c4832c7bbc

Without this patch, if we receive a SYN packet from the client while the firewall is out-of-sync, we let it go through. Then, if we see the SYN/ACK reply coming from the server, we destroy the conntrack entry and drop the packet to trigger a new retransmission. Then, the retransmission from the client is used to start a new clean session.

This patch improves the current handling. Basically, if we see an unexpected SYN packet, we annotate the TCP options. Then, if we see the reply SYN/ACK, this means that the firewall was indeed out-of-sync. Therefore, we set a clean new session from the existing entry based on the annotated values.

This patch adds two new 8-bit fields that fit in a 16-bit gap of the ip_ct_tcp structure.

This patch is particularly useful for conntrackd since the asynchronous nature of the state-synchronization allows having backup nodes that are not perfect copies of the master. This helps to improve the recovery under some worst-case scenarios.

I have tested this by creating lots of conntrack entries in wrong state:

```
for ((i=1024;i<65535;i++)); do conntrack -I -p tcp -s 192.168.2.101 -d 192.168.2.2 --sport $i --dport 80 -t 800 --state ESTABLISHED -u ASSURED,SEEN_REPLY; done
```

Then, I make some TCP connections:

```
$ echo GET / | nc 192.168.2.2 80
```

The events show the result:

```
[UPDATE] tcp 6 60 SYN_RECV src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED]
[UPDATE] tcp 6 432000 ESTABLISHED src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED]
[UPDATE] tcp 6 120 FIN_WAIT src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED]
[UPDATE] tcp 6 30 LAST_ACK src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED]
[UPDATE] tcp 6 120 TIME_WAIT src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED]
```

and tcpdump shows no retransmissions:

```
20:47:57.271951 IP 192.168.2.101.33221 > 192.168.2.2.www: S 435402517:435402517(0) win 5840 <mss 1460,sackOK,timestamp 4294961827 0,nop,wscale 6>
20:47:57.273538 IP 192.168.2.2.www > 192.168.2.101.33221: S 3509927945:3509927945(0) ack 435402518 win 5792 <mss 1460,sackOK,timestamp 235681024 4294961827,nop,wscale 4>
20:47:57.273608 IP 192.168.2.101.33221 > 192.168.2.2.www: . ack 3509927946 win 92 <nop,nop,timestamp 4294961827 235681024>
20:47:57.273693 IP 192.168.2.101.33221 > 192.168.2.2.www: P 435402518:435402524(6) ack 3509927946 win 92 <nop,nop,timestamp 4294961827 235681024>
20:47:57.275492 IP 192.168.2.2.www > 192.168.2.101.33221: . ack 435402524 win 362 <nop,nop,timestamp 235681024 4294961827>
20:47:57.276492 IP 192.168.2.2.www > 192.168.2.101.33221: P 3509927946:3509928082(136) ack 435402524 win 362 <nop,nop,timestamp 235681025 4294961827>
20:47:57.276515 IP 192.168.2.101.33221 > 192.168.2.2.www: . ack 3509928082 win 108 <nop,nop,timestamp 4294961828 235681025>
20:47:57.276521 IP 192.168.2.2.www > 192.168.2.101.33221: F 3509928082:3509928082(0) ack 435402524 win 362 <nop,nop,timestamp 235681025 4294961827>
20:47:57.277369 IP 192.168.2.101.33221 > 192.168.2.2.www: F 435402524:435402524(0) ack 3509928083 win 108 <nop,nop,timestamp 4294961828 235681025>
20:47:57.279491 IP 192.168.2.2.www > 192.168.2.101.33221: . ack 435402525 win 362 <nop,nop,timestamp 235681025 4294961828>
```

I also added a rule to log invalid packets, with no occurrences :-).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
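The two recovery paths the commit message contrasts, as an added user-space model (not the kernel's nf_conntrack_proto_tcp code): an entry stuck in ESTABLISHED sees an unexpected client SYN, then the server's SYN/ACK; the old path destroys the entry and drops the SYN/ACK, the patched path rebuilds a clean SYN_RECV session from the annotated options. Field names `last_wscale`/`last_flags`, the `last_syn` marker, the option bit values and the verdict names are assumptions of this model; the window-scale values 6 and 4 are those from the tcpdump trace above.

```c
#include <stdint.h>
#include <stdbool.h>

enum dir     { ORIGINAL = 0, REPLY = 1 };
enum state   { ST_NONE, ST_SYN_SENT, ST_SYN_RECV, ST_ESTABLISHED };
enum verdict { ACCEPT, DROP_AND_DESTROY };

#define TH_SYN     0x02
#define TH_ACK     0x10
#define OPT_WSCALE 0x01   /* window scale option present (assumed bit) */
#define OPT_SACK   0x02   /* SACK permitted option present (assumed bit) */

struct ct_tcp {               /* model of the relevant ip_ct_tcp fields */
    enum state state;
    uint8_t wscale[2];        /* negotiated scale per direction */
    uint8_t last_wscale;      /* assumed name: scale annotated from the unexpected SYN */
    uint8_t last_flags;       /* assumed name: options annotated from the unexpected SYN */
    bool    last_syn;         /* an unexpected SYN has been annotated */
};

/* Track one segment; 'improved' selects the patched behaviour. */
enum verdict track(struct ct_tcp *ct, enum dir d, uint8_t th_flags,
                   uint8_t opt_flags, uint8_t wscale, bool improved)
{
    bool syn = th_flags == TH_SYN, synack = th_flags == (TH_SYN | TH_ACK);

    if (ct->state == ST_ESTABLISHED && d == ORIGINAL && syn) {
        if (improved) {       /* let it through and remember its options */
            ct->last_syn = true; ct->last_flags = opt_flags; ct->last_wscale = wscale;
        }
        return ACCEPT;
    }
    if (ct->state == ST_ESTABLISHED && d == REPLY && synack) {
        if (!improved || !ct->last_syn) {
            ct->state = ST_NONE;           /* old path: destroy entry, drop packet */
            return DROP_AND_DESTROY;
        }
        /* SYN/ACK confirms we were out-of-sync: rebuild the session in place. */
        bool both_ws = (ct->last_flags & opt_flags & OPT_WSCALE) != 0;
        ct->wscale[ORIGINAL] = both_ws ? ct->last_wscale : 0;
        ct->wscale[REPLY]    = both_ws ? wscale : 0;
        ct->state = ST_SYN_RECV; ct->last_syn = false;
        return ACCEPT;
    }
    /* Ordinary three-way handshake transitions. */
    if (ct->state == ST_NONE && d == ORIGINAL && syn) { ct->wscale[ORIGINAL] = wscale; ct->state = ST_SYN_SENT; }
    else if (ct->state == ST_SYN_SENT && d == REPLY && synack) { ct->wscale[REPLY] = wscale; ct->state = ST_SYN_RECV; }
    else if (ct->state == ST_SYN_RECV && d == ORIGINAL && (th_flags & TH_ACK)) ct->state = ST_ESTABLISHED;
    return ACCEPT;
}
```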