1. 02 Jun, 2009 2 commits
    • netfilter: nf_ct_tcp: TCP simultaneous open support · 874ab923
      Jozsef Kadlecsik authored
      The patch below adds supporting TCP simultaneous open to conntrack. The
      unused LISTEN state is replaced by a new state (SYN_SENT2) denoting the
      second SYN sent from the reply direction in the new case. The state table
      is updated and the function tcp_in_window is modified to handle
      simultaneous open.
      
      The functionality can fairly easily be tested by socat. A sample tcpdump
      recording
      
      23:21:34.244733 IP (tos 0x0, ttl 64, id 49224, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.254.2020 > 192.168.0.1.2020: S, cksum 0xe75f (correct), 3383710133:3383710133(0) win 5840 <mss 1460,sackOK,timestamp 173445629 0,nop,wscale 7>
      23:21:34.244783 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.2020 > 192.168.0.254.2020: R, cksum 0x0253 (correct), 0:0(0) ack 3383710134 win 0
      23:21:36.038680 IP (tos 0x0, ttl 64, id 28092, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.1.2020 > 192.168.0.254.2020: S, cksum 0x704b (correct), 2634546729:2634546729(0) win 5840 <mss 1460,sackOK,timestamp 824213 0,nop,wscale 1>
      23:21:36.038777 IP (tos 0x0, ttl 64, id 49225, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.254.2020 > 192.168.0.1.2020: S, cksum 0xb179 (correct), 3383710133:3383710133(0) ack 2634546730 win 5840 <mss 1460,sackOK,timestamp 173447423 824213,nop,wscale 7>
      23:21:36.038847 IP (tos 0x0, ttl 64, id 28093, offset 0, flags [DF], proto TCP (6), length 52) 192.168.0.1.2020 > 192.168.0.254.2020: ., cksum 0xebad (correct), ack 3383710134 win 2920 <nop,nop,timestamp 824213 173447423>
      
      and the corresponding netlink events:
      
          [NEW] tcp      6 120 SYN_SENT src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 [UNREPLIED] src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
       [UPDATE] tcp      6 120 LISTEN src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
       [UPDATE] tcp      6 60 SYN_RECV src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
       [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020 [ASSURED]
      
      The RST packet was dropped in the raw table, thus it did not reach
      conntrack.  nfnetlink_conntrack is unpatched so it shows the new SYN_SENT2
      state as the old unused LISTEN.
      
      With TCP simultaneous open support we satisfy REQ-2 in RFC 5382 ;-).
      
      An additional minor correction in this patch is that, in order to catch
      uninitialized reply directions, "td_maxwin == 0" is used instead of
      "td_end == 0", because the former can't be true except in the uninitialized
      state, while td_end may accidentally be equal to zero in the middle of a
      connection.
      
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
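As an added example, not part of the commit above and not the kernel's nf_conntrack code: a simplified Python model of the conntrack TCP state machine, driven by the tcpdump lines quoted in the commit message. The transition table is an illustration only; it encodes the standard three-way handshake, the simultaneous open sequence the event log above shows (SYN_SENT, SYN_SENT2, SYN_RECV, ESTABLISHED), retransmitted SYNs and an RST answer, and treats everything else as invalid, whereas the kernel's tcp_conntracks table is much larger. The names TcpConntrack, track and parse_packet, and the 10.0.0.x handshake used in the checks, are the example's own. Feeding the trace with the RST filtered out, as the raw-table rule in the commit message did, reproduces the four events; letting the RST through shows why it had to be dropped for the test, since the entry goes to CLOSE and the later SYN and SYN/ACK are then invalid.

```python
import re
from collections import namedtuple

# Conntrack TCP states that appear in the commit message's event log.  The
# unpatched nfnetlink_conntrack prints the new SYN_SENT2 state as "LISTEN".
NONE, SYN_SENT, SYN_SENT2, SYN_RECV, ESTABLISHED, CLOSE = (
    "NONE", "SYN_SENT", "SYN_SENT2", "SYN_RECV", "ESTABLISHED", "CLOSE")
INVALID = "INVALID"
ORIGINAL, REPLY = "original", "reply"

# Simplified transition table keyed by (direction, segment kind, state).
# This is an illustration, not the kernel's tcp_conntracks table: only the
# three-way handshake, the simultaneous open from the commit message,
# retransmitted SYNs and an RST answer are encoded.  Anything else is
# INVALID and leaves the tracker's state untouched.
TRANSITIONS = {
    (ORIGINAL, "SYN",    NONE):        SYN_SENT,     # new connection
    (ORIGINAL, "SYN",    SYN_SENT):    SYN_SENT,     # retransmitted SYN
    (ORIGINAL, "SYN",    CLOSE):       SYN_SENT,     # reopened connection
    (REPLY,    "SYN",    SYN_SENT):    SYN_SENT2,    # simultaneous open: 2nd SYN
    (REPLY,    "SYN",    SYN_SENT2):   SYN_SENT2,    # retransmitted 2nd SYN
    (REPLY,    "SYNACK", SYN_SENT):    SYN_RECV,     # standard open
    (ORIGINAL, "SYNACK", SYN_SENT2):   SYN_RECV,     # simultaneous open
    (ORIGINAL, "ACK",    SYN_RECV):    ESTABLISHED,  # standard open completes
    (REPLY,    "ACK",    SYN_RECV):    ESTABLISHED,  # simultaneous open completes
    (ORIGINAL, "ACK",    ESTABLISHED): ESTABLISHED,
    (REPLY,    "ACK",    ESTABLISHED): ESTABLISHED,
    (ORIGINAL, "ACK",    CLOSE):       CLOSE,
    (REPLY,    "ACK",    CLOSE):       CLOSE,
    (ORIGINAL, "RST",    SYN_SENT):    CLOSE,
    (REPLY,    "RST",    SYN_SENT):    CLOSE,        # refused connection
}

Packet = namedtuple("Packet", "src sport dst dport kind")

# Matches the old-style tcpdump lines quoted in the commit message, e.g.
# "... 192.168.0.254.2020 > 192.168.0.1.2020: S, cksum ..., ... ack N win ..."
PKT_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SRFP.]+), (?P<rest>.*)")

def parse_packet(line):
    """Extract the endpoints and classify the segment as SYN/SYNACK/ACK/FIN/RST."""
    m = PKT_RE.search(line)
    if m is None:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    flags, rest = m.group("flags"), m.group("rest")
    if "R" in flags:
        kind = "RST"
    elif "F" in flags:
        kind = "FIN"
    elif "S" in flags:
        kind = "SYNACK" if " ack " in rest else "SYN"   # "ack N" is printed separately
    else:
        kind = "ACK"                                    # "." or "P" with an ack number
    return Packet(m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")), kind)

class TcpConntrack:
    """One conntrack entry: original tuple, current state and emitted events."""
    def __init__(self):
        self.orig = None
        self.state = NONE
        self.events = []

    def direction(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.orig is None:
            self.orig = key                 # the first packet defines ORIGINAL
        if key == self.orig:
            return ORIGINAL
        if key == (self.orig[2], self.orig[3], self.orig[0], self.orig[1]):
            return REPLY
        raise ValueError("packet does not belong to this flow: %r" % (pkt,))

    def feed(self, pkt):
        """Apply one segment; return the resulting state, or INVALID."""
        new = TRANSITIONS.get((self.direction(pkt), pkt.kind, self.state), INVALID)
        if new == INVALID:
            return INVALID
        if new != self.state:
            self.events.append("[%s] %s" % ("NEW" if self.state == NONE else "UPDATE", new))
        self.state = new
        return new

def track(lines, drop_rst=False):
    """Run tcpdump lines through one entry.  drop_rst mimics the raw-table rule
    from the commit message that kept the RST away from conntrack."""
    ct = TcpConntrack()
    verdicts = []
    for line in lines:
        pkt = parse_packet(line)
        if drop_rst and pkt.kind == "RST":
            continue
        verdicts.append(ct.feed(pkt))
    return ct.events, verdicts

# The five packets from the commit message, with the timestamp/IP-header prefix trimmed.
TRACE = [
    "192.168.0.254.2020 > 192.168.0.1.2020: S, cksum 0xe75f (correct), 3383710133:3383710133(0) win 5840 <mss 1460,sackOK,timestamp 173445629 0,nop,wscale 7>",
    "192.168.0.1.2020 > 192.168.0.254.2020: R, cksum 0x0253 (correct), 0:0(0) ack 3383710134 win 0",
    "192.168.0.1.2020 > 192.168.0.254.2020: S, cksum 0x704b (correct), 2634546729:2634546729(0) win 5840 <mss 1460,sackOK,timestamp 824213 0,nop,wscale 1>",
    "192.168.0.254.2020 > 192.168.0.1.2020: S, cksum 0xb179 (correct), 3383710133:3383710133(0) ack 2634546730 win 5840 <mss 1460,sackOK,timestamp 173447423 824213,nop,wscale 7>",
    "192.168.0.1.2020 > 192.168.0.254.2020: ., cksum 0xebad (correct), ack 3383710134 win 2920 <nop,nop,timestamp 824213 173447423>",
]

if __name__ == "__main__":
    for drop in (True, False):
        events, verdicts = track(TRACE, drop_rst=drop)
        print("RST dropped in raw:" if drop else "RST reaches conntrack:", events, verdicts)
```

With the RST dropped the model emits the same four events as the log above (SYN_SENT2 where the unpatched tool printed LISTEN); with the RST delivered, the entry moves to CLOSE and the subsequent reply SYN and original SYN/ACK are reported invalid, which is the reason the commit message mentions dropping it in the raw table for the test.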
    • 8cc848fa (Patrick McHardy)
  2. 27 May, 2009 34 commits
  3. 26 May, 2009 4 commits