[PATCH] Fix broken RST handling in ip_conntrack

From: Martin Josefsson
Date: Sat Jan 01 2005 - 10:39:04 EST

Next message: Andreas Jellinghaus: "Re: initramfs: is it supposed to work?"
Previous message: Christoph Anton Mitterer: "problem with kernel bootparameters when using UDF fs support togetherwith XFS quotas"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Linus, Andrew
(Sending this mail to you since Davem is on vacation)

Here's a patch that fixes a pretty serious bug introduced by a recent
"bugfix". The problem is that RST packets are ignored if they follow an
ACK packet, this means that the timeout of the connection isn't
decreased, so we get lots of old connections lingering around until the
timeout expires, the default timeout for state ESTABLISHED is 5 days.

This needs to go into -bk as soon as possible. The bug is present in
2.6.10 as well.

--- linux-2.6.10-rc3-bk14/net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig 2004-12-30 19:48:33.000000000 +0100
+++ linux-2.6.10-rc3-bk14/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2004-12-30 19:49:46.000000000 +0100
@@ -906,7 +906,8 @@ static int tcp_packet(struct ip_conntrac
if (index == TCP_RST_SET
&& ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
&& conntrack->proto.tcp.last_index <= TCP_SYNACK_SET)
- || conntrack->proto.tcp.last_index == TCP_ACK_SET)
+ || (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
+ && conntrack->proto.tcp.last_index == TCP_ACK_SET))
&& after(ntohl(th->ack_seq),
conntrack->proto.tcp.last_seq)) {
/* Ignore RST closing down invalid SYN or ACK

--
/Martin

Attachment: signature.asc
Description: This is a digitally signed message part

Next message: Andreas Jellinghaus: "Re: initramfs: is it supposed to work?"
Previous message: Christoph Anton Mitterer: "problem with kernel bootparameters when using UDF fs support togetherwith XFS quotas"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]