Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 17311393 authored by Jozsef Kadlecsik's avatar Jozsef Kadlecsik Committed by David S. Miller
Browse files

[NETFILTER]: nf_conntrack_tcp: fix connection reopening 



With your description I could reproduce the bug and actually you were
completely right: the code above is incorrect. Somehow I was able to
misread RFC1122 and mixed the roles :-(:

   When a connection is >>closed actively<<, it MUST linger in
   TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
   However, it MAY >>accept<< a new SYN from the remote TCP to
   reopen the connection directly from TIME-WAIT state, if it:
   [...]

The fix is as follows: if the receiver initiated an active close, then the
sender may reopen the connection - otherwise try to figure out if we hold
a dead connection.

Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Tested-by: default avatarKrzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent d71fce6b

net/netfilter/nf_conntrack_proto_tcp.c

+14 −21
Original line number Diff line number Diff line
@@ -831,6 +831,20 @@ static int tcp_packet(struct nf_conn *conntrack, 
	tuple = &conntrack->tuplehash[dir].tuple;



	switch (new_state) {

	case TCP_CONNTRACK_SYN_SENT:

		if (old_state < TCP_CONNTRACK_TIME_WAIT)

			break;

		if (conntrack->proto.tcp.seen[!dir].flags &

			IP_CT_TCP_FLAG_CLOSE_INIT) {

			/* Attempt to reopen a closed connection.

			* Delete this connection and look up again. */

			write_unlock_bh(&tcp_lock);

			if (del_timer(&conntrack->timeout))

				conntrack->timeout.function((unsigned long)

							    conntrack);

			return -NF_REPEAT;

		}

		/* Fall through */

	case TCP_CONNTRACK_IGNORE:

		/* Ignored packets:

		 *
@@ -879,27 +893,6 @@ static int tcp_packet(struct nf_conn *conntrack, 
			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,

				  "nf_ct_tcp: invalid state ");

		return -NF_ACCEPT;

	case TCP_CONNTRACK_SYN_SENT:

		if (old_state < TCP_CONNTRACK_TIME_WAIT)

			break;

		if ((conntrack->proto.tcp.seen[dir].flags &

			IP_CT_TCP_FLAG_CLOSE_INIT)

		    || after(ntohl(th->seq),

			     conntrack->proto.tcp.seen[dir].td_end)) {

			/* Attempt to reopen a closed connection.

			* Delete this connection and look up again. */

			write_unlock_bh(&tcp_lock);

			if (del_timer(&conntrack->timeout))

				conntrack->timeout.function((unsigned long)

							    conntrack);

			return -NF_REPEAT;

		} else {

			write_unlock_bh(&tcp_lock);

			if (LOG_INVALID(IPPROTO_TCP))

				nf_log_packet(pf, 0, skb, NULL, NULL,

					      NULL, "nf_ct_tcp: invalid SYN");

			return -NF_ACCEPT;

		}

	case TCP_CONNTRACK_CLOSE:

		if (index == TCP_RST_SET

		    && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)