netlink: avoid errors related to the expected bit handling

We hit error if we try to change the expected bit for already existing
conntracks. On the other hand, if the conntrack does not exist, do not
change the expected bit, otherwise we also hit error.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 15 insertions, 2 deletions

diff --git a/src/netlink.c b/src/netlink.c
index e9b1cfd..8b02ac5 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -301,7 +301,7 @@ int nl_create_conntrack(struct nf_conntrack *ct)
 {
 	uint8_t flags;
 
-	/* XXX: related connections */
+	/* we hit error if we try to change the expected bit */
 	if (nfct_attr_is_set(ct, ATTR_STATUS)) {
 		uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS);
 		status &= ~IPS_EXPECTED;
@@ -325,6 +325,8 @@ int nl_create_conntrack(struct nf_conntrack *ct)
 /* This function modifies the conntrack passed as argument! */
 int nl_update_conntrack(struct nf_conntrack *ct)
 {
+	uint8_t flags;
+
 	/* unset NAT info, otherwise we hit error */
 	nfct_attr_unset(ct, ATTR_SNAT_IPV4);
 	nfct_attr_unset(ct, ATTR_DNAT_IPV4);
@@ -349,7 +351,18 @@ int nl_update_conntrack(struct nf_conntrack *ct)
 		nfct_attr_unset(ct, ATTR_MASTER_PORT_DST);
 	}
 
-	return nl_create_conntrack(ct);
+	nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
+
+	/*
+	 * TCP flags to overpass window tracking for recovered connections
+	 */
+	flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM;
+	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
+	nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
+	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
+	nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
+
+	return nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct);
 }
 
 int nl_destroy_conntrack(struct nf_conntrack *ct)