1. 02 Jun, 2009 7 commits
    • netfilter: ctnetlink: cleanup message-size calculation · 03b64f51
      Pablo Neira Ayuso authored
      This patch cleans up the message calculation to make it similar
      to rtnetlink; moreover, it removes unneeded verbose information.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ctnetlink: use nlmsg_* helper function to build messages · 96bcf938
      Pablo Neira Ayuso authored
      Replaces the old macros to build Netlink messages with the
      new nlmsg_*() helper functions.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ctnetlink: rename tuple() by nf_ct_tuple() macro definition · f2f3e38c
      Pablo Neira Ayuso authored
      This patch moves the internal tuple() macro definition to the
      header file as nf_ct_tuple().
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ctnetlink: remove nowait parameter from *fill_info() · 8b0a231d
      Pablo Neira Ayuso authored
      This patch is a cleanup: it removes the `nowait' parameter
      from all *fill_info() functions since it is always set to one.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nfnetlink: cleanup for nfnetlink_rcv_msg() function · f49c857f
      Pablo Neira Ayuso authored
      This patch cleans up the message handling path in two aspects:
      
       * it uses NLMSG_LENGTH() instead of NLMSG_SPACE() like rtnetlink
      does in this case to check if there is enough room for the
      Netlink/nfnetlink headers. No need to check for the padding room.
      
       * it removes a redundant header size check that has already
       been done at the beginning of the function.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_ct_tcp: TCP simultaneous open support · 874ab923
      Jozsef Kadlecsik authored
      The patch below adds support for TCP simultaneous open to conntrack. The
      unused LISTEN state is replaced by a new state (SYN_SENT2) denoting the
      second SYN sent from the reply direction in the new case. The state table
      is updated and the function tcp_in_window is modified to handle
      simultaneous open.
      
      The functionality can fairly easily be tested by socat. A sample tcpdump
      recording
      
      23:21:34.244733 IP (tos 0x0, ttl 64, id 49224, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.254.2020 > 192.168.0.1.2020: S, cksum 0xe75f (correct), 3383710133:3383710133(0) win 5840 <mss 1460,sackOK,timestamp 173445629 0,nop,wscale 7>
      23:21:34.244783 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.2020 > 192.168.0.254.2020: R, cksum 0x0253 (correct), 0:0(0) ack 3383710134 win 0
      23:21:36.038680 IP (tos 0x0, ttl 64, id 28092, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.1.2020 > 192.168.0.254.2020: S, cksum 0x704b (correct), 2634546729:2634546729(0) win 5840 <mss 1460,sackOK,timestamp 824213 0,nop,wscale 1>
      23:21:36.038777 IP (tos 0x0, ttl 64, id 49225, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.254.2020 > 192.168.0.1.2020: S, cksum 0xb179 (correct), 3383710133:3383710133(0) ack 2634546730 win 5840 <mss 1460,sackOK,timestamp 173447423 824213,nop,wscale 7>
      23:21:36.038847 IP (tos 0x0, ttl 64, id 28093, offset 0, flags [DF], proto TCP (6), length 52) 192.168.0.1.2020 > 192.168.0.254.2020: ., cksum 0xebad (correct), ack 3383710134 win 2920 <nop,nop,timestamp 824213 173447423>
      
      and the corresponding netlink events:
      
          [NEW] tcp      6 120 SYN_SENT src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 [UNREPLIED] src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
       [UPDATE] tcp      6 120 LISTEN src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
       [UPDATE] tcp      6 60 SYN_RECV src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
       [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020 [ASSURED]
      
      The RST packet was dropped in the raw table, thus it did not reach
      conntrack.  nfnetlink_conntrack is unpatched so it shows the new SYN_SENT2
      state as the old unused LISTEN.
      
      With TCP simultaneous open support we satisfy REQ-2 in RFC 5382 ;-) .
      
      An additional minor correction in this patch is that in order to catch
      uninitialized reply directions, "td_maxwin == 0" is used instead of
      "td_end == 0" because the former can't be true except in uninitialized
      state while td_end may accidentally be equal to zero in the middle of a
      connection.
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
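The state sequence shown in the events above, as an added simplified model that is not the kernel's code: it accepts the ordinary three-way handshake as well as the simultaneous-open path through SYN_SENT2, and includes the td_maxwin == 0 check the commit message mentions. Segment, next_state, replay and reply_uninitialized are hypothetical names; the replayed packet sequence is constructed from the tcpdump above, with the dropped RST left out.

```python
# Added illustration, not kernel code: a simplified model of the conntrack TCP
# state transitions described in commit 874ab923.  All names are hypothetical.
from dataclasses import dataclass

ORIG, REPLY = "orig", "reply"            # packet direction relative to the initiator
SYN_SENT, SYN_SENT2, SYN_RECV, ESTABLISHED, CLOSE = (
    "SYN_SENT", "SYN_SENT2", "SYN_RECV", "ESTABLISHED", "CLOSE")

@dataclass(frozen=True)
class Segment:
    direction: str            # ORIG or REPLY
    flags: frozenset          # subset of {"S", "A", "R"}

def next_state(state, seg):
    """State after seeing seg; None means no conntrack entry exists."""
    f = seg.flags
    syn_only, syn_ack, ack_only = f == {"S"}, f == {"S", "A"}, f == {"A"}
    if state is None:                       # only an initiator SYN creates an entry
        return SYN_SENT if seg.direction == ORIG and syn_only else None
    if "R" in f:                            # RST tears the entry down
        return CLOSE
    if state == SYN_SENT:
        if seg.direction == REPLY and syn_only:   # second SYN: simultaneous open
            return SYN_SENT2
        if seg.direction == REPLY and syn_ack:    # ordinary three-way handshake
            return SYN_RECV
    elif state == SYN_SENT2 and seg.direction == ORIG and syn_ack:
        return SYN_RECV                     # initiator acknowledges the second SYN
    elif state == SYN_RECV and ack_only:
        return ESTABLISHED                  # final ACK, from either side
    return state                            # retransmits and the like keep state

def replay(segments):
    """Feed segments through the model and return the state after each one."""
    state, trace = None, []
    for seg in segments:
        state = next_state(state, seg)
        trace.append(state)
    return trace

def reply_uninitialized(td_maxwin):
    """The commit's check: an unseen reply direction has td_maxwin == 0, while
    td_end can legitimately be 0 mid-connection after the sequence space wraps."""
    return td_maxwin == 0

# Constructed from the tcpdump in the commit message; the RST was dropped in the
# raw table and never reached conntrack, so it is left out of the replay.
SIMULTANEOUS_OPEN = [Segment(ORIG, frozenset("S")), Segment(REPLY, frozenset("S")),
                     Segment(ORIG, frozenset("SA")), Segment(REPLY, frozenset("A"))]
THREE_WAY = [Segment(ORIG, frozenset("S")), Segment(REPLY, frozenset("SA")),
             Segment(ORIG, frozenset("A"))]
```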
    • Patrick McHardy · 8cc848fa
  2. 27 May, 2009 33 commits