From f23d9e790a27d29462c2fb6185253349375cef12 Mon Sep 17 00:00:00 2001
From: "/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org"
Date: Wed, 12 Sep 2007 12:48:34 +0000
Subject: Remove window tracking disabling limitation (requires Linux kernel >= 2.6.22)
---
 ChangeLog | 3 +++
 src/cache_iterators.c | 13 +++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 447d171..6d1aa06 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@ version 0.9.6 (yet unreleased)
 o fix compilation problem due to missing headers (Krisztian Kovacs)
 o include kernel options and Fedora comments in the INSTALL file
+= conntrackd =
+o Remove window tracking disabling limitation (requires Linux kernel >= 2.6.22)
+
 version 0.9.5 (2007/07/29)
 ------------------------------
diff --git a/src/cache_iterators.c b/src/cache_iterators.c
index 36f7364..287f92f 100644
--- a/src/cache_iterators.c
+++ b/src/cache_iterators.c
@@ -78,6 +78,7 @@ void cache_dump(struct cache *c, int fd, int type)
 static int do_commit(void *data1, void *data2)
 {
 int ret;
+ u_int8_t flags;
 struct cache *c = data1;
 struct us_conntrack *u = data2;
 struct nf_conntrack *ct = u->ct;
@@ -97,10 +98,14 @@ static int do_commit(void *data1, void *data2)
 */
 nfct_set_attr_u32(ct, ATTR_TIMEOUT, CONFIG(commit_timeout));
- if (ret == -1) {
- dlog(STATE(log), "failed to build: %s", strerror(errno));
- return 0;
- }
+ /*
+ * TCP flags to overpass window tracking for recovered connections
+ */
+ flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM;
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
 ret = nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct);
 if (ret == -1) {
--
cgit v1.2.3
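Review bot: The block added in the second `src/cache_iterators.c` hunk sets `IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM` in both directions on every entry `do_commit()` injects, with no visible check that the entry is TCP, and the comment does not say what is given up. With be-liberal set the kernel no longer enforces TCP window validation for those flows, so after a failover out-of-window segments on recovered connections would presumably stop being classified as invalid by conntrack; rulesets that rely on dropping INVALID packets lose that protection for committed flows. I would state this and the kernel requirement in the comment, e.g. `/* be_liberal: window tracking is skipped for committed flows (needs kernel >= 2.6.22), so out-of-window segments are accepted on them */`. Unless the library already ignores TCP attributes on other protocols, the four setters should also sit under a guard such as `if (nfct_get_attr_u8(ct, ATTR_L4PROTO) == IPPROTO_TCP)`. `do_commit()` starts and ends outside the hunk, so an earlier protocol check may exist that is not visible here.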