summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/netlink.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/src/netlink.c b/src/netlink.c
index e9b1cfd..8b02ac5 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -301,7 +301,7 @@ int nl_create_conntrack(struct nf_conntrack *ct)
{
uint8_t flags;
- /* XXX: related connections */
+ /* we hit error if we try to change the expected bit */
if (nfct_attr_is_set(ct, ATTR_STATUS)) {
uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS);
status &= ~IPS_EXPECTED;
@@ -325,6 +325,8 @@ int nl_create_conntrack(struct nf_conntrack *ct)
/* This function modifies the conntrack passed as argument! */
int nl_update_conntrack(struct nf_conntrack *ct)
{
+ uint8_t flags;
+
/* unset NAT info, otherwise we hit error */
nfct_attr_unset(ct, ATTR_SNAT_IPV4);
nfct_attr_unset(ct, ATTR_DNAT_IPV4);
@@ -349,7 +351,18 @@ int nl_update_conntrack(struct nf_conntrack *ct)
nfct_attr_unset(ct, ATTR_MASTER_PORT_DST);
}
- return nl_create_conntrack(ct);
+ nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
+
+ /*
+ * TCP flags to overpass window tracking for recovered connections
+ */
+ flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM;
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
+
+ return nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct);
}
int nl_destroy_conntrack(struct nf_conntrack *ct)