-rw-r--r-- | include/linux/netfilter/nf_conntrack_tcp.h | 4 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_proto_dccp.c | 4 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 18 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_log.c | 6 | ||||
-rw-r--r-- | net/netfilter/xt_hashlimit.c | 2 |
5 files changed, 33 insertions, 1 deletions
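diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
index 3066789b972a..b2f384d42611 100644
--- a/include/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -35,6 +35,9 @@ enum tcp_conntrack {
 /* Has unacknowledged data */
 #define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10
 
+/* The field td_maxack has been set */
+#define IP_CT_TCP_FLAG_MAXACK_SET 0x20
+
 struct nf_ct_tcp_flags {
 __u8 flags;
 __u8 mask;
@@ -46,6 +49,7 @@ struct ip_ct_tcp_state {
 u_int32_t td_end; /* max of seq + len */
 u_int32_t td_maxend; /* max of ack + max(win, 1) */
 u_int32_t td_maxwin; /* max(win) */
+u_int32_t td_maxack; /* max of ack */
 u_int8_t td_scale; /* window scale factor */
 u_int8_t flags; /* per direction options */
 };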
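Review bot: `td_maxack` is only meaningful once `IP_CT_TCP_FLAG_MAXACK_SET` is set in the same direction's `flags`, and the field comment `/* max of ack */` does not say so; I would write it as `/* max of ack, valid only if IP_CT_TCP_FLAG_MAXACK_SET */` so nobody compares against the zero the field holds before the first ACK. This header also defines `nf_ct_tcp_flags` with a `flags`/`mask` pair that looks like a userspace-settable interface (the ctnetlink path is not in this diff), so it is worth confirming that path masks out the new 0x20 bit: with the flag set from outside and `td_maxack` still 0, the RST check added in nf_conntrack_proto_tcp.c would treat every RST whose sequence number `before()` orders below 0 — the upper half of the sequence space — as invalid. A one-line comment next to the define stating that the bit is kernel-internal would make that expectation explicit.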
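diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 8e757dd53396..aee0d6bea309 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -22,6 +22,7 @@
 #include <linux/netfilter/nfnetlink_conntrack.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_l4proto.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_log.h>
 
 static DEFINE_RWLOCK(dccp_lock);
@@ -553,6 +554,9 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
 ct->proto.dccp.state = new_state;
 write_unlock_bh(&dccp_lock);
 
+if (new_state != old_state)
+nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
+
 dn = dccp_pernet(net);
 nf_ct_refresh_acct(ct, ctinfo, skb, dn->dccp_timeout[new_state]);
 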
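diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index b5ccf2b4b2e7..97a6e93d742e 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -634,6 +634,14 @@ static bool tcp_in_window(const struct nf_conn *ct,
 sender->td_end = end;
 sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
 }
+if (tcph->ack) {
+if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) {
+sender->td_maxack = ack;
+sender->flags |= IP_CT_TCP_FLAG_MAXACK_SET;
+} else if (after(ack, sender->td_maxack))
+sender->td_maxack = ack;
+}
+
 /*
 * Update receiver data.
 */
@@ -919,6 +927,16 @@ static int tcp_packet(struct nf_conn *ct,
 return -NF_ACCEPT;
 case TCP_CONNTRACK_CLOSE:
 if (index == TCP_RST_SET
+&& (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
+&& before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
+/* Invalid RST */
+write_unlock_bh(&tcp_lock);
+if (LOG_INVALID(net, IPPROTO_TCP))
+nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+"nf_ct_tcp: invalid RST ");
+return -NF_ACCEPT;
+}
+if (index == TCP_RST_SET
 && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
 && ct->proto.tcp.last_index == TCP_SYN_SET)
 || (!test_bit(IPS_ASSURED_BIT, &ct->status)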
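Review bot: The new `before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)` test in the `TCP_CONNTRACK_CLOSE` case carries only `/* Invalid RST */`, and the reason deserves to be spelled out so the check is not "simplified" later, e.g. `/* A RST whose seq is below the highest ACK the other side has sent covers data the peer already acknowledged; its stack will discard it, so it must not tear the entry down. */`. The check is one-sided by design: a RST with seq equal to or above `td_maxack` falls through to the pre-existing RST handling that starts on the last visible lines and continues past the hunk, so a RST elsewhere in the window still moves the entry to CLOSE even if the destination host ignores it or, as newer stacks may, answers with a challenge ACK instead of resetting — a short comment saying this is a lower-bound check, not full in-window RST validation, would prevent over-reading it. The `write_unlock_bh(&tcp_lock)` before logging and the `return -NF_ACCEPT` mirror the existing invalid-packet path above the hunk, which looks right since the packet is passed through without updating state. `tcp_packet` begins before and ends after this hunk.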
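diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index fd326ac27ec8..66a6dd5c519a 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -581,6 +581,12 @@ nfulnl_log_packet(u_int8_t pf,
 + nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
 + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
 
+if (in && skb_mac_header_was_set(skb)) {
+size += nla_total_size(skb->dev->hard_header_len)
++ nla_total_size(sizeof(u_int16_t)) /* hwtype */
++ nla_total_size(sizeof(u_int16_t)); /* hwlen */
+}
+
 spin_lock_bh(&inst->lock);
 
 if (inst->flags & NFULNL_CFG_F_SEQ)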
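Review bot: The new size accounting guards on `in` but then dereferences a different pointer, `skb->dev->hard_header_len`; nothing visible here establishes that `skb->dev` is non-NULL whenever `in` is, so either the condition should test the pointer actually used, or a comment should state why `in != NULL` implies `skb->dev != NULL` on every path into `nfulnl_log_packet`. If this mirrors the condition under which the hwtype, hwlen and hardware-header attributes are later put into the message (that code is outside the hunk, so I am inferring), the two must stay identical — an estimate smaller than what is actually emitted is presumably the bug this hunk repairs — and I would pin that with `/* must match the hw header attributes added when the message is built */` above the `if`. Changing only this guard without the emitting side would reintroduce the mismatch, so whichever form is chosen should be applied to both. `nfulnl_log_packet` starts before and continues after this hunk.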
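diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index a5b5369c30f9..219dcdbe388c 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -926,7 +926,7 @@ static int dl_seq_show(struct seq_file *s, void *v)
 if (!hlist_empty(&htable->hash[*bucket])) {
 hlist_for_each_entry(ent, pos, &htable->hash[*bucket], node)
 if (dl_seq_real_show(ent, htable->family, s))
-return 1;
+return -1;
 }
 return 0;
 }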
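Review bot: The change from `return 1` to `return -1` in `dl_seq_show` alters meaning rather than just sign and should carry a comment so it is not reverted as a cosmetic cleanup: seq_file treats a positive value from a `->show` callback as "discard this element's output and continue" while a negative value is an error that stops the read, so the old `return 1` silently dropped entries from the /proc listing whenever `dl_seq_real_show` failed instead of reporting the condition. I would add `/* negative: report the failure to seq_file; a positive value would merely skip the entry */` on the `return -1;` line. What `dl_seq_real_show` itself returns on overflow is outside this hunk and worth checking for the same convention.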