netfilter: nf_conntrack: allow server to become a client in TW handling
When a port that was used to listen for inbound connections gets closed and reused for outgoing connections (like rsh ends up doing for stderr flow), current we may reject the SYN/ACK packet for the new connection because tcp_conntracks states forbirds a port to become a client while there is still a TIME_WAIT entry in there for it. As TCP may expire the TIME_WAIT socket in 60s and conntrack's timeout for it is 120s, there is a ~60s window that the application can end up opening a port that conntrack will end up blocking. This patch fixes this by simply allowing such state transition: if we see a SYN, in TIME_WAIT state, on REPLY direction, move it to sSS. Note that the rest of the code already handles this situation, more specificly in tcp_packet(), first switch clause. Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
7c1c97d54f
commit
e37ad9fd63
|
@ -213,7 +213,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
|
||||||
{
|
{
|
||||||
/* REPLY */
|
/* REPLY */
|
||||||
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
|
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
|
||||||
/*syn*/ { sIV, sS2, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sS2 },
|
/*syn*/ { sIV, sS2, sIV, sIV, sIV, sIV, sIV, sSS, sIV, sS2 },
|
||||||
/*
|
/*
|
||||||
* sNO -> sIV Never reached.
|
* sNO -> sIV Never reached.
|
||||||
* sSS -> sS2 Simultaneous open
|
* sSS -> sS2 Simultaneous open
|
||||||
|
@ -223,7 +223,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
|
||||||
* sFW -> sIV
|
* sFW -> sIV
|
||||||
* sCW -> sIV
|
* sCW -> sIV
|
||||||
* sLA -> sIV
|
* sLA -> sIV
|
||||||
* sTW -> sIV Reopened connection, but server may not do it.
|
* sTW -> sSS Reopened connection, but server may have switched role
|
||||||
* sCL -> sIV
|
* sCL -> sIV
|
||||||
*/
|
*/
|
||||||
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
|
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
|
||||||
|
|
Loading…
Reference in New Issue