Message-ID: <20220407102657.GB16047@breakpoint.cc>
Date: Thu, 7 Apr 2022 12:26:57 +0200
From: Florian Westphal <fw@...len.de>
To: Jozsef Kadlecsik <kadlec@...filter.org>
Cc: Florian Westphal <fw@...len.de>,
Neal Cardwell <ncardwell@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
Jaco Kroon <jaco@....co.za>, netfilter-devel@...r.kernel.org,
netdev@...r.kernel.org
Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP
connections
Jozsef Kadlecsik <kadlec@...filter.org> wrote:
> I'd merge the two conditions so that it'd cover both original condition
> branches:
>
> diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> index 8ec55cd72572..87375ce2f995 100644
> --- a/net/netfilter/nf_conntrack_proto_tcp.c
> +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> @@ -556,33 +556,26 @@ static bool tcp_in_window(struct nf_conn *ct,
> }
>
> }
> - } else if (((state->state == TCP_CONNTRACK_SYN_SENT
> - && dir == IP_CT_DIR_ORIGINAL)
> - || (state->state == TCP_CONNTRACK_SYN_RECV
> - && dir == IP_CT_DIR_REPLY))
> - && after(end, sender->td_end)) {
> + } else if (tcph->syn &&
> + ((after(end, sender->td_end) &&
> + (state->state == TCP_CONNTRACK_SYN_SENT ||
> + state->state == TCP_CONNTRACK_SYN_RECV)) ||
> + (dir == IP_CT_DIR_REPLY &&
> + state->state == TCP_CONNTRACK_SYN_SENT))) {
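
Review bot: The second clause of the new condition (dir == IP_CT_DIR_REPLY with state->state == TCP_CONNTRACK_SYN_SENT) has no after(end, sender->td_end) test, so with tcph->syn set the branch is taken in that state and direction even when the sequence has not advanced. Either require after() there as well, or add a comment saying why taking the branch without it is intended. The first clause also drops the direction checks that the removed lines had (SYN_SENT paired with IP_CT_DIR_ORIGINAL, SYN_RECV paired with IP_CT_DIR_REPLY), so it now matches both directions in both states; a short comment stating that this widening is deliberate would make the merged condition easier to verify.
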
That's what I did as well, I merged the two branches but I made the
2nd clause stricter to also consider the after() test; it would no
longer re-init for syn-acks when sequence did not advance.

Then, dir == IP_CT_DIR_REPLY && state == SYN_SENT is already covered
by earlier test and can be elided.

I'm fine with your version though, will you submit a patch?