From d8df7a62cf50cc1af868b22e4d301a78e7f5c450 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 7 Aug 2008 15:22:00 +0200
Subject: netlink: avoid errors related to the expected bit handling
We hit error if we try to change the expected bit for already existing conntracks. On the other hand, if the conntrack does not exist, do not change the expected bit, otherwise we also hit error.
Signed-off-by: Pablo Neira Ayuso
---
 src/netlink.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/netlink.c b/src/netlink.c
index e9b1cfd..8b02ac5 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -301,7 +301,7 @@ int nl_create_conntrack(struct nf_conntrack *ct)
 {
 uint8_t flags;
- /* XXX: related connections */
+ /* we hit error if we try to change the expected bit */
 if (nfct_attr_is_set(ct, ATTR_STATUS)) {
 uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS);
 status &= ~IPS_EXPECTED;
@@ -325,6 +325,8 @@ int nl_create_conntrack(struct nf_conntrack *ct)
 /* This function modifies the conntrack passed as argument! */
 int nl_update_conntrack(struct nf_conntrack *ct)
 {
+ uint8_t flags;
+
 /* unset NAT info, otherwise we hit error */
 nfct_attr_unset(ct, ATTR_SNAT_IPV4);
 nfct_attr_unset(ct, ATTR_DNAT_IPV4);
@@ -349,7 +351,18 @@ int nl_update_conntrack(struct nf_conntrack *ct)
 nfct_attr_unset(ct, ATTR_MASTER_PORT_DST);
 }
- return nl_create_conntrack(ct);
+ nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
+
+ /*
+ * TCP flags to overpass window tracking for recovered connections
+ */
+ flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM;
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
+
+ return nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct);
 }
 int nl_destroy_conntrack(struct nf_conntrack *ct)
--
cgit v1.2.3
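Review bot: The reworded comment above the `status &= ~IPS_EXPECTED;` line in nl_create_conntrack says an error is hit but not what the code does about it, so a reader still has to work out that the expected bit is being cleared from the status before the create request goes out. Tying the comment to the line below it reads better: `/* creation fails if IPS_EXPECTED is set in the status, so clear it here */`. The commit message also states the other half of the rule (never touch the bit on an existing conntrack), which is handled in nl_update_conntrack in the last hunk; a one-line cross-reference here would keep the two paths readable together. nl_create_conntrack's body continues past the end of this hunk.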
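Review bot: The TCP-flag block added at the end of nl_update_conntrack looks like a copy of what nl_create_conntrack already does (the first hunk shows that function declaring the same `uint8_t flags`), and now that the update path no longer calls nl_create_conntrack the two copies can drift; if the bodies do match, both should call one static helper. Setting IP_CT_TCP_FLAG_BE_LIBERAL in both directions relaxes the kernel's TCP window check for the recovered connection, which is a deliberate trade-off worth stating plainly instead of "overpass", e.g. `/* relax the kernel's TCP window tracking in both directions for recovered connections */`. The attributes are also set without checking that ATTR_L4PROTO is IPPROTO_TCP; if libnetfilter_conntrack does not already drop TCP protoinfo for non-TCP entries, a UDP or ICMP conntrack would be updated with stray TCP attributes, so a guard on the protocol is cheap insurance. nfct_setobjopt's return value is dropped while nfct_query's is returned, which may be intended but is inconsistent. nl_update_conntrack's body starts before this hunk.
```c
/* Relax TCP window tracking on both directions of a recovered connection. */
static void nl_set_tcp_liberal(struct nf_conntrack *ct)
{
	uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM;

	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
	nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
	nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
}

/* … unchanged: nl_update_conntrack up to the master-tuple unsetting … */
	nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
	if (nfct_get_attr_u8(ct, ATTR_L4PROTO) == IPPROTO_TCP)
		nl_set_tcp_liberal(ct);

	return nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct);
```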