提交 4d3383d0 编写于 作者: D David S. Miller
...@@ -35,6 +35,9 @@ enum tcp_conntrack { ...@@ -35,6 +35,9 @@ enum tcp_conntrack {
/* Has unacknowledged data */ /* Has unacknowledged data */
#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10 #define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10
/* The field td_maxack has been set */
#define IP_CT_TCP_FLAG_MAXACK_SET 0x20
struct nf_ct_tcp_flags { struct nf_ct_tcp_flags {
__u8 flags; __u8 flags;
__u8 mask; __u8 mask;
...@@ -46,6 +49,7 @@ struct ip_ct_tcp_state { ...@@ -46,6 +49,7 @@ struct ip_ct_tcp_state {
u_int32_t td_end; /* max of seq + len */ u_int32_t td_end; /* max of seq + len */
u_int32_t td_maxend; /* max of ack + max(win, 1) */ u_int32_t td_maxend; /* max of ack + max(win, 1) */
u_int32_t td_maxwin; /* max(win) */ u_int32_t td_maxwin; /* max(win) */
u_int32_t td_maxack; /* max of ack */
u_int8_t td_scale; /* window scale factor */ u_int8_t td_scale; /* window scale factor */
u_int8_t flags; /* per direction options */ u_int8_t flags; /* per direction options */
}; };
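Review bot: The new `td_maxack` field on line 14 is only meaningful while IP_CT_TCP_FLAG_MAXACK_SET is set in the per-direction `flags` byte, but its comment does not say so; suggest `u_int32_t td_maxack; /* max of ack; valid only if IP_CT_TCP_FLAG_MAXACK_SET */`. The same `flags` byte is also the one carried by struct nf_ct_tcp_flags (lines 7–9), so if that structure allows userspace to write bits under `mask` — not visible here — a caller could set the new bit without a consistent td_maxack; confirm the bit is excluded there, or document that it is kernel-internal.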
...@@ -22,6 +22,7 @@ ...@@ -22,6 +22,7 @@
#include <linux/netfilter/nfnetlink_conntrack.h> #include <linux/netfilter/nfnetlink_conntrack.h>
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_l4proto.h> #include <net/netfilter/nf_conntrack_l4proto.h>
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_log.h> #include <net/netfilter/nf_log.h>
static DEFINE_RWLOCK(dccp_lock); static DEFINE_RWLOCK(dccp_lock);
...@@ -553,6 +554,9 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, ...@@ -553,6 +554,9 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
ct->proto.dccp.state = new_state; ct->proto.dccp.state = new_state;
write_unlock_bh(&dccp_lock); write_unlock_bh(&dccp_lock);
if (new_state != old_state)
nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
dn = dccp_pernet(net); dn = dccp_pernet(net);
nf_ct_refresh_acct(ct, ctinfo, skb, dn->dccp_timeout[new_state]); nf_ct_refresh_acct(ct, ctinfo, skb, dn->dccp_timeout[new_state]);
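Review bot: The transition check on line 29 has no comment explaining why the event is cached only on a state change, and why it sits after `write_unlock_bh(&dccp_lock)`; suggest adding above it `/* Notify ctnetlink listeners (IPCT_PROTOINFO) only when the DCCP state actually changed */`. Comparing the two locals after the unlock is fine provided `old_state` was captured under the lock, which happens before this hunk. dccp_packet begins outside the hunk.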
...@@ -634,6 +634,14 @@ static bool tcp_in_window(const struct nf_conn *ct, ...@@ -634,6 +634,14 @@ static bool tcp_in_window(const struct nf_conn *ct,
sender->td_end = end; sender->td_end = end;
sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED; sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
} }
if (tcph->ack) {
if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) {
sender->td_maxack = ack;
sender->flags |= IP_CT_TCP_FLAG_MAXACK_SET;
} else if (after(ack, sender->td_maxack))
sender->td_maxack = ack;
}
/* /*
* Update receiver data. * Update receiver data.
*/ */
...@@ -918,6 +926,16 @@ static int tcp_packet(struct nf_conn *ct, ...@@ -918,6 +926,16 @@ static int tcp_packet(struct nf_conn *ct,
"nf_ct_tcp: invalid state "); "nf_ct_tcp: invalid state ");
return -NF_ACCEPT; return -NF_ACCEPT;
case TCP_CONNTRACK_CLOSE: case TCP_CONNTRACK_CLOSE:
if (index == TCP_RST_SET
&& (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
&& before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
/* Invalid RST */
write_unlock_bh(&tcp_lock);
if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
"nf_ct_tcp: invalid RST ");
return -NF_ACCEPT;
}
if (index == TCP_RST_SET if (index == TCP_RST_SET
&& ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status) && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
&& ct->proto.tcp.last_index == TCP_SYN_SET) && ct->proto.tcp.last_index == TCP_SYN_SET)
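Review bot: The new RST filter on lines 52–61 carries no comment stating the invariant it enforces, and the three-part condition is dense enough to need one; suggest placing above line 52: `/* A RST must not carry a seq below the highest ACK the peer has sent (the other direction's td_maxack): that data was already acknowledged, so such a RST is stale or forged. Connections picked up mid-stream with no ACK seen yet are exempt via IP_CT_TCP_FLAG_MAXACK_SET. */`. Because the check is gated on the peer's flag, a connection whose observed packets have not yet included an ACK from the peer still accepts such a RST until one is seen — acceptable, but worth stating next to the code. The `td_maxack` update in tcp_in_window (lines 38–44) appears to sit in the branch that also advances `td_end`, so presumably only in-window segments feed it; confirm, since the RST check relies on that. tcp_packet begins before and continues after this hunk.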
...@@ -581,6 +581,12 @@ nfulnl_log_packet(u_int8_t pf, ...@@ -581,6 +581,12 @@ nfulnl_log_packet(u_int8_t pf,
+ nla_total_size(sizeof(struct nfulnl_msg_packet_hw)) + nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
+ nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp)); + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
if (in && skb_mac_header_was_set(skb)) {
size += nla_total_size(skb->dev->hard_header_len)
+ nla_total_size(sizeof(u_int16_t)) /* hwtype */
+ nla_total_size(sizeof(u_int16_t)); /* hwlen */
}
spin_lock_bh(&inst->lock); spin_lock_bh(&inst->lock);
if (inst->flags & NFULNL_CFG_F_SEQ) if (inst->flags & NFULNL_CFG_F_SEQ)
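Review bot: The guard on line 69 tests `in`, but the length on line 70 is read through `skb->dev`, which nothing in the hunk shows to be non-NULL or the same device as `in`; either check it explicitly, `if (in && skb->dev && skb_mac_header_was_set(skb)) {`, or take the length from `in`. Whichever predicate is chosen must match the one the message builder uses when it emits the hwtype/hwlen/header attributes, otherwise the size estimate can be short and the attribute put will fail after the message skb has been allocated. nfulnl_log_packet begins before and continues after this hunk.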
...@@ -926,7 +926,7 @@ static int dl_seq_show(struct seq_file *s, void *v) ...@@ -926,7 +926,7 @@ static int dl_seq_show(struct seq_file *s, void *v)
if (!hlist_empty(&htable->hash[*bucket])) { if (!hlist_empty(&htable->hash[*bucket])) {
hlist_for_each_entry(ent, pos, &htable->hash[*bucket], node) hlist_for_each_entry(ent, pos, &htable->hash[*bucket], node)
if (dl_seq_real_show(ent, htable->family, s)) if (dl_seq_real_show(ent, htable->family, s))
return 1; return -1;
} }
return 0; return 0;
} }
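Review bot: The `return -1;` on line 81 has no comment explaining why the value changed, and the reason is non-obvious: a positive 1 is SEQ_SKIP, which makes seq_file silently drop the entry rather than report a full buffer. I'd add `/* buffer full: must not be 1 (SEQ_SKIP would silently drop the entry) */` beside it. Note that a bare -1 is also -EPERM if seq_read ever hands a negative show() result back to read(2) as an errno; returning 0 after the overflow and letting seq_file detect the full buffer and retry is the more conventional shape, but I am inferring seq_read's handling, so confirm against the seq_file code. dl_seq_show begins before this hunk.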