Commit 6a9378b5 authored by Harald Welte's avatar Harald Welte Committed by Linus Torvalds

[NETFILTER]: Optimization of ip_conntrack_proto_tcp:tcp_packet()

A: Pablo Neira
D: This patch cleans up tcp_packet().  No semantic change, just juggling
D: code pieces.
parent f0fdf5f8
...@@ -178,6 +178,16 @@ static int tcp_packet(struct ip_conntrack *conntrack, ...@@ -178,6 +178,16 @@ static int tcp_packet(struct ip_conntrack *conntrack,
if (skb_copy_bits(skb, skb->nh.iph->ihl * 4, &tcph, sizeof(tcph)) != 0) if (skb_copy_bits(skb, skb->nh.iph->ihl * 4, &tcph, sizeof(tcph)) != 0)
return -1; return -1;
/* If only reply is a RST, we can consider ourselves not to
have an established connection: this is a fairly common
problem case, so we can delete the conntrack
immediately. --RR */
if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) && tcph.rst) {
if (del_timer(&conntrack->timeout))
conntrack->timeout.function((unsigned long)conntrack);
return NF_ACCEPT;
}
WRITE_LOCK(&tcp_lock); WRITE_LOCK(&tcp_lock);
oldtcpstate = conntrack->proto.tcp.state; oldtcpstate = conntrack->proto.tcp.state;
newconntrack newconntrack
...@@ -199,29 +209,21 @@ static int tcp_packet(struct ip_conntrack *conntrack, ...@@ -199,29 +209,21 @@ static int tcp_packet(struct ip_conntrack *conntrack,
/* Poor man's window tracking: record SYN/ACK for handshake check */ /* Poor man's window tracking: record SYN/ACK for handshake check */
if (oldtcpstate == TCP_CONNTRACK_SYN_SENT if (oldtcpstate == TCP_CONNTRACK_SYN_SENT
&& CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY && CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY
&& tcph.syn && tcph.ack) && tcph.syn && tcph.ack) {
conntrack->proto.tcp.handshake_ack conntrack->proto.tcp.handshake_ack
= htonl(ntohl(tcph.seq) + 1); = htonl(ntohl(tcph.seq) + 1);
goto out;
}
/* If only reply is a RST, we can consider ourselves not to /* Set ASSURED if we see valid ack in ESTABLISHED after SYN_RECV */
have an established connection: this is a fairly common
problem case, so we can delete the conntrack
immediately. --RR */
if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) && tcph.rst) {
WRITE_UNLOCK(&tcp_lock);
if (del_timer(&conntrack->timeout))
conntrack->timeout.function((unsigned long)conntrack);
} else {
/* Set ASSURED if we see see valid ack in ESTABLISHED after SYN_RECV */
if (oldtcpstate == TCP_CONNTRACK_SYN_RECV if (oldtcpstate == TCP_CONNTRACK_SYN_RECV
&& CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL && CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL
&& tcph.ack && !tcph.syn && tcph.ack && !tcph.syn
&& tcph.ack_seq == conntrack->proto.tcp.handshake_ack) && tcph.ack_seq == conntrack->proto.tcp.handshake_ack)
set_bit(IPS_ASSURED_BIT, &conntrack->status); set_bit(IPS_ASSURED_BIT, &conntrack->status);
WRITE_UNLOCK(&tcp_lock); out: WRITE_UNLOCK(&tcp_lock);
ip_ct_refresh(conntrack, *tcp_timeouts[newconntrack]); ip_ct_refresh(conntrack, *tcp_timeouts[newconntrack]);
}
return NF_ACCEPT; return NF_ACCEPT;
} }
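Review bot: The relocated RST check now returns before WRITE_LOCK(&tcp_lock) and before the state transition that follows the `newconntrack` line (those lines lie between the two hunks and are not visible here), so on the RST path the entry's tcp state is no longer advanced and the lock is never taken; if del_timer() returns 0 because the timer is already running, the entry briefly survives with its pre-RST state, a small behavioural difference the "no semantic change" description does not mention and that is worth either confirming as harmless or recording in the description. The `goto out;` added to the SYN/ACK branch is only safe because oldtcpstate is TCP_CONNTRACK_SYN_SENT there, which makes the SYN_RECV/ASSURED test below unreachable for that packet; a comment such as `/* oldtcpstate is SYN_SENT, so the SYN_RECV/ASSURED check cannot match: go straight to unlock + refresh */` would spare the next reader that derivation. The `out:` label is attached to the WRITE_UNLOCK line; kernel style puts labels on a line of their own at column 0. tcp_packet() begins before the first hunk.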