From patchwork Mon Jul 27 22:53:26 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 500883
X-Patchwork-Delegate: davem@davemloft.net
From: Phil Sutter
To: pablo@netfilter.org
Cc: netdev@vger.kernel.org
Subject: [PATCH] netfilter: ipt_SYNPROXY: fix sending window update to client
Date: Tue, 28 Jul 2015 00:53:26 +0200
Message-Id: <1438037606-5462-1-git-send-email-phil@nwl.cc>
X-Mailer: git-send-email 2.1.2
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Upon receipt of SYNACK from the server, ipt_SYNPROXY first sends back an ACK to finish the server handshake, then calls nf_ct_seqadj_init() to initiate sequence number adjustment of forwarded packets to the client and finally sends a window update to the client to unblock its TX queue.

Since synproxy_send_client_ack() does not set synproxy_send_tcp()'s nfct parameter, no sequence number adjustment happens and the client receives the window update with incorrect sequence number. Depending on client TCP implementation, this leads to a significant delay (until a window probe is being sent).

Signed-off-by: Phil Sutter
--- net/ipv4/netfilter/ipt_SYNPROXY.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c index fe8cc18..95ea633e 100644 --- a/net/ipv4/netfilter/ipt_SYNPROXY.c +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c @@ -226,7 +226,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet, synproxy_build_options(nth, opts); - synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size); + synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY, + niph, nth, tcp_hdr_size); } static bool
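
Review bot: the new call in synproxy_send_client_ack() hardcodes IP_CT_ESTABLISHED_REPLY and relies on skb->nfct already having sequence adjustment set up by nf_ct_seqadj_init(), but nothing at the call site says so. A short comment above `synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,` stating that the window update to the client must pass through sequence number adjustment, and that this is why the conntrack is attached here, would keep a later cleanup from reverting the arguments to `NULL, 0`. The diffstat touches only net/ipv4/netfilter/ipt_SYNPROXY.c, so any other caller that sends to the client with `NULL, 0` after the adjustment is initialised deserves the same check. Since the message describes a client-visible delay, a Fixes: tag naming the commit that introduced the call would also help backporting.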