From patchwork Sat Aug 10 00:21:27 2013
X-Patchwork-Submitter: Yuchung Cheng
X-Patchwork-Id: 266179
From: Yuchung Cheng
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org, edumazet@google.com, Yuchung Cheng
Subject: [PATCH] netfilter: nf_conntrack: fix tcp_in_window for Fast Open
Date: Fri, 9 Aug 2013 17:21:27 -0700
Message-Id: <1376094087-17700-1-git-send-email-ycheng@google.com>

Currently the conntrack checks if the ending sequence of a packet falls within the observed receive window. However, it does so even if it has not observed any packet from the remote yet and uses an uninitialized receive window (td_maxwin).

If a connection uses Fast Open to send a SYN-data packet which is dropped afterward in the network, the subsequent SYN retransmits will all fail this check and be discarded, leading to a connection timeout. This is because the SYN retransmit does not contain data payload, so

  end == initial sequence number (isn) + 1
  sender->td_end == isn + syn_data_len
  receiver->td_maxwin == 0

The fix is to only apply this check after td_maxwin is initialized.

Reported-by: Michael Chan
Signed-off-by: Yuchung Cheng
Acked-by: Eric Dumazet
Acked-by: Jozsef Kadlecsik
---
 net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 4d4d8f1..e0f9a32 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -526,7 +526,7 @@ static bool tcp_in_window(const struct nf_conn *ct, const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple; __u32 seq, ack, sack, end, win, swin; s16 receiver_offset; - bool res; + bool res, in_recv_win; /* * Get the required data from the packet. 
@@ -649,14 +649,18 @@ static bool tcp_in_window(const struct nf_conn *ct, receiver->td_end, receiver->td_maxend, receiver->td_maxwin, receiver->td_scale); + /* Is the ending sequence in the receive window (if available)? */ + in_recv_win = !receiver->td_maxwin || + after(end, sender->td_end - receiver->td_maxwin - 1); + pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n", before(seq, sender->td_maxend + 1), - after(end, sender->td_end - receiver->td_maxwin - 1), + (in_recv_win ? 1 : 0), before(sack, receiver->td_end + 1), after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)); if (before(seq, sender->td_maxend + 1) && - after(end, sender->td_end - receiver->td_maxwin - 1) && + in_recv_win && before(sack, receiver->td_end + 1) && after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) { /* @@ -725,7 +729,7 @@ static bool tcp_in_window(const struct nf_conn *ct, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "nf_ct_tcp: %s ", before(seq, sender->td_maxend + 1) ? - after(end, sender->td_end - receiver->td_maxwin - 1) ? + in_recv_win ? before(sack, receiver->td_end + 1) ? after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG" : "ACK is under the lower bound (possible overly delayed ACK)"
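Review bot: in the second hunk (@@ -649,14 +649,18 @@) the new `in_recv_win = !receiver->td_maxwin || after(end, sender->td_end - receiver->td_maxwin - 1)` uses td_maxwin == 0 as a sentinel for "no packet from the receiver seen yet" and then accepts any end, which is what the commit message describes, but the comment "(if available)" does not say so; spell it out, e.g. "receiver->td_maxwin stays 0 until a packet from the receiver has been seen; skip the window check until then", because a reader of the condition alone cannot tell whether 0 is a sentinel or an advertised zero window, and the commit message should state that td_maxwin cannot stay 0 once the receiver has been seen, otherwise the relaxed test would also apply to such a connection. Minor: `II=%i` in the pr_debug now prints in_recv_win rather than the raw after() result, so a 1 there no longer means the window comparison was actually evaluated.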
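Review bot: in the third hunk (@@ -725,7 +729,7 @@) the nf_log_packet ternary chain now branches on `in_recv_win ?`, so the message logged when that test fails is only reached once td_maxwin is non-zero; the string for that branch is not visible in this hunk and should be checked to make sure it still reads as a sequence-window failure (the sibling "ACK is under the lower bound (possible overly delayed ACK)" shows the expected wording) rather than describing the raw after() comparison.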
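The failing check from the commit message, worked through as an added example (not code from the patch or from the kernel): a stand-alone C model of the pre-patch and patched window test, using the same modulo-2^32 comparison as the kernel's before()/after() helpers. The td_end/td_maxwin fields are passed as plain values rather than through struct ip_ct_tcp_state, and the isn and syn_data_len values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modulo-2^32 sequence comparisons, defined the same way as the kernel's
 * before()/after() helpers: a is before b if (a - b) is negative as s32. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static bool seq_after(uint32_t a, uint32_t b)  { return seq_before(b, a); }

/* The window check on its own, with the fields tcp_in_window reads passed
 * in directly (a constructed model, not the kernel's struct ip_ct_tcp_state).
 * patched == false: the pre-patch test, evaluated even when td_maxwin is 0.
 * patched == true:  the patch's in_recv_win, skipped until td_maxwin is set. */
static bool in_recv_win(bool patched, uint32_t end, uint32_t sender_td_end,
                        uint32_t receiver_td_maxwin)
{
    if (patched && receiver_td_maxwin == 0)
        return true; /* receiver not observed yet: nothing to compare against */
    return seq_after(end, sender_td_end - receiver_td_maxwin - 1);
}

/* Scenario from the commit message: a Fast Open SYN carrying syn_data_len
 * bytes is tracked, then lost; the retransmitted SYN carries no payload, so
 * end == isn + 1 while sender->td_end == isn + syn_data_len, and the receiver,
 * never seen, still has td_maxwin == 0. Returns true if the retransmit passes. */
static bool syn_retransmit_passes(bool patched, uint32_t isn, uint32_t syn_data_len)
{
    return in_recv_win(patched, isn + 1, isn + syn_data_len, 0);
}

int main(void)
{
    uint32_t isn = 0xfffffff0u; /* constructed ISN close to the 2^32 wrap */

    printf("plain SYN retransmit:        old=%d new=%d\n",
           syn_retransmit_passes(false, isn, 0), syn_retransmit_passes(true, isn, 0));
    printf("SYN-data(100) retransmit:    old=%d new=%d\n",
           syn_retransmit_passes(false, isn, 100), syn_retransmit_passes(true, isn, 100));
    /* Once the receiver's window is known, both versions behave identically. */
    printf("window known, in-window seg: old=%d new=%d\n",
           in_recv_win(false, isn + 1, isn + 100, 65535),
           in_recv_win(true, isn + 1, isn + 100, 65535));
    return 0;
}
```

A plain SYN retransmit passes both versions; only the retransmit of a SYN that carried data trips the old test, which is exactly the Fast Open case.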