From patchwork Tue Apr 20 12:24:15 2021
X-Patchwork-Submitter: Ali Abdallah
X-Patchwork-Id: 1468313
X-Patchwork-Delegate: pablo@netfilter.org
Date: Tue, 20 Apr 2021 14:24:15 +0200
From: Ali Abdallah
To: netfilter-devel@vger.kernel.org
Subject: [PATCH] netfilter: conntrack: Reset the max ACK flag on SYN in ignore state
Message-ID: <20210420122415.v2jtayiw3n4ds7t7@Fryzen495>

In ignore state, we let SYN go in original, the server might respond with RST/ACK, and that RST packet is erroneously dropped because of the flag IP_CT_TCP_FLAG_MAXACK_SET being already set.

Signed-off-by: Ali Abdallah
Acked-by: Florian Westphal

--- net/netfilter/nf_conntrack_proto_tcp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index ec23330687a5..02fab7a8ec92 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -963,6 +963,10 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, ct->proto.tcp.last_flags = ct->proto.tcp.last_wscale = 0; + /* Reset the max ack flag so in case the server replies + * with RST/ACK it will not be marked as an invalid rst. + */ + ct->proto.tcp.seen[dir].flags &= ~IP_CT_TCP_FLAG_MAXACK_SET; tcp_options(skb, dataoff, th, &seen); if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) { ct->proto.tcp.last_flags |=
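Review bot: The comment added above `ct->proto.tcp.seen[dir].flags &= ~IP_CT_TCP_FLAG_MAXACK_SET;` speaks of the server's RST/ACK, but the statement clears the flag on `seen[dir]`, the direction of the SYN being handled, and nothing in the comment connects the two. Suggest wording it so the reader sees that the flag already set on the SYN sender's direction is what causes the answering RST to be rejected, for example "Clear MAXACK_SET already set for this direction, so an RST/ACK answering this SYN is not marked as an invalid rst." The commit message would also benefit from a sentence on how the flag comes to be set before the ignored SYN arrives, and from a Fixes: tag if a specific commit introduced the behaviour.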