From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: kadlec@netfilter.org, Florian Westphal <fw@strlen.de>
Subject: [PATCH nf-next 0/3] netfilter: conntrack: ignore overly delayed tcp packets
Date: Wed, 20 Jul 2022 19:52:25 +0200	[thread overview]
Message-ID: <20220720175228.17880-1-fw@strlen.de> (raw)

Consider following ruleset:
... ct state new accept
... ct state invalid drop

Normally a tcp receiver will reply with an ack once it receives
a delayed packet. Example:

+0.0001 < P. 1:1461(1460) ack 1 win 257
+.0 > . 1:1(0) ack 1461 win 65535
+0.0001 < P. 1461:2921(1460) ack 1 win 257
[..]
+0.0001 < P. 65701:67161(1460) ack 1 win 257
+.0 > . 1:1(0) ack 67161 win 65535 // all data received

// delayed packet, already acked
+0.0001 < P. 1:1461(1460) ack 1 win 257

// nf_ct_proto_6: SEQ is under the lower bound (already ACKed data retransmitted) IN=.. SEQ=1 ACK=4162510439 WINDOW=257 ACK PSHR
+.0 > . 1:1(0) ack 67161 win 65535

If the delayed packet is not dropped, the receiver can
immediately send another ack, but this doesn't happen if
INVALID packets are dropped by the ruleset (which is a common thing to do).

This changes conntrack to treat such packets as valid, with the
caveat that they will not extend the tcp timeout or cause state
changes.

Ideally we could augment state matching so that this decision
is pushed to the ruleset but so far I don't see how this could be done
with the limited space we have in sk_buff (except for yet another skb
extension, but that appears to be too much for such a narrow use case).

Florian Westphal (3):
  netfilter: conntrack: prepare tcp_in_window for ternary return value
  netfilter: conntrack: ignore overly delayed tcp packets
  netfilter: conntrack: remove unneeded indent level

 net/netfilter/nf_conntrack_proto_tcp.c | 208 ++++++++++++++-----------
 1 file changed, 116 insertions(+), 92 deletions(-)

-- 
2.35.1
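As an added illustration, not part of the patch series or of the kernel's code, here is a simplified Python model of the conntrack window check applied to the trace in the cover letter; the `Peer` update rules, the post-handshake values and the `ignore_delayed` switch are constructed approximations of the logic in nf_conntrack_proto_tcp.c, not its actual code.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    VALID = "valid"      # in window: tracking state updated, timeout refreshed
    IGNORE = "ignore"    # stale but harmless: forwarded, no state/timeout change
    INVALID = "invalid"  # out of window: what "ct state invalid drop" discards


@dataclass
class Peer:
    td_end: int      # highest seq+len this peer has sent
    td_maxend: int   # highest seq it may send (other side's ack + window)
    td_maxwin: int   # largest window it has advertised


def tcp_in_window(sender, receiver, seq, ack, length, win, ignore_delayed):
    """Classify a segment from sender to receiver (simplified conntrack model).
    ignore_delayed=False: behaviour before this series; True: after it."""
    end = seq + length
    # receive-window lower bound: the segment must reach beyond data the
    # receiver has already seen, allowing one receive window of slack
    in_recv_win = receiver.td_maxwin == 0 or end > sender.td_end - receiver.td_maxwin - 1
    under_upper = seq <= sender.td_maxend   # not beyond the receiver's window
    ack_ok = ack <= receiver.td_end         # not ACKing data never seen
    if under_upper and in_recv_win and ack_ok:
        sender.td_end = max(sender.td_end, end)
        sender.td_maxwin = max(sender.td_maxwin, win)
        receiver.td_maxend = max(receiver.td_maxend, ack + win)
        return Verdict.VALID
    if under_upper and not in_recv_win and ack_ok:
        # "SEQ is under the lower bound (already ACKed data retransmitted)"
        return Verdict.IGNORE if ignore_delayed else Verdict.INVALID
    return Verdict.INVALID


def replay(ignore_delayed):
    """Replay the cover letter's trace: 46 segments 1:1461 .. 65701:67161, each
    ACKed by the server, then the delayed retransmit of 1:1461. Returns the
    verdict for the delayed segment and the client's td_end afterwards."""
    # constructed post-handshake state: client advertises win 257, server 65535
    client = Peer(td_end=1, td_maxend=1 + 65535, td_maxwin=257)
    server = Peer(td_end=1, td_maxend=1 + 257, td_maxwin=65535)
    for i in range(46):
        seq = 1 + 1460 * i
        assert tcp_in_window(client, server, seq, 1, 1460, 257, ignore_delayed) is Verdict.VALID
        assert tcp_in_window(server, client, 1, seq + 1460, 0, 65535, ignore_delayed) is Verdict.VALID
    verdict = tcp_in_window(client, server, 1, 1, 1460, 257, ignore_delayed)
    return verdict, client.td_end  # td_end is unchanged by the stale segment
```

With the old behaviour the delayed segment is INVALID and a `ct state invalid drop` rule discards it; with the new behaviour it is IGNORE, so the ruleset forwards it and the receiver can re-ACK, while the tracked `td_end` stays at 67161 either way.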

