authorPablo Neira Ayuso <pablo@netfilter.org>2009-01-25 17:53:21 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2009-01-25 17:53:21 +0100
commit30ab4eae6a196102285fd649119fa2d9afe35a32 (patch)
tree341ec7bfbe8dceff44fea23a8483063d74902f2d
parentcced587d766b9194b698a156d241766d5bad8a9d (diff)
netlink: set IP_CT_TCP_FLAG_CLOSE_INIT for TIME_WAIT states
This patch sets IP_CT_TCP_FLAG_CLOSE_INIT if the entry is in TCP TIME_WAIT state. This patch is a workaround: the daemon should propagate the kernel's internal TCP flags so that it is fully independent of possible changes in the TCP tracking code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/netlink.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/netlink.c b/src/netlink.c
index 24d61a0..a9e3d2d 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -27,6 +27,7 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/fcntl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
struct nfct_handle *nl_init_event_handler(void)
{
@@ -226,6 +227,12 @@ int nl_create_conntrack(struct nfct_handle *h,
if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
IP_CT_TCP_FLAG_SACK_PERM;
+
+ /* FIXME: workaround, we should send TCP flags in updates */
+ if (nfct_get_attr_u32(ct, ATTR_TCP_STATE) ==
+ TCP_CONNTRACK_TIME_WAIT) {
+ flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+ }
nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
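Review bot: The new TIME_WAIT test reads ATTR_TCP_STATE through `nfct_get_attr_u32`, but the TCP conntrack state is an 8-bit attribute (the same hunk writes the neighbouring TCP attributes with `nfct_set_attr_u8`), so the comparison also takes in whatever bytes follow the state in the attribute storage and can silently miss TIME_WAIT entries, or match on garbage, depending on that layout. Use the width-matched getter: `if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) ==`. The FIXME says this is a workaround but not what breaks without it; if the motivation is that the kernel tracker refuses or mishandles a TIME_WAIT entry injected without CLOSE_INIT, a second comment line saying so would save the next maintainer a bisect — I am inferring that from the commit message, so confirm before writing it. nl_create_conntrack's body begins and ends outside this hunk.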
@@ -285,6 +292,12 @@ int nl_update_conntrack(struct nfct_handle *h,
if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
IP_CT_TCP_FLAG_SACK_PERM;
+
+ /* FIXME: workaround, we should send TCP flags in updates */
+ if (nfct_get_attr_u32(ct, ATTR_TCP_STATE) ==
+ TCP_CONNTRACK_TIME_WAIT) {
+ flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+ }
nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
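Review bot: The TIME_WAIT/CLOSE_INIT block added here is a verbatim copy of the one added to nl_create_conntrack, so the workaround now lives in two places and the FIXME has to be remembered twice when real TCP-flag propagation lands; the flag value is also written four times unchanged. Computing the flags in one static helper keeps the workaround in a single place and lets both callers use the 8-bit getter that matches the ATTR_TCP_STATE attribute (the hunk uses `nfct_get_attr_u32` on it). nl_update_conntrack starts outside this hunk; inside it the block shrinks to `uint8_t flags = nl_tcp_sync_flags(ct);` followed by the existing four nfct_set_attr_u8() calls. The helper's parameter type assumes `ct` is a `struct nf_conntrack *`, which the visible nfct_* calls imply but the hunk does not show.
```c
/* TCP flags pushed with every create/update.
 * FIXME: workaround, CLOSE_INIT is forced for TIME_WAIT entries until the
 * daemon propagates the real kernel TCP flags in its updates. */
static uint8_t nl_tcp_sync_flags(const struct nf_conntrack *ct)
{
	uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM;

	if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) == TCP_CONNTRACK_TIME_WAIT)
		flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
	return flags;
}

/* … unchanged: nl_update_conntrack up to the ATTR_TCP_STATE test … */
	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
		uint8_t flags = nl_tcp_sync_flags(ct);
		/* … unchanged: the four nfct_set_attr_u8() calls … */
```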