diff options
author | David S. Miller <davem@davemloft.net> | 2023-01-18 14:45:06 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2023-01-18 14:45:06 +0100 |
commit | 3e134696215f45740ef0ccd0fd67f409cb5009cc (patch) | |
tree | 7daf1ffbc7e6a3df23d8e7dcbd9217c749aa87c0 /net | |
parent | Merge tag 'for-net-2023-01-17' of git://git.kernel.org/pub/scm/linux/kernel/g... (diff) | |
parent | netfilter: conntrack: handle tcp challenge acks during connection reuse (diff) | |
download | linux-3e134696215f45740ef0ccd0fd67f409cb5009cc.tar.xz linux-3e134696215f45740ef0ccd0fd67f409cb5009cc.zip |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Niera Ayuso says:
====================
The following patchset contains Netfilter fixes for net:
1) Fix syn-retransmits until initiator gives up when connection is re-used
due to rst marked as invalid, from Florian Westphal.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 656631083177..3ac1af6f59fc 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -1068,6 +1068,13 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, ct->proto.tcp.last_flags |= IP_CT_EXP_CHALLENGE_ACK; } + + /* possible challenge ack reply to syn */ + if (old_state == TCP_CONNTRACK_SYN_SENT && + index == TCP_ACK_SET && + dir == IP_CT_DIR_REPLY) + ct->proto.tcp.last_ack = ntohl(th->ack_seq); + spin_unlock_bh(&ct->lock); nf_ct_l4proto_log_invalid(skb, ct, state, "packet (index %d) in dir %d ignored, state %s", @@ -1193,6 +1200,14 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, * segments we ignored. */ goto in_window; } + + /* Reset in response to a challenge-ack we let through earlier */ + if (old_state == TCP_CONNTRACK_SYN_SENT && + ct->proto.tcp.last_index == TCP_ACK_SET && + ct->proto.tcp.last_dir == IP_CT_DIR_REPLY && + ntohl(th->seq) == ct->proto.tcp.last_ack) + goto in_window; + break; default: /* Keep compilers happy. */ |