Commit 5263c68d authored by Jozsef Kadlecsik's avatar Jozsef Kadlecsik Committed by Greg Kroah-Hartman

NETFILTER: nf_conntrack_tcp: fix connection reopening

Upstream commits: 17311393 + bc34b841 merged together.  Merge done by
Patrick McHardy <kaber@trash.net>

[NETFILTER]: nf_conntrack_tcp: fix connection reopening

With your description I could reproduce the bug and actually you were
completely right: the code above is incorrect. Somehow I was able to
misread RFC1122 and mixed the roles :-(:

   When a connection is >>closed actively<<, it MUST linger in
   TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
   However, it MAY >>accept<< a new SYN from the remote TCP to
   reopen the connection directly from TIME-WAIT state, if it:
   [...]

The fix is as follows: if the receiver initiated an active close, then the
sender may reopen the connection - otherwise try to figure out if we hold
a dead connection.
Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Tested-by: default avatarKrzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 79d84e19
...@@ -839,6 +839,22 @@ static int tcp_packet(struct nf_conn *conntrack, ...@@ -839,6 +839,22 @@ static int tcp_packet(struct nf_conn *conntrack,
new_state = tcp_conntracks[dir][index][old_state]; new_state = tcp_conntracks[dir][index][old_state];
switch (new_state) { switch (new_state) {
case TCP_CONNTRACK_SYN_SENT:
if (old_state < TCP_CONNTRACK_TIME_WAIT)
break;
if ((conntrack->proto.tcp.seen[!dir].flags &
IP_CT_TCP_FLAG_CLOSE_INIT)
|| (conntrack->proto.tcp.last_dir == dir
&& conntrack->proto.tcp.last_index == TCP_RST_SET)) {
/* Attempt to reopen a closed/aborted connection.
* Delete this connection and look up again. */
write_unlock_bh(&tcp_lock);
if (del_timer(&conntrack->timeout))
conntrack->timeout.function((unsigned long)
conntrack);
return -NF_REPEAT;
}
/* Fall through */
case TCP_CONNTRACK_IGNORE: case TCP_CONNTRACK_IGNORE:
/* Ignored packets: /* Ignored packets:
* *
...@@ -888,27 +904,6 @@ static int tcp_packet(struct nf_conn *conntrack, ...@@ -888,27 +904,6 @@ static int tcp_packet(struct nf_conn *conntrack,
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
"nf_ct_tcp: invalid state "); "nf_ct_tcp: invalid state ");
return -NF_ACCEPT; return -NF_ACCEPT;
case TCP_CONNTRACK_SYN_SENT:
if (old_state < TCP_CONNTRACK_TIME_WAIT)
break;
if ((conntrack->proto.tcp.seen[dir].flags &
IP_CT_TCP_FLAG_CLOSE_INIT)
|| after(ntohl(th->seq),
conntrack->proto.tcp.seen[dir].td_end)) {
/* Attempt to reopen a closed connection.
* Delete this connection and look up again. */
write_unlock_bh(&tcp_lock);
if (del_timer(&conntrack->timeout))
conntrack->timeout.function((unsigned long)
conntrack);
return -NF_REPEAT;
} else {
write_unlock_bh(&tcp_lock);
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL,
NULL, "nf_ct_tcp: invalid SYN");
return -NF_ACCEPT;
}
case TCP_CONNTRACK_CLOSE: case TCP_CONNTRACK_CLOSE:
if (index == TCP_RST_SET if (index == TCP_RST_SET
&& ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
...@@ -941,6 +936,7 @@ static int tcp_packet(struct nf_conn *conntrack, ...@@ -941,6 +936,7 @@ static int tcp_packet(struct nf_conn *conntrack,
in_window: in_window:
/* From now on we have got in-window packets */ /* From now on we have got in-window packets */
conntrack->proto.tcp.last_index = index; conntrack->proto.tcp.last_index = index;
conntrack->proto.tcp.last_dir = dir;
DEBUGP("tcp_conntracks: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu " DEBUGP("tcp_conntracks: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu "
"syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n", "syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment