From 56817d1c0cc30bcd65c56c2f73634b256603cc4d Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 29 Dec 2009 20:02:55 +0100
Subject: conntrackd: add support for TCP window scale factor synchronization

This patch adds a new option TCPWindowTracking that allows not
to disable TCP window tracking as it occurs by default.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/sync/alarm/conntrackd.conf   | 11 +++++++++++
 doc/sync/ftfw/conntrackd.conf    | 10 ++++++++++
 doc/sync/notrack/conntrackd.conf | 11 +++++++++++
 include/conntrackd.h             |  1 +
 include/network.h                |  2 ++
 src/build.c                      |  4 ++++
 src/netlink.c                    | 20 ++++++++++----------
 src/parse.c                      | 10 ++++++++++
 src/read_config_lex.l            |  2 ++
 src/read_config_yy.y             | 18 ++++++++++++++++++
 10 files changed, 79 insertions(+), 10 deletions(-)

diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 9b7d8c6..65c8715 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -180,6 +180,17 @@ Sync {
 		#
 		# Checksum on
 	# }
+
+	#
+	# Other unsorted options that are related to the synchronization.
+	#
+	# Options {
+		#
+		# TCP state-entries have window tracking disabled by default,
+		# you can enable it with this option. As said, default is off.
+		#
+		# TCPWindowTracking Off
+	# }
 }
 
 #
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 877ed68..481fe8b 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -204,6 +204,16 @@ Sync {
 		# Checksum on
 	# }
 
+	# 
+	# Other unsorted options that are related to the synchronization.
+	# 
+	# Options {
+		#
+		# TCP state-entries have window tracking disabled by default,
+		# you can enable it with this option. As said, default is off.
+		#
+		# TCPWindowTracking Off
+	# }
 }
 
 #
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 693209a..430ca25 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -242,6 +242,17 @@ Sync {
 		#
 		# Checksum on
 	# }
+
+	#
+	# Other unsorted options that are related to the synchronization.
+	#
+	# Options {
+		#
+		# TCP state-entries have window tracking disabled by default,
+		# you can enable it with this option. As said, default is off.
+		#
+		# TCPWindowTracking Off
+	# }
 }
 
 #
diff --git a/include/conntrackd.h b/include/conntrackd.h
index c7f33f0..b35c95d 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -102,6 +102,7 @@ struct ct_conf {
 	struct {
 		int internal_cache_disable;
 		int external_cache_disable;
+		int tcp_window_tracking;
 	} sync;
 	struct {
 		int events_reliable;
diff --git a/include/network.h b/include/network.h
index 70812b1..567317b 100644
--- a/include/network.h
+++ b/include/network.h
@@ -220,6 +220,8 @@ enum nta_attr {
 	NTA_ICMP_TYPE,		/* uint8_t */
 	NTA_ICMP_CODE,		/* uint8_t */
 	NTA_ICMP_ID,		/* uint16_t */
+	NTA_TCP_WSCALE_ORIG,	/* uint8_t */
+	NTA_TCP_WSCALE_REPL,	/* uint8_t */
 	NTA_MAX
 };
 
diff --git a/src/build.c b/src/build.c
index 6d8b12e..0bfe8c1 100644
--- a/src/build.c
+++ b/src/build.c
@@ -103,6 +103,10 @@ static void build_l4proto_tcp(const struct nf_conntrack *ct, struct nethdr *n)
 		return;
 
 	__build_u8(ct, ATTR_TCP_STATE, n, NTA_TCP_STATE);
+	if (CONFIG(sync).tcp_window_tracking) {
+		__build_u8(ct, ATTR_TCP_WSCALE_ORIG, n, NTA_TCP_WSCALE_ORIG);
+		__build_u8(ct, ATTR_TCP_WSCALE_REPL, n, NTA_TCP_WSCALE_REPL);
+	}
 }
 
 static void build_l4proto_sctp(const struct nf_conntrack *ct, struct nethdr *n)
diff --git a/src/netlink.c b/src/netlink.c
index a43f782..5b6452a 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -196,12 +196,12 @@ int nl_create_conntrack(struct nfct_handle *h,
 
 	nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
 
-	/*
-	 * TCP flags to overpass window tracking for recovered connections
-	 */
+	/* disable TCP window tracking for recovered connections if required */
 	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
-		uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
-				IP_CT_TCP_FLAG_SACK_PERM;
+		uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM;
+
+		if (!CONFIG(sync).tcp_window_tracking)
+			flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 
 		/* FIXME: workaround, we should send TCP flags in updates */
 		if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >=
@@ -261,12 +261,12 @@ int nl_update_conntrack(struct nfct_handle *h,
 		nfct_attr_unset(ct, ATTR_MASTER_PORT_DST);
 	}
 
-	/*
-	 * TCP flags to overpass window tracking for recovered connections
-	 */
+	/* disable TCP window tracking for recovered connections if required */
 	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
-		uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
-				IP_CT_TCP_FLAG_SACK_PERM;
+		uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM;
+
+		if (!CONFIG(sync).tcp_window_tracking)
+			flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 
 		/* FIXME: workaround, we should send TCP flags in updates */
 		if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >=
diff --git a/src/parse.c b/src/parse.c
index e6eefe4..3eb7f44 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -161,6 +161,16 @@ static struct parser h[NTA_MAX] = {
 		.attr	= ATTR_ICMP_ID,
 		.size	= NTA_SIZE(sizeof(uint16_t)),
 	},
+	[NTA_TCP_WSCALE_ORIG] = {
+		.parse	= parse_u8,
+		.attr	= ATTR_TCP_WSCALE_ORIG,
+		.size	= NTA_SIZE(sizeof(uint8_t)),
+	},
+	[NTA_TCP_WSCALE_REPL] = {
+		.parse	= parse_u8,
+		.attr	= ATTR_TCP_WSCALE_REPL,
+		.size	= NTA_SIZE(sizeof(uint8_t)),
+	},
 };
 
 static void
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index b2d4bdb..f005099 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -138,6 +138,8 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 "NetlinkEventsReliable"		{ return T_NETLINK_EVENTS_RELIABLE; }
 "DisableInternalCache"		{ return T_DISABLE_INTERNAL_CACHE; }
 "DisableExternalCache"		{ return T_DISABLE_EXTERNAL_CACHE; }
+"Options"			{ return T_OPTIONS; }
+"TCPWindowTracking"		{ return T_TCP_WINDOW_TRACKING; }
 "ErrorQueueLength"		{ return T_ERROR_QUEUE_LENGTH; }
 
 {is_on}			{ return T_ON; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 5f4e6be..bc76e92 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -73,6 +73,7 @@ static void __max_dedicated_links_reached(void);
 %token T_NETLINK_OVERRUN_RESYNC T_NICE T_IPV4_DEST_ADDR T_IPV6_DEST_ADDR
 %token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE
 %token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH
+%token T_OPTIONS T_TCP_WINDOW_TRACKING
 
 %token <string> T_IP T_PATH_VAL
 %token <val> T_NUMBER
@@ -808,8 +809,25 @@ sync_line: refreshtime
 	 | state_replication
 	 | cache_writethrough
 	 | destroy_timeout
+	 | option_line
 	 ;
 
+option_line: T_OPTIONS '{' options '}';
+
+options:
+       | options option 
+       ;
+
+option: T_TCP_WINDOW_TRACKING T_ON
+{
+	CONFIG(sync).tcp_window_tracking = 1;
+};
+
+option: T_TCP_WINDOW_TRACKING T_OFF
+{
+	CONFIG(sync).tcp_window_tracking = 0;
+};
+
 sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
 {
 	conf.flags |= CTD_SYNC_ALARM;
-- 
cgit v1.2.3