author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-01-25 17:53:21 +0100 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-01-25 17:53:21 +0100 |
commit | 30ab4eae6a196102285fd649119fa2d9afe35a32 (patch) | |
tree | 341ec7bfbe8dceff44fea23a8483063d74902f2d | |
parent | cced587d766b9194b698a156d241766d5bad8a9d (diff) | |
netlink: set IP_CT_TCP_FLAG_CLOSE_INIT for TIME_WAIT states
This patch sets IP_CT_TCP_FLAG_CLOSE_INIT if the entry is in TCP
TIME_WAIT state. This patch is a workaround; the daemon should
propagate the kernel's internal TCP flags instead, so that it is fully
independent of future changes in the TCP tracking code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/netlink.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/netlink.c b/src/netlink.c
index 24d61a0..a9e3d2d 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -27,6 +27,7 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/fcntl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
 
 struct nfct_handle *nl_init_event_handler(void)
 {
@@ -226,6 +227,12 @@ int nl_create_conntrack(struct nfct_handle *h,
 	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
 		uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
 				IP_CT_TCP_FLAG_SACK_PERM;
+
+		/* FIXME: workaround, we should send TCP flags in updates */
+		if (nfct_get_attr_u32(ct, ATTR_TCP_STATE) ==
+		    TCP_CONNTRACK_TIME_WAIT) {
+			flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+		}
 		nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
 		nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
 		nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
@@ -285,6 +292,12 @@ int nl_update_conntrack(struct nfct_handle *h,
 	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
 		uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
 				IP_CT_TCP_FLAG_SACK_PERM;
+
+		/* FIXME: workaround, we should send TCP flags in updates */
+		if (nfct_get_attr_u32(ct, ATTR_TCP_STATE) ==
+		    TCP_CONNTRACK_TIME_WAIT) {
+			flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+		}
 		nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
 		nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
 		nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
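Review bot: The new TIME_WAIT check in nl_create_conntrack reads ATTR_TCP_STATE through nfct_get_attr_u32, while every sibling TCP attribute in the same block is written with the 8-bit setter (nfct_set_attr_u8); if ATTR_TCP_STATE is a one-byte attribute in this libnetfilter_conntrack version, as I believe it is, the 32-bit getter reads three bytes beyond the state field and the comparison with TCP_CONNTRACK_TIME_WAIT silently fails whenever those neighbouring bytes are non-zero. Please confirm the attribute width against the library header; if it is u8 the condition should read `if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) == TCP_CONNTRACK_TIME_WAIT) {`. A silent miss here means a replicated TIME_WAIT entry is injected without CLOSE_INIT, which is precisely the case this workaround is meant to cover, and nothing in the hunk would report it. nl_create_conntrack starts before this hunk and continues after it.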
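Review bot: The six lines added to nl_update_conntrack are a verbatim copy of the block added to nl_create_conntrack, so the FIXME now has to be fixed in two places and the two paths can drift the next time the flag logic changes. I would lift the flag computation into one static helper and have both functions call it, keeping whichever getter width turns out to be correct for ATTR_TCP_STATE; the helper's header comment should also say why CLOSE_INIT is forced for TIME_WAIT, which neither the inline FIXME nor the commit message explains beyond "workaround". nl_update_conntrack starts before this hunk and continues after it.

```c
/*
 * FIXME: workaround. The daemon does not yet propagate the kernel's own
 * TCP flags, so they are reconstructed here; TIME_WAIT entries get
 * CLOSE_INIT in addition to the base flags (reason to be documented).
 */
static uint8_t nl_tcp_flags_for_state(const struct nf_conntrack *ct)
{
	uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM;

	if (nfct_get_attr_u32(ct, ATTR_TCP_STATE) == TCP_CONNTRACK_TIME_WAIT)
		flags |= IP_CT_TCP_FLAG_CLOSE_INIT;

	return flags;
}

/* … unchanged: nl_update_conntrack up to the ATTR_TCP_STATE check … */
	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
		uint8_t flags = nl_tcp_flags_for_state(ct);
/* … unchanged: the four nfct_set_attr_u8() calls … */
```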