authorPablo Neira Ayuso <pablo@netfilter.org>2009-12-29 20:02:55 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2010-02-11 12:06:37 +0100
commit56817d1c0cc30bcd65c56c2f73634b256603cc4d (patch)
tree4c37a3d1416f0d17658f37502fc5a9b15f68c65e
parent73da80df0c3cf4175662b3da4dfbd3574d34f96a (diff)
conntrackd: add support for TCP window scale factor synchronization
This patch adds a new option, TCPWindowTracking, that allows TCP window tracking to stay enabled instead of being disabled, which is what happens by default. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/sync/alarm/conntrackd.conf11
-rw-r--r--doc/sync/ftfw/conntrackd.conf10
-rw-r--r--doc/sync/notrack/conntrackd.conf11
-rw-r--r--include/conntrackd.h1
-rw-r--r--include/network.h2
-rw-r--r--src/build.c4
-rw-r--r--src/netlink.c20
-rw-r--r--src/parse.c10
-rw-r--r--src/read_config_lex.l2
-rw-r--r--src/read_config_yy.y18
10 files changed, 79 insertions, 10 deletions
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 9b7d8c6..65c8715 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -180,6 +180,17 @@ Sync {
#
# Checksum on
# }
+
+ #
+ # Other unsorted options that are related to the synchronization.
+ #
+ # Options {
+ #
+ # TCP state-entries have window tracking disabled by default,
+ # you can enable it with this option. As said, default is off.
+ #
+ # TCPWindowTracking Off
+ # }
}
#
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 877ed68..481fe8b 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -204,6 +204,16 @@ Sync {
# Checksum on
# }
+ #
+ # Other unsorted options that are related to the synchronization.
+ #
+ # Options {
+ #
+ # TCP state-entries have window tracking disabled by default,
+ # you can enable it with this option. As said, default is off.
+ #
+ # TCPWindowTracking Off
+ # }
}
#
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 693209a..430ca25 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -242,6 +242,17 @@ Sync {
#
# Checksum on
# }
+
+ #
+ # Other unsorted options that are related to the synchronization.
+ #
+ # Options {
+ #
+ # TCP state-entries have window tracking disabled by default,
+ # you can enable it with this option. As said, default is off.
+ #
+ # TCPWindowTracking Off
+ # }
}
#
diff --git a/include/conntrackd.h b/include/conntrackd.h
index c7f33f0..b35c95d 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -102,6 +102,7 @@ struct ct_conf {
struct {
int internal_cache_disable;
int external_cache_disable;
+ int tcp_window_tracking;
} sync;
struct {
int events_reliable;
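Review bot: The new `tcp_window_tracking` field is undocumented, and nothing in the struct says what a non-zero value means for the sync path. A trailing comment such as `int tcp_window_tracking; /* non-zero: keep kernel TCP window tracking on and sync the wscale factors */` records what src/build.c and src/netlink.c key off it. The `struct ct_conf` definition extends beyond the hunk.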
diff --git a/include/network.h b/include/network.h
index 70812b1..567317b 100644
--- a/include/network.h
+++ b/include/network.h
@@ -220,6 +220,8 @@ enum nta_attr {
NTA_ICMP_TYPE, /* uint8_t */
NTA_ICMP_CODE, /* uint8_t */
NTA_ICMP_ID, /* uint16_t */
+ NTA_TCP_WSCALE_ORIG, /* uint8_t */
+ NTA_TCP_WSCALE_REPL, /* uint8_t */
NTA_MAX
};
diff --git a/src/build.c b/src/build.c
index 6d8b12e..0bfe8c1 100644
--- a/src/build.c
+++ b/src/build.c
@@ -103,6 +103,10 @@ static void build_l4proto_tcp(const struct nf_conntrack *ct, struct nethdr *n)
return;
__build_u8(ct, ATTR_TCP_STATE, n, NTA_TCP_STATE);
+ if (CONFIG(sync).tcp_window_tracking) {
+ __build_u8(ct, ATTR_TCP_WSCALE_ORIG, n, NTA_TCP_WSCALE_ORIG);
+ __build_u8(ct, ATTR_TCP_WSCALE_REPL, n, NTA_TCP_WSCALE_REPL);
+ }
}
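Review bot: The two wscale attributes are emitted only when the local TCPWindowTracking option is on, so the setting has to match on both peers; a receiver built before this change has no parser entry for NTA_TCP_WSCALE_ORIG/REPL, and how it treats the unknown attribute depends on the bounds check in src/parse.c, which is outside this diff. A comment at the added `if` would record that constraint: `/* peers must agree on TCPWindowTracking: older builds do not know these attributes */`. build_l4proto_tcp begins before the hunk.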
static void build_l4proto_sctp(const struct nf_conntrack *ct, struct nethdr *n)
diff --git a/src/netlink.c b/src/netlink.c
index a43f782..5b6452a 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -196,12 +196,12 @@ int nl_create_conntrack(struct nfct_handle *h,
nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
- /*
- * TCP flags to overpass window tracking for recovered connections
- */
+ /* disable TCP window tracking for recovered connections if required */
if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
- uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
- IP_CT_TCP_FLAG_SACK_PERM;
+ uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM;
+
+ if (!CONFIG(sync).tcp_window_tracking)
+ flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
/* FIXME: workaround, we should send TCP flags in updates */
if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >=
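Review bot: Dropping IP_CT_TCP_FLAG_BE_LIBERAL at the added `if (!CONFIG(sync).tcp_window_tracking)` is keyed only on the local option, not on whether the entry actually carries the window-scale factors; a recovered connection whose cache entry lacks ATTR_TCP_WSCALE_ORIG/REPL (for instance one received from a peer with the option off) would then be committed under full window tracking with no scale information, which presumably leads the kernel to drop its packets — worth confirming against the conntrack module. A safer guard is `if (!CONFIG(sync).tcp_window_tracking || !nfct_attr_is_set(ct, ATTR_TCP_WSCALE_ORIG) || !nfct_attr_is_set(ct, ATTR_TCP_WSCALE_REPL))`. The same block is duplicated verbatim in the nl_update_conntrack hunk at -261,12, so a small static helper returning the flags would keep the two in step. Both nl_create_conntrack and nl_update_conntrack begin before their hunks.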
@@ -261,12 +261,12 @@ int nl_update_conntrack(struct nfct_handle *h,
nfct_attr_unset(ct, ATTR_MASTER_PORT_DST);
}
- /*
- * TCP flags to overpass window tracking for recovered connections
- */
+ /* disable TCP window tracking for recovered connections if required */
if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
- uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
- IP_CT_TCP_FLAG_SACK_PERM;
+ uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM;
+
+ if (!CONFIG(sync).tcp_window_tracking)
+ flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
/* FIXME: workaround, we should send TCP flags in updates */
if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >=
diff --git a/src/parse.c b/src/parse.c
index e6eefe4..3eb7f44 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -161,6 +161,16 @@ static struct parser h[NTA_MAX] = {
.attr = ATTR_ICMP_ID,
.size = NTA_SIZE(sizeof(uint16_t)),
},
+ [NTA_TCP_WSCALE_ORIG] = {
+ .parse = parse_u8,
+ .attr = ATTR_TCP_WSCALE_ORIG,
+ .size = NTA_SIZE(sizeof(uint8_t)),
+ },
+ [NTA_TCP_WSCALE_REPL] = {
+ .parse = parse_u8,
+ .attr = ATTR_TCP_WSCALE_REPL,
+ .size = NTA_SIZE(sizeof(uint8_t)),
+ },
};
static void
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index b2d4bdb..f005099 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -138,6 +138,8 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"NetlinkEventsReliable" { return T_NETLINK_EVENTS_RELIABLE; }
"DisableInternalCache" { return T_DISABLE_INTERNAL_CACHE; }
"DisableExternalCache" { return T_DISABLE_EXTERNAL_CACHE; }
+"Options" { return T_OPTIONS; }
+"TCPWindowTracking" { return T_TCP_WINDOW_TRACKING; }
"ErrorQueueLength" { return T_ERROR_QUEUE_LENGTH; }
{is_on} { return T_ON; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 5f4e6be..bc76e92 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -73,6 +73,7 @@ static void __max_dedicated_links_reached(void);
%token T_NETLINK_OVERRUN_RESYNC T_NICE T_IPV4_DEST_ADDR T_IPV6_DEST_ADDR
%token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE
%token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH
+%token T_OPTIONS T_TCP_WINDOW_TRACKING
%token <string> T_IP T_PATH_VAL
%token <val> T_NUMBER
@@ -808,8 +809,25 @@ sync_line: refreshtime
| state_replication
| cache_writethrough
| destroy_timeout
+ | option_line
;
+option_line: T_OPTIONS '{' options '}';
+
+options:
+ | options option
+ ;
+
+option: T_TCP_WINDOW_TRACKING T_ON
+{
+ CONFIG(sync).tcp_window_tracking = 1;
+};
+
+option: T_TCP_WINDOW_TRACKING T_OFF
+{
+ CONFIG(sync).tcp_window_tracking = 0;
+};
+
sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
{
conf.flags |= CTD_SYNC_ALARM;
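Review bot: The two `option:` rules for T_ON and T_OFF are written as separate productions; the conventional form is one rule with alternatives, `option: T_TCP_WINDOW_TRACKING T_ON { CONFIG(sync).tcp_window_tracking = 1; } | T_TCP_WINDOW_TRACKING T_OFF { CONFIG(sync).tcp_window_tracking = 0; };`, which also makes a later option easier to add. The T_OFF branch assigns 0 explicitly, so the documented default of off holds only if `conf` is zero-initialised before parsing, which this diff does not show. The `sync_line` rule starts before the hunk.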