diff options
author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2008-06-30 12:41:30 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-06-30 12:41:30 -0700 |
commit | 84ebe1cdae56707b9aa1b40ae5aa7d817ba745f5 (patch) | |
tree | d325c80abe018baac9cd492a76d38b998ae87d4c /lib/ratelimit.c | |
parent | d420895efb259a78dda50f95289571faa6e10e41 (diff) |
netfilter: nf_conntrack_tcp: fixing to check the lower bound of valid ACK
Lost connections was reported by Thomas Bätzler (running 2.6.25 kernel) on
the netfilter mailing list (see the thread "Weird nat/conntrack Problem
with PASV FTP upload"). He provided tcpdump recordings which helped to
find a long lingering bug in conntrack.
In TCP connection tracking, checking the lower bound of valid ACK could
lead to mark valid packets as INVALID because:
- We have got a "higher or equal" inequality, but the test checked
the "higher" condition only; fixed.
- If the packet contains a SACK option, it could occur that the ACK
value was before the left edge of our (S)ACK "window": if a previous
packet from the other party intersected the right edge of the window
of the receiver, we could move forward the window parameters beyond
accepting a valid ack. Therefore in this patch we check the rightmost
SACK edge instead of the ACK value in the lower bound of valid (S)ACK
test.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'lib/ratelimit.c')
0 files changed, 0 insertions, 0 deletions