diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-12-23 23:29:06 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-12-23 23:29:06 +0100 |
commit | b78aa333ae1a73683afd44b8819186a91784d929 (patch) | |
tree | 20f3310fdfcfdbe8da0acf2f9093831e1e6347a4 | |
parent | f49cfb7598c0433d3cb3dc3d829b510a205313f4 (diff) | |
download | conntrack-tools-b78aa333ae1a73683afd44b8819186a91784d929.tar.gz conntrack-tools-b78aa333ae1a73683afd44b8819186a91784d929.zip |
conntrack: fix manually created TCP entries with window tracking enabled
With this patch, we allow to manually create TCP entries in the table.
Basically, we disable TCP window tracking for this entry to avoid
problems.
Reported-by: Roman Fiedler <roman.fiedler@ait.ac.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | extensions/libct_proto_tcp.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c index ac54ac7..cb573d0 100644 --- a/extensions/libct_proto_tcp.c +++ b/extensions/libct_proto_tcp.c @@ -202,6 +202,20 @@ static void final_check(unsigned int flags, break; } } + /* Disable TCP window tracking for manually created TCP entries, + * otherwise this will not work. */ + uint8_t tcp_flags = IP_CT_TCP_FLAG_BE_LIBERAL | + IP_CT_TCP_FLAG_SACK_PERM; + + /* This allows to reopen a new connection directly from TIME-WAIT + * as RFC 1122 states. See nf_conntrack_proto_tcp.c for more info. */ + if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >= TCP_CONNTRACK_TIME_WAIT) + tcp_flags |= IP_CT_TCP_FLAG_CLOSE_INIT; + + nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, tcp_flags); + nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, tcp_flags); + nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, tcp_flags); + nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, tcp_flags); } static struct ctproto_handler tcp = { |