From patchwork Thu Oct 20 09:00:49 2016
X-Patchwork-Submitter: Arturo Borrero Gonzalez
X-Patchwork-Id: 684522
X-Patchwork-Delegate: pablo@netfilter.org
Subject: [RFC nf-next PATCH] netfilter: nf_conntrack_proto_tcp: propagate IP_CT_TCP_FLAG_BE_LIBERAL
From: Arturo Borrero Gonzalez
To: netfilter-devel@vger.kernel.org
Date: Thu, 20 Oct 2016 11:00:49 +0200
Message-ID: <147695370184.31999.2434286995020619745.stgit@nfdev2.cica.es>
User-Agent: StGit/0.17.1-dirty
X-Mailing-List: netfilter-devel@vger.kernel.org

According to Mathew Heard, the IP_CT_TCP_FLAG_BE_LIBERAL is not being
propagated properly while using userspace conntrackd to replicate
connection states in a firewall cluster.

This change modifies the behaviour of the engine to always be liberal
in the reply direction if we were liberal in the original direction
as well.

More info in the Netfilter bugzilla:
https://bugzilla.netfilter.org/show_bug.cgi?id=1087

Suggested-by: Mathew Heard
Signed-off-by: Arturo Borrero Gonzalez
---

RFC: I don't fully understand this patch.

Specifically, I don't understand why this can't be done from userspace,
in conntrackd, when creating/updating synced conntracks. We could just
set the new/updated conntrack with the flags we want, couldn't we?

Also, I don't fully understand the consequences of doing this flags
change in the middle of tcp_packet().

So, please, review the patch and give us comments.

 net/netfilter/nf_conntrack_proto_tcp.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 69f6877..ed16acf 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -835,6 +835,13 @@ static int tcp_packet(struct nf_conn *ct, new_state = tcp_conntracks[dir][index][old_state]; tuple = &ct->tuplehash[dir].tuple; + /* if we are liberal in one direction, so be it in the other */ + if (ct->proto.tcp.seen[IP_CT_DIR_ORIGINAL].flags & + IP_CT_TCP_FLAG_BE_LIBERAL) { + ct->proto.tcp.seen[IP_CT_DIR_REPLY].flags |= + IP_CT_TCP_FLAG_BE_LIBERAL; + } + switch (new_state) { case TCP_CONNTRACK_SYN_SENT: if (old_state < TCP_CONNTRACK_TIME_WAIT)
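Review bot: The propagation is one-way (IP_CT_DIR_ORIGINAL into IP_CT_DIR_REPLY) while the added comment says "if we are liberal in one direction, so be it in the other"; either test `seen[IP_CT_DIR_REPLY].flags` as well and OR the flag into both directions, or reword the comment to say that the reply direction inherits the flag from the original direction. The check also sits in the per-packet path of tcp_packet(), just before `switch (new_state)`, so it re-evaluates on every segment a property that only changes when the conntrack's flags are written; setting the reply flag once at the point where the flags are created or updated (the ctnetlink path that conntrackd uses, which the RFC note itself proposes) would avoid the per-packet cost and the open question about changing state mid-tcp_packet(). Finally, the commit message should state the effect: with IP_CT_TCP_FLAG_BE_LIBERAL set, out-of-window segments are accepted instead of being rejected by the window check, so this change relaxes TCP window tracking for the reply direction of every connection whose original direction carries the flag, and reviewers should be told that this is the intended trade-off for synced connections.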