Diffstat (limited to 'extensions/libct_proto_tcp.c')
-rw-r--r--extensions/libct_proto_tcp.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index ac54ac7..cb573d0 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -202,6 +202,20 @@ static void final_check(unsigned int flags,
break;
}
}
+ /* Disable TCP window tracking for manually created TCP entries,
+ * otherwise this will not work. */
+ uint8_t tcp_flags = IP_CT_TCP_FLAG_BE_LIBERAL |
+ IP_CT_TCP_FLAG_SACK_PERM;
+
+ /* This allows to reopen a new connection directly from TIME-WAIT
+ * as RFC 1122 states. See nf_conntrack_proto_tcp.c for more info. */
+ if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >= TCP_CONNTRACK_TIME_WAIT)
+ tcp_flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, tcp_flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, tcp_flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, tcp_flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, tcp_flags);
}
static struct ctproto_handler tcp = {
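Review bot: The flag override at the end of the hunk runs on every call of final_check, yet the comment on the first added line says it is meant for "manually created TCP entries" only; if final_check is also reached for update, get or delete commands (its parameter list and body start outside the hunk), the block should be gated on the create command, e.g. `if (cmd == CT_CREATE) {` around the added lines, so that an update does not silently rewrite ATTR_TCP_FLAGS_*/ATTR_TCP_MASK_* on an existing entry. The `>= TCP_CONNTRACK_TIME_WAIT` test matches the kernel's own `old_state < TCP_CONNTRACK_TIME_WAIT` guard for accepting a new SYN, so the comparison is fine as written. The comment should also spell out the consequence of IP_CT_TCP_FLAG_BE_LIBERAL, since it is the security-relevant part of the change: `/* BE_LIBERAL turns off TCP window validation for this entry, so out-of-window segments are accepted; required because no handshake was observed. */`. `uint8_t` presumably relies on <stdint.h> already being included by this file's headers — worth confirming rather than inheriting it transitively.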