summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2009-12-23 23:29:06 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2009-12-23 23:29:06 +0100
commitb78aa333ae1a73683afd44b8819186a91784d929 (patch)
tree20f3310fdfcfdbe8da0acf2f9093831e1e6347a4
parentf49cfb7598c0433d3cb3dc3d829b510a205313f4 (diff)
conntrack: fix manually created TCP entries with window tracking enabled
With this patch, we allow to manually create TCP entries in the table. Basically, we disable TCP window tracking for this entry to avoid problems. Reported-by: Roman Fiedler <roman.fiedler@ait.ac.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--extensions/libct_proto_tcp.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index ac54ac7..cb573d0 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -202,6 +202,20 @@ static void final_check(unsigned int flags,
break;
}
}
+ /* Disable TCP window tracking for manually created TCP entries,
+ * otherwise this will not work. */
+ uint8_t tcp_flags = IP_CT_TCP_FLAG_BE_LIBERAL |
+ IP_CT_TCP_FLAG_SACK_PERM;
+
+ /* This allows to reopen a new connection directly from TIME-WAIT
+ * as RFC 1122 states. See nf_conntrack_proto_tcp.c for more info. */
+ if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >= TCP_CONNTRACK_TIME_WAIT)
+ tcp_flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, tcp_flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, tcp_flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, tcp_flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, tcp_flags);
}
static struct ctproto_handler tcp = {