conntrackd: add support for TCP window scale factor synchronization

This patch adds a new option TCPWindowTracking that allows not
to disable TCP window tracking as it occurs by default.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

5 files changed, 44 insertions, 10 deletions

diff --git a/src/build.c b/src/build.c
index 6d8b12e..0bfe8c1 100644
--- a/src/build.c
+++ b/src/build.c
@@ -103,6 +103,10 @@ static void build_l4proto_tcp(const struct nf_conntrack *ct, struct nethdr *n)
 		return;
 
 	__build_u8(ct, ATTR_TCP_STATE, n, NTA_TCP_STATE);
+	if (CONFIG(sync).tcp_window_tracking) {
+		__build_u8(ct, ATTR_TCP_WSCALE_ORIG, n, NTA_TCP_WSCALE_ORIG);
+		__build_u8(ct, ATTR_TCP_WSCALE_REPL, n, NTA_TCP_WSCALE_REPL);
+	}
 }
 
 static void build_l4proto_sctp(const struct nf_conntrack *ct, struct nethdr *n)
diff --git a/src/netlink.c b/src/netlink.c
index a43f782..5b6452a 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -196,12 +196,12 @@ int nl_create_conntrack(struct nfct_handle *h,
 
 	nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
 
-	/*
-	 * TCP flags to overpass window tracking for recovered connections
-	 */
+	/* disable TCP window tracking for recovered connections if required */
 	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
-		uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
-				IP_CT_TCP_FLAG_SACK_PERM;
+		uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM;
+
+		if (!CONFIG(sync).tcp_window_tracking)
+			flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 
 		/* FIXME: workaround, we should send TCP flags in updates */
 		if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >=
@@ -261,12 +261,12 @@ int nl_update_conntrack(struct nfct_handle *h,
 		nfct_attr_unset(ct, ATTR_MASTER_PORT_DST);
 	}
 
-	/*
-	 * TCP flags to overpass window tracking for recovered connections
-	 */
+	/* disable TCP window tracking for recovered connections if required */
 	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
-		uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
-				IP_CT_TCP_FLAG_SACK_PERM;
+		uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM;
+
+		if (!CONFIG(sync).tcp_window_tracking)
+			flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 
 		/* FIXME: workaround, we should send TCP flags in updates */
 		if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >=
diff --git a/src/parse.c b/src/parse.c
index e6eefe4..3eb7f44 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -161,6 +161,16 @@ static struct parser h[NTA_MAX] = {
 		.attr	= ATTR_ICMP_ID,
 		.size	= NTA_SIZE(sizeof(uint16_t)),
 	},
+	[NTA_TCP_WSCALE_ORIG] = {
+		.parse	= parse_u8,
+		.attr	= ATTR_TCP_WSCALE_ORIG,
+		.size	= NTA_SIZE(sizeof(uint8_t)),
+	},
+	[NTA_TCP_WSCALE_REPL] = {
+		.parse	= parse_u8,
+		.attr	= ATTR_TCP_WSCALE_REPL,
+		.size	= NTA_SIZE(sizeof(uint8_t)),
+	},
 };
 
 static void
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index b2d4bdb..f005099 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -138,6 +138,8 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 "NetlinkEventsReliable"		{ return T_NETLINK_EVENTS_RELIABLE; }
 "DisableInternalCache"		{ return T_DISABLE_INTERNAL_CACHE; }
 "DisableExternalCache"		{ return T_DISABLE_EXTERNAL_CACHE; }
+"Options"			{ return T_OPTIONS; }
+"TCPWindowTracking"		{ return T_TCP_WINDOW_TRACKING; }
 "ErrorQueueLength"		{ return T_ERROR_QUEUE_LENGTH; }
 
 {is_on}			{ return T_ON; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 5f4e6be..bc76e92 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -73,6 +73,7 @@ static void __max_dedicated_links_reached(void);
 %token T_NETLINK_OVERRUN_RESYNC T_NICE T_IPV4_DEST_ADDR T_IPV6_DEST_ADDR
 %token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE
 %token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH
+%token T_OPTIONS T_TCP_WINDOW_TRACKING
 
 %token <string> T_IP T_PATH_VAL
 %token <val> T_NUMBER
@@ -808,8 +809,25 @@ sync_line: refreshtime
 	 | state_replication
 	 | cache_writethrough
 	 | destroy_timeout
+	 | option_line
 	 ;
 
+option_line: T_OPTIONS '{' options '}';
+
+options:
+       | options option 
+       ;
+
+option: T_TCP_WINDOW_TRACKING T_ON
+{
+	CONFIG(sync).tcp_window_tracking = 1;
+};
+
+option: T_TCP_WINDOW_TRACKING T_OFF
+{
+	CONFIG(sync).tcp_window_tracking = 0;
+};
+
 sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
 {
 	conf.flags |= CTD_SYNC_ALARM;