1
linux/net/netfilter
Pablo Neira Ayuso c4832c7bbc netfilter: nf_ct_tcp: improve out-of-sync situation in TCP tracking
Without this patch, if we receive a SYN packet from the client while
the firewall is out-of-sync, we let it go through. Then, if we see
the SYN/ACK reply coming from the server, we destroy the conntrack
entry and drop the packet to trigger a new retransmission. Then,
the retransmision from the client is used to start a new clean
session.

This patch improves the current handling. Basically, if we see an
unexpected SYN packet, we annotate the TCP options. Then, if we
see the reply SYN/ACK, this means that the firewall was indeed
out-of-sync. Therefore, we set a clean new session from the existing
entry based on the annotated values.

This patch adds two new 8-bits fields that fit in a 16-bits gap of
the ip_ct_tcp structure.

This patch is particularly useful for conntrackd since the
asynchronous nature of the state-synchronization allows to have
backup nodes that are not perfect copies of the master. This helps
to improve the recovery under some worst-case scenarios.

I have tested this by creating lots of conntrack entries in wrong
state:

for ((i=1024;i<65535;i++)); do conntrack -I -p tcp -s 192.168.2.101 -d 192.168.2.2 --sport $i --dport 80 -t 800 --state ESTABLISHED -u ASSURED,SEEN_REPLY; done

Then, I make some TCP connections:

$ echo GET / | nc 192.168.2.2 80

The events show the result:

 [UPDATE] tcp      6 60 SYN_RECV src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED]
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED]
 [UPDATE] tcp      6 120 FIN_WAIT src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED]
 [UPDATE] tcp      6 30 LAST_ACK src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED]
 [UPDATE] tcp      6 120 TIME_WAIT src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED]

and tcpdump shows no retransmissions:

20:47:57.271951 IP 192.168.2.101.33221 > 192.168.2.2.www: S 435402517:435402517(0) win 5840 <mss 1460,sackOK,timestamp 4294961827 0,nop,wscale 6>
20:47:57.273538 IP 192.168.2.2.www > 192.168.2.101.33221: S 3509927945:3509927945(0) ack 435402518 win 5792 <mss 1460,sackOK,timestamp 235681024 4294961827,nop,wscale 4>
20:47:57.273608 IP 192.168.2.101.33221 > 192.168.2.2.www: . ack 3509927946 win 92 <nop,nop,timestamp 4294961827 235681024>
20:47:57.273693 IP 192.168.2.101.33221 > 192.168.2.2.www: P 435402518:435402524(6) ack 3509927946 win 92 <nop,nop,timestamp 4294961827 235681024>
20:47:57.275492 IP 192.168.2.2.www > 192.168.2.101.33221: . ack 435402524 win 362 <nop,nop,timestamp 235681024 4294961827>
20:47:57.276492 IP 192.168.2.2.www > 192.168.2.101.33221: P 3509927946:3509928082(136) ack 435402524 win 362 <nop,nop,timestamp 235681025 4294961827>
20:47:57.276515 IP 192.168.2.101.33221 > 192.168.2.2.www: . ack 3509928082 win 108 <nop,nop,timestamp 4294961828 235681025>
20:47:57.276521 IP 192.168.2.2.www > 192.168.2.101.33221: F 3509928082:3509928082(0) ack 435402524 win 362 <nop,nop,timestamp 235681025 4294961827>
20:47:57.277369 IP 192.168.2.101.33221 > 192.168.2.2.www: F 435402524:435402524(0) ack 3509928083 win 108 <nop,nop,timestamp 4294961828 235681025>
20:47:57.279491 IP 192.168.2.2.www > 192.168.2.101.33221: . ack 435402525 win 362 <nop,nop,timestamp 235681025 4294961828>

I also added a rule to log invalid packets, with no occurrences  :-) .

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-11-23 10:37:34 +01:00
..
ipvs sysctl: remove "struct file *" argument of ->proc_handler 2009-09-24 07:21:04 -07:00
core.c netfilter: remove unneeded goto 2009-02-18 16:29:08 +01:00
Kconfig Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2009-06-15 03:02:23 -07:00
Makefile netfilter: passive OS fingerprint xtables match 2009-06-08 17:01:51 +02:00
nf_conntrack_acct.c trivial: Fix paramater/parameter typo in dmesg and source comments 2009-06-12 18:01:46 +02:00
nf_conntrack_amanda.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
nf_conntrack_core.c netfilter: nf_conntrack: avoid additional compare. 2009-11-05 14:51:31 +01:00
nf_conntrack_ecache.c netfilter: conntrack: optional reliable conntrack event delivery 2009-06-13 12:30:52 +02:00
nf_conntrack_expect.c nf_conntrack: Use rcu_barrier() 2009-06-25 16:32:52 +02:00
nf_conntrack_extend.c nf_conntrack: Use rcu_barrier() 2009-06-25 16:32:52 +02:00
nf_conntrack_ftp.c netfilter: conntrack: simplify event caching system 2009-06-02 20:08:46 +02:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: conntrack: move helper destruction to nf_ct_helper_destroy() 2009-06-13 12:28:22 +02:00
nf_conntrack_irc.c netfilter: fix endian bug in conntrack printks 2009-03-28 23:55:57 -07:00
nf_conntrack_l3proto_generic.c
nf_conntrack_netbios_ns.c net: skb->rtable accessor 2009-06-03 02:51:02 -07:00
nf_conntrack_netlink.c netfilter: nfnetlink: constify message attributes and headers 2009-08-25 16:07:58 +02:00
nf_conntrack_pptp.c Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2009-03-26 15:23:24 -07:00
nf_conntrack_proto_dccp.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-06-11 16:00:49 +02:00
nf_conntrack_proto_generic.c netfilter: change generic l4 protocol number 2009-02-18 16:28:35 +01:00
nf_conntrack_proto_gre.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-06-11 16:00:49 +02:00
nf_conntrack_proto_sctp.c netfilter: nf_conntrack: use per-conntrack locks for protocol data 2009-06-10 14:32:47 +02:00
nf_conntrack_proto_tcp.c netfilter: nf_ct_tcp: improve out-of-sync situation in TCP tracking 2009-11-23 10:37:34 +01:00
nf_conntrack_proto_udp.c netfilter: nf_conntrack: calculate per-protocol nlattr size 2009-03-25 21:53:39 +01:00
nf_conntrack_proto_udplite.c netfilter: nf_ct_dccp/udplite: fix protocol registration error 2009-04-24 15:37:44 +02:00
nf_conntrack_proto.c netfilter: ctnetlink: add callbacks to the per-proto nlattrs 2009-03-25 18:24:48 +01:00
nf_conntrack_sane.c netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17 16:01:42 +01:00
nf_conntrack_sip.c netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17 16:01:42 +01:00
nf_conntrack_standalone.c netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu() 2009-03-25 21:05:46 +01:00
nf_conntrack_tftp.c netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17 16:01:42 +01:00
nf_internals.h
nf_log.c sysctl: remove "struct file *" argument of ->proc_handler 2009-09-24 07:21:04 -07:00
nf_queue.c netfilter: queue: use NFPROTO_ for queue callsites 2009-05-08 10:30:46 +02:00
nf_sockopt.c net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
nf_tproxy_core.c net: Partially allow skb destructors to be used on receive path 2009-02-04 16:55:27 -08:00
nfnetlink_log.c netfilter: remove unneccessary checks from netlink notifiers 2009-11-06 17:04:00 +01:00
nfnetlink_queue.c netfilter: remove unneccessary checks from netlink notifiers 2009-11-06 17:04:00 +01:00
nfnetlink.c netfilter: nfnetlink: constify message attributes and headers 2009-08-25 16:07:58 +02:00
x_tables.c mm: replace various uses of num_physpages by totalram_pages 2009-09-22 07:17:38 -07:00
xt_CLASSIFY.c
xt_cluster.c netfilter: fix some sparse endianess warnings 2009-06-22 14:15:02 +02:00
xt_comment.c
xt_connbytes.c
xt_connlimit.c netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu() 2009-03-25 21:05:46 +01:00
xt_connmark.c netfilter: xtables: remove xt_connmark v0 2009-08-10 12:25:12 +02:00
xt_CONNMARK.c netfilter: xtables: remove xt_CONNMARK v0 2009-08-10 12:25:11 +02:00
xt_CONNSECMARK.c
xt_conntrack.c netfilter: xtables: remove xt_conntrack v0 2009-08-10 13:09:44 +02:00
xt_dccp.c nf/dccp: merge errorpaths 2008-12-14 23:19:02 -08:00
xt_dscp.c netfilter: xtables: remove xt_TOS v0 2009-08-10 12:25:11 +02:00
xt_DSCP.c netfilter: xtables: remove xt_TOS v0 2009-08-10 12:25:11 +02:00
xt_esp.c
xt_hashlimit.c mm: replace various uses of num_physpages by totalram_pages 2009-09-22 07:17:38 -07:00
xt_helper.c
xt_hl.c netfilter: Combine ipt_ttl and ip6t_hl source 2009-02-18 18:39:31 +01:00
xt_HL.c netfilter: Combine ipt_TTL and ip6t_HL source 2009-02-18 18:38:40 +01:00
xt_iprange.c netfilter: xtables: remove xt_iprange v0 2009-08-10 13:09:44 +02:00
xt_LED.c netfilter: x_tables: add LED trigger target 2009-02-20 10:55:14 +01:00
xt_length.c
xt_limit.c netfilter: xtables: avoid pointer to self 2009-03-16 15:35:29 +01:00
xt_mac.c
xt_mark.c netfilter: xtables: remove xt_mark v0 2009-08-10 13:09:45 +02:00
xt_MARK.c netfilter: xtables: remove xt_MARK v0, v1 2009-08-10 12:25:12 +02:00
xt_multiport.c
xt_NFLOG.c netfilter: xt_NFLOG: don't call nf_log_packet in NFLOG module. 2008-11-04 14:21:08 +01:00
xt_NFQUEUE.c netfilter: fix some sparse endianess warnings 2009-06-22 14:15:02 +02:00
xt_NOTRACK.c
xt_osf.c netfilter: nfnetlink: constify message attributes and headers 2009-08-25 16:07:58 +02:00
xt_owner.c netfilter: xtables: remove xt_owner v0 2009-08-10 13:32:30 +02:00
xt_physdev.c netfilter: factorize ifname_compare() 2009-03-25 17:31:52 +01:00
xt_pkttype.c
xt_policy.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xt_quota.c netfilter: xt_quota: fix wrong return value (error case) 2009-08-23 19:09:23 -07:00
xt_rateest.c netfilter: xt_rateest: fix comparison with self 2009-06-22 14:17:12 +02:00
xt_RATEEST.c net: restore gnet_stats_basic to previous definition 2009-08-17 21:33:49 -07:00
xt_realm.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xt_recent.c netfilter: xt_recent: fix stack overread in compat code 2009-04-24 17:05:21 +02:00
xt_sctp.c netfilter: xt_sctp: sctp chunk mapping doesn't work 2009-02-09 14:34:56 -08:00
xt_SECMARK.c
xt_socket.c netfilter: xt_socket: make module available for INPUT chain 2009-10-29 15:35:10 +01:00
xt_state.c
xt_statistic.c netfilter: xtables: avoid pointer to self 2009-03-16 15:35:29 +01:00
xt_string.c
xt_tcpmss.c
xt_TCPMSS.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xt_TCPOPTSTRIP.c
xt_tcpudp.c
xt_time.c netfilter 08/09: xt_time: print timezone for user information 2009-01-12 21:18:36 -08:00
xt_TPROXY.c
xt_TRACE.c
xt_u32.c