diff options
-rw-r--r-- | src/netlink.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/src/netlink.c b/src/netlink.c index e9b1cfd..8b02ac5 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -301,7 +301,7 @@ int nl_create_conntrack(struct nf_conntrack *ct) { uint8_t flags; - /* XXX: related connections */ + /* we hit error if we try to change the expected bit */ if (nfct_attr_is_set(ct, ATTR_STATUS)) { uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS); status &= ~IPS_EXPECTED; @@ -325,6 +325,8 @@ int nl_create_conntrack(struct nf_conntrack *ct) /* This function modifies the conntrack passed as argument! */ int nl_update_conntrack(struct nf_conntrack *ct) { + uint8_t flags; + /* unset NAT info, otherwise we hit error */ nfct_attr_unset(ct, ATTR_SNAT_IPV4); nfct_attr_unset(ct, ATTR_DNAT_IPV4); @@ -349,7 +351,18 @@ int nl_update_conntrack(struct nf_conntrack *ct) nfct_attr_unset(ct, ATTR_MASTER_PORT_DST); } - return nl_create_conntrack(ct); + nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY); + + /* + * TCP flags to overpass window tracking for recovered connections + */ + flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM; + nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags); + nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags); + nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags); + nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags); + + return nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct); } int nl_destroy_conntrack(struct nf_conntrack *ct) |