Commit 753ae03f authored by Harald Welte's avatar Harald Welte Committed by David S. Miller

[NETFILTER]: Add tcp window tracking

This is the tcp window tracking patch, incremental to all previous
changes.  It is now by default enabled (i.e. in 'conservative' mode).
If you think it's better to leave it disabled ('liberal' mode), you can
change ip_conntrack_tcp_be_liberal to a different default value.

Cheers,
Signed-off-by: default avatarJozsef Kadlecski <kadlec@blackhole.kfki.hu>
Signed-off-by: default avatarHarald Welte <laforge@netfilter.org>
Signed-off-by: default avatarDavid S. Miller <davem@redhat.com>
parent 51b03285
...@@ -262,6 +262,11 @@ extern void ip_ct_refresh_acct(struct ip_conntrack *ct, ...@@ -262,6 +262,11 @@ extern void ip_ct_refresh_acct(struct ip_conntrack *ct,
unsigned long extra_jiffies); unsigned long extra_jiffies);
/* These are for NAT. Icky. */ /* These are for NAT. Icky. */
/* Update TCP window tracking data when NAT mangles the packet */
extern int ip_conntrack_tcp_update(struct sk_buff *skb,
struct ip_conntrack *conntrack,
int dir);
/* Call me when a conntrack is destroyed. */ /* Call me when a conntrack is destroyed. */
extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack); extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
......
...@@ -4,25 +4,44 @@ ...@@ -4,25 +4,44 @@
enum tcp_conntrack { enum tcp_conntrack {
TCP_CONNTRACK_NONE, TCP_CONNTRACK_NONE,
TCP_CONNTRACK_ESTABLISHED,
TCP_CONNTRACK_SYN_SENT, TCP_CONNTRACK_SYN_SENT,
TCP_CONNTRACK_SYN_RECV, TCP_CONNTRACK_SYN_RECV,
TCP_CONNTRACK_ESTABLISHED,
TCP_CONNTRACK_FIN_WAIT, TCP_CONNTRACK_FIN_WAIT,
TCP_CONNTRACK_TIME_WAIT,
TCP_CONNTRACK_CLOSE,
TCP_CONNTRACK_CLOSE_WAIT, TCP_CONNTRACK_CLOSE_WAIT,
TCP_CONNTRACK_LAST_ACK, TCP_CONNTRACK_LAST_ACK,
TCP_CONNTRACK_TIME_WAIT,
TCP_CONNTRACK_CLOSE,
TCP_CONNTRACK_LISTEN, TCP_CONNTRACK_LISTEN,
TCP_CONNTRACK_MAX TCP_CONNTRACK_MAX,
TCP_CONNTRACK_IGNORE
};
/* Window scaling is advertised by the sender */
#define IP_CT_TCP_STATE_FLAG_WINDOW_SCALE 0x01
/* SACK is permitted by the sender */
#define IP_CT_TCP_FLAG_SACK_PERM 0x02
struct ip_ct_tcp_state {
u_int32_t td_end; /* max of seq + len */
u_int32_t td_maxend; /* max of ack + max(win, 1) */
u_int32_t td_maxwin; /* max(win) */
u_int8_t td_scale; /* window scale factor */
u_int8_t loose; /* used when connection picked up from the middle */
u_int8_t flags; /* per direction state flags */
}; };
struct ip_ct_tcp struct ip_ct_tcp
{ {
enum tcp_conntrack state; struct ip_ct_tcp_state seen[2]; /* connection parameters per direction */
u_int8_t state; /* state of the connection (enum tcp_conntrack) */
/* Poor man's window tracking: sequence number of valid ACK /* For detecting stale connections */
handshake completion packet */ u_int8_t last_dir; /* Direction of the last packet (enum ip_conntrack_dir) */
u_int32_t handshake_ack; u_int8_t retrans; /* Number of retransmitted packets */
u_int8_t last_index; /* Index of the last packet */
u_int32_t last_seq; /* Last sequence number seen in dir */
u_int32_t last_end; /* Last seq + len */
}; };
#endif /* _IP_CONNTRACK_TCP_H */ #endif /* _IP_CONNTRACK_TCP_H */
...@@ -807,12 +807,13 @@ unsigned int ip_conntrack_in(unsigned int hooknum, ...@@ -807,12 +807,13 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
IP_NF_ASSERT((*pskb)->nfct); IP_NF_ASSERT((*pskb)->nfct);
ret = proto->packet(ct, *pskb, ctinfo); ret = proto->packet(ct, *pskb, ctinfo);
if (ret == -1) { if (ret < 0) {
/* Invalid */ /* Invalid: inverse of the return code tells
* the netfilter core what to do*/
nf_conntrack_put((*pskb)->nfct); nf_conntrack_put((*pskb)->nfct);
(*pskb)->nfct = NULL; (*pskb)->nfct = NULL;
__get_cpu_var(ip_conntrack_stat).invalid++; __get_cpu_var(ip_conntrack_stat).invalid++;
return NF_ACCEPT; return -ret;
} }
if (ret != NF_DROP && ct->helper) { if (ret != NF_DROP && ct->helper) {
......
This diff is collapsed.
...@@ -505,6 +505,10 @@ extern unsigned long ip_ct_tcp_timeout_close_wait; ...@@ -505,6 +505,10 @@ extern unsigned long ip_ct_tcp_timeout_close_wait;
extern unsigned long ip_ct_tcp_timeout_last_ack; extern unsigned long ip_ct_tcp_timeout_last_ack;
extern unsigned long ip_ct_tcp_timeout_time_wait; extern unsigned long ip_ct_tcp_timeout_time_wait;
extern unsigned long ip_ct_tcp_timeout_close; extern unsigned long ip_ct_tcp_timeout_close;
extern unsigned long ip_ct_tcp_timeout_max_retrans;
extern int ip_ct_tcp_loose;
extern int ip_ct_tcp_be_liberal;
extern int ip_ct_tcp_max_retrans;
/* From ip_conntrack_proto_udp.c */ /* From ip_conntrack_proto_udp.c */
extern unsigned long ip_ct_udp_timeout; extern unsigned long ip_ct_udp_timeout;
...@@ -647,6 +651,38 @@ static ctl_table ip_ct_sysctl_table[] = { ...@@ -647,6 +651,38 @@ static ctl_table ip_ct_sysctl_table[] = {
.extra1 = &log_invalid_proto_min, .extra1 = &log_invalid_proto_min,
.extra2 = &log_invalid_proto_max, .extra2 = &log_invalid_proto_max,
}, },
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS,
.procname = "ip_conntrack_tcp_timeout_max_retrans",
.data = &ip_ct_tcp_timeout_max_retrans,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_LOOSE,
.procname = "ip_conntrack_tcp_loose",
.data = &ip_ct_tcp_loose,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_BE_LIBERAL,
.procname = "ip_conntrack_tcp_be_liberal",
.data = &ip_ct_tcp_be_liberal,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_MAX_RETRANS,
.procname = "ip_conntrack_tcp_max_retrans",
.data = &ip_ct_tcp_max_retrans,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec,
},
{ .ctl_name = 0 } { .ctl_name = 0 }
}; };
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment