1 /* (C) 1999-2001 Paul `Rusty' Russell
2 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>:
9 * - Real stateful connection tracking
10 * - Modified state transitions table
11 * - Window scaling support added
12 * - SACK support added
15 * - State table bugfixes
16 * - More robust state changes
17 * - Tuning timer parameters
22 #include <linux/config.h>
23 #include <linux/types.h>
24 #include <linux/sched.h>
25 #include <linux/timer.h>
26 #include <linux/netfilter.h>
27 #include <linux/module.h>
30 #include <linux/tcp.h>
31 #include <linux/spinlock.h>
35 #include <linux/netfilter.h>
36 #include <linux/netfilter_ipv4.h>
37 #include <linux/netfilter_ipv4/ip_conntrack.h>
38 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
39 #include <linux/netfilter_ipv4/lockhelp.h>
45 #define DEBUGP(format, args...)
48 /* Protects conntrack->proto.tcp */
49 static DECLARE_RWLOCK(tcp_lock);
51 /* "Be conservative in what you do,
52 be liberal in what you accept from others."
53 If it's non-zero, we mark only out of window RST segments as INVALID. */
54 int ip_ct_tcp_be_liberal = 0;
56 /* When connection is picked up from the middle, how many packets are required
57 to pass in each direction when we assume we are in sync - if any side uses
58 window scaling, we lost the game.
59 If it is set to zero, we disable picking up already established
61 int ip_ct_tcp_loose = 3;
63 /* Max number of the retransmitted packets without receiving an (acceptable)
64 ACK from the destination. If this number is reached, a shorter timer
66 int ip_ct_tcp_max_retrans = 3;
68 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
69 closely. They're more complex. --RR */
71 static const char *tcp_conntrack_names[] = {
85 #define MINS * 60 SECS
86 #define HOURS * 60 MINS
87 #define DAYS * 24 HOURS
89 unsigned long ip_ct_tcp_timeout_syn_sent = 2 MINS;
90 unsigned long ip_ct_tcp_timeout_syn_recv = 60 SECS;
92 unsigned long ip_ct_tcp_timeout_established = 5U DAYS;
94 unsigned long ip_ct_tcp_timeout_established = 2U DAYS;
96 unsigned long ip_ct_tcp_timeout_fin_wait = 2 MINS;
97 unsigned long ip_ct_tcp_timeout_close_wait = 60 SECS;
98 unsigned long ip_ct_tcp_timeout_last_ack = 30 SECS;
99 unsigned long ip_ct_tcp_timeout_time_wait = 2 MINS;
100 unsigned long ip_ct_tcp_timeout_close = 10 SECS;
102 /* RFC1122 says the R2 limit should be at least 100 seconds.
103 Linux uses 15 packets as limit, which corresponds
104 to ~13-30min depending on RTO. */
105 unsigned long ip_ct_tcp_timeout_max_retrans = 5 MINS;
107 static unsigned long * tcp_timeouts[]
108 = { NULL, /* TCP_CONNTRACK_NONE */
109 &ip_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */
110 &ip_ct_tcp_timeout_syn_recv, /* TCP_CONNTRACK_SYN_RECV, */
111 &ip_ct_tcp_timeout_established, /* TCP_CONNTRACK_ESTABLISHED, */
112 &ip_ct_tcp_timeout_fin_wait, /* TCP_CONNTRACK_FIN_WAIT, */
113 &ip_ct_tcp_timeout_close_wait, /* TCP_CONNTRACK_CLOSE_WAIT, */
114 &ip_ct_tcp_timeout_last_ack, /* TCP_CONNTRACK_LAST_ACK, */
115 &ip_ct_tcp_timeout_time_wait, /* TCP_CONNTRACK_TIME_WAIT, */
116 &ip_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */
117 NULL, /* TCP_CONNTRACK_LISTEN */
120 #define sNO TCP_CONNTRACK_NONE
121 #define sSS TCP_CONNTRACK_SYN_SENT
122 #define sSR TCP_CONNTRACK_SYN_RECV
123 #define sES TCP_CONNTRACK_ESTABLISHED
124 #define sFW TCP_CONNTRACK_FIN_WAIT
125 #define sCW TCP_CONNTRACK_CLOSE_WAIT
126 #define sLA TCP_CONNTRACK_LAST_ACK
127 #define sTW TCP_CONNTRACK_TIME_WAIT
128 #define sCL TCP_CONNTRACK_CLOSE
129 #define sLI TCP_CONNTRACK_LISTEN
130 #define sIV TCP_CONNTRACK_MAX
131 #define sIG TCP_CONNTRACK_IGNORE
133 /* What TCP flags are set from RST/SYN/FIN/ACK. */
144 * The TCP state transition table needs a few words...
146 * We are the man in the middle. All the packets go through us
147 * but might get lost in transit to the destination.
148 * It is assumed that the destinations can't receive segments
151 * The checked segment is in window, but our windows are *not*
152 * equivalent with the ones of the sender/receiver. We always
153 * try to guess the state of the current sender.
155 * The meaning of the states are:
157 * NONE: initial state
158 * SYN_SENT: SYN-only packet seen
159 * SYN_RECV: SYN-ACK packet seen
160 * ESTABLISHED: ACK packet seen
161 * FIN_WAIT: FIN packet seen
162 * CLOSE_WAIT: ACK seen (after FIN)
163 * LAST_ACK: FIN seen (after FIN)
164 * TIME_WAIT: last ACK seen
165 * CLOSE: closed connection
167 * LISTEN state is not used.
169 * Packets marked as IGNORED (sIG):
170 * if they may be either invalid or valid
171 * and the receiver may send back a connection
172 * closing RST or a SYN/ACK.
174 * Packets marked as INVALID (sIV):
175 * if they are invalid
176 * or we do not support the request (simultaneous open)
178 static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
181 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
182 /*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sIV },
184 * sNO -> sSS Initialize a new connection
185 * sSS -> sSS Retransmitted SYN
186 * sSR -> sIG Late retransmitted SYN?
187 * sES -> sIG Error: SYNs in window outside the SYN_SENT state
188 * are errors. Receiver will reply with RST
189 * and close the connection.
190 * Or we are not in sync and hold a dead connection.
194 * sTW -> sSS Reopened connection (RFC 1122).
197 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
198 /*synack*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV },
200 * A SYN/ACK from the client is always invalid:
201 * - either it tries to set up a simultaneous open, which is
203 * - or the firewall has just been inserted between the two hosts
204 * during the session set-up. The SYN will be retransmitted
205 * by the true client (or it'll time out).
207 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
208 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
210 * sNO -> sIV Too late and no reason to do anything...
211 * sSS -> sIV Client migth not send FIN in this state:
212 * we enforce waiting for a SYN/ACK reply first.
213 * sSR -> sFW Close started.
215 * sFW -> sLA FIN seen in both directions, waiting for
217 * Migth be a retransmitted FIN as well...
219 * sLA -> sLA Retransmitted FIN. Remain in the same state.
223 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
224 /*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
226 * sNO -> sES Assumed.
227 * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet.
228 * sSR -> sES Established state is reached.
230 * sFW -> sCW Normal close request answered by ACK.
232 * sLA -> sTW Last ACK detected.
233 * sTW -> sTW Retransmitted last ACK. Remain in the same state.
236 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
237 /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV },
238 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
242 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
243 /*syn*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV },
245 * sNO -> sIV Never reached.
246 * sSS -> sIV Simultaneous open, not supported
247 * sSR -> sIV Simultaneous open, not supported.
248 * sES -> sIV Server may not initiate a connection.
252 * sTW -> sIV Reopened connection, but server may not do it.
255 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
256 /*synack*/ { sIV, sSR, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sIV },
258 * sSS -> sSR Standard open.
259 * sSR -> sSR Retransmitted SYN/ACK.
260 * sES -> sIG Late retransmitted SYN/ACK?
267 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
268 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
270 * sSS -> sIV Server might not send FIN in this state.
271 * sSR -> sFW Close started.
273 * sFW -> sLA FIN seen in both directions.
275 * sLA -> sLA Retransmitted FIN.
279 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
280 /*ack*/ { sIV, sIG, sIV, sES, sCW, sCW, sTW, sTW, sCL, sIV },
282 * sSS -> sIG Might be a half-open connection.
283 * sSR -> sIV Simultaneous open.
285 * sFW -> sCW Normal close request answered by ACK.
287 * sLA -> sTW Last ACK detected.
288 * sTW -> sTW Retransmitted last ACK.
291 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
292 /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV },
293 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
297 static int tcp_pkt_to_tuple(const struct sk_buff *skb,
298 unsigned int dataoff,
299 struct ip_conntrack_tuple *tuple)
301 struct tcphdr _hdr, *hp;
303 /* Actually only need first 8 bytes. */
304 hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
308 tuple->src.u.tcp.port = hp->source;
309 tuple->dst.u.tcp.port = hp->dest;
314 static int tcp_invert_tuple(struct ip_conntrack_tuple *tuple,
315 const struct ip_conntrack_tuple *orig)
317 tuple->src.u.tcp.port = orig->dst.u.tcp.port;
318 tuple->dst.u.tcp.port = orig->src.u.tcp.port;
322 /* Print out the per-protocol part of the tuple. */
323 static int tcp_print_tuple(struct seq_file *s,
324 const struct ip_conntrack_tuple *tuple)
326 return seq_printf(s, "sport=%hu dport=%hu ",
327 ntohs(tuple->src.u.tcp.port),
328 ntohs(tuple->dst.u.tcp.port));
331 /* Print out the private part of the conntrack. */
332 static int tcp_print_conntrack(struct seq_file *s,
333 const struct ip_conntrack *conntrack)
335 enum tcp_conntrack state;
337 READ_LOCK(&tcp_lock);
338 state = conntrack->proto.tcp.state;
339 READ_UNLOCK(&tcp_lock);
341 return seq_printf(s, "%s ", tcp_conntrack_names[state]);
344 static unsigned int get_conntrack_index(const struct tcphdr *tcph)
346 if (tcph->rst) return TCP_RST_SET;
347 else if (tcph->syn) return (tcph->ack ? TCP_SYNACK_SET : TCP_SYN_SET);
348 else if (tcph->fin) return TCP_FIN_SET;
349 else if (tcph->ack) return TCP_ACK_SET;
350 else return TCP_NONE_SET;
353 /* TCP connection tracking based on 'Real Stateful TCP Packet Filtering
354 in IP Filter' by Guido van Rooij.
356 http://www.nluug.nl/events/sane2000/papers.html
357 http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz
359 The boundaries and the conditions are slightly changed:
361 td_maxend = max(sack + max(win,1)) seen in reply packets
362 td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets
363 td_end = max(seq + len) seen in sent packets
365 I. Upper bound for valid data: seq + len <= sender.td_maxend
366 II. Lower bound for valid data: seq >= sender.td_end - receiver.td_maxwin
367 III. Upper bound for valid ack: sack <= receiver.td_end
368 IV. Lower bound for valid ack: ack >= receiver.td_end - MAXACKWINDOW
370 where sack is the highest right edge of sack block found in the packet.
372 The upper bound limit for a valid ack is not ignored -
373 we doesn't have to deal with fragments.
376 static inline __u32 segment_seq_plus_len(__u32 seq,
381 return (seq + len - (iph->ihl + tcph->doff)*4
382 + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0));
385 /* Fixme: what about big packets? */
386 #define MAXACKWINCONST 66000
387 #define MAXACKWINDOW(sender) \
388 ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \
392 * Simplified tcp_parse_options routine from tcp_input.c
394 static void tcp_options(const struct sk_buff *skb,
397 struct ip_ct_tcp_state *state)
399 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
401 int length = (tcph->doff*4) - sizeof(struct tcphdr);
406 ptr = skb_header_pointer(skb,
407 (iph->ihl * 4) + sizeof(struct tcphdr),
421 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
426 if (opsize < 2) /* "silly options" */
429 break; /* don't parse partial options */
431 if (opcode == TCPOPT_SACK_PERM
432 && opsize == TCPOLEN_SACK_PERM)
433 state->flags |= IP_CT_TCP_FLAG_SACK_PERM;
434 else if (opcode == TCPOPT_WINDOW
435 && opsize == TCPOLEN_WINDOW) {
436 state->td_scale = *(u_int8_t *)ptr;
438 if (state->td_scale > 14) {
440 state->td_scale = 14;
443 IP_CT_TCP_FLAG_WINDOW_SCALE;
451 static void tcp_sack(struct tcphdr *tcph, __u32 *sack)
455 int length = (tcph->doff*4) - sizeof(struct tcphdr);
457 /* Fast path for timestamp-only option */
458 if (length == TCPOLEN_TSTAMP_ALIGNED*4
459 && *(__u32 *)(tcph + 1) ==
460 __constant_ntohl((TCPOPT_NOP << 24)
462 | (TCPOPT_TIMESTAMP << 8)
463 | TCPOLEN_TIMESTAMP))
466 ptr = (unsigned char *)(tcph + 1);
474 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
479 if (opsize < 2) /* "silly options" */
482 break; /* don't parse partial options */
484 if (opcode == TCPOPT_SACK
485 && opsize >= (TCPOLEN_SACK_BASE
486 + TCPOLEN_SACK_PERBLOCK)
487 && !((opsize - TCPOLEN_SACK_BASE)
488 % TCPOLEN_SACK_PERBLOCK)) {
490 i < (opsize - TCPOLEN_SACK_BASE);
491 i += TCPOLEN_SACK_PERBLOCK) {
492 tmp = ntohl(*((u_int32_t *)(ptr+i)+1));
494 if (after(tmp, *sack))
505 static int tcp_in_window(struct ip_ct_tcp *state,
506 enum ip_conntrack_dir dir,
508 const struct sk_buff *skb,
512 struct ip_ct_tcp_state *sender = &state->seen[dir];
513 struct ip_ct_tcp_state *receiver = &state->seen[!dir];
514 __u32 seq, ack, sack, end, win, swin;
518 * Get the required data from the packet.
520 seq = ntohl(tcph->seq);
521 ack = sack = ntohl(tcph->ack_seq);
522 win = ntohs(tcph->window);
523 end = segment_seq_plus_len(seq, skb->len, iph, tcph);
525 if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
526 tcp_sack(tcph, &sack);
528 DEBUGP("tcp_in_window: START\n");
529 DEBUGP("tcp_in_window: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu "
530 "seq=%u ack=%u sack=%u win=%u end=%u\n",
531 NIPQUAD(iph->saddr), ntohs(tcph->source),
532 NIPQUAD(iph->daddr), ntohs(tcph->dest),
533 seq, ack, sack, win, end);
534 DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
535 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
536 sender->td_end, sender->td_maxend, sender->td_maxwin,
538 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
541 if (sender->td_end == 0) {
543 * Initialize sender data.
545 if (tcph->syn && tcph->ack) {
547 * Outgoing SYN-ACK in reply to a SYN.
550 sender->td_maxend = end;
551 sender->td_maxwin = (win == 0 ? 1 : win);
553 tcp_options(skb, iph, tcph, sender);
556 * Both sides must send the Window Scale option
557 * to enable window scaling in either direction.
559 if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE
560 && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE))
562 receiver->td_scale = 0;
565 * We are in the middle of a connection,
566 * its history is lost for us.
567 * Let's try to use the data from the packet.
569 sender->td_end = end;
570 sender->td_maxwin = (win == 0 ? 1 : win);
571 sender->td_maxend = end + sender->td_maxwin;
573 } else if (((state->state == TCP_CONNTRACK_SYN_SENT
574 && dir == IP_CT_DIR_ORIGINAL)
575 || (state->state == TCP_CONNTRACK_SYN_RECV
576 && dir == IP_CT_DIR_REPLY))
577 && after(end, sender->td_end)) {
579 * RFC 793: "if a TCP is reinitialized ... then it need
580 * not wait at all; it must only be sure to use sequence
581 * numbers larger than those recently used."
584 sender->td_maxend = end;
585 sender->td_maxwin = (win == 0 ? 1 : win);
587 tcp_options(skb, iph, tcph, sender);
592 * If there is no ACK, just pretend it was set and OK.
594 ack = sack = receiver->td_end;
595 } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) ==
596 (TCP_FLAG_ACK|TCP_FLAG_RST))
599 * Broken TCP stacks, that set ACK in RST packets as well
600 * with zero ack value.
602 ack = sack = receiver->td_end;
607 * Packets contains no data: we assume it is valid
608 * and check the ack value only.
610 seq = end = sender->td_end;
612 DEBUGP("tcp_in_window: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu "
613 "seq=%u ack=%u sack =%u win=%u end=%u trim=%u\n",
614 NIPQUAD(iph->saddr), ntohs(tcph->source),
615 NIPQUAD(iph->daddr), ntohs(tcph->dest),
616 seq, ack, sack, win, end,
617 after(end, sender->td_maxend) && before(seq, sender->td_maxend)
618 ? sender->td_maxend : end);
619 DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
620 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
621 sender->td_end, sender->td_maxend, sender->td_maxwin,
623 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
626 /* Ignore data over the right edge of the receiver's window. */
627 if (after(end, sender->td_maxend) &&
628 before(seq, sender->td_maxend)) {
629 end = sender->td_maxend;
630 if (*index == TCP_FIN_SET)
631 *index = TCP_ACK_SET;
633 DEBUGP("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
634 before(end, sender->td_maxend + 1)
635 || before(seq, sender->td_maxend + 1),
636 after(seq, sender->td_end - receiver->td_maxwin - 1)
637 || after(end, sender->td_end - receiver->td_maxwin - 1),
638 before(sack, receiver->td_end + 1),
639 after(ack, receiver->td_end - MAXACKWINDOW(sender)));
641 if (sender->loose || receiver->loose ||
642 (before(end, sender->td_maxend + 1) &&
643 after(seq, sender->td_end - receiver->td_maxwin - 1) &&
644 before(sack, receiver->td_end + 1) &&
645 after(ack, receiver->td_end - MAXACKWINDOW(sender)))) {
647 * Take into account window scaling (RFC 1323).
650 win <<= sender->td_scale;
653 * Update sender data.
655 swin = win + (sack - ack);
656 if (sender->td_maxwin < swin)
657 sender->td_maxwin = swin;
658 if (after(end, sender->td_end))
659 sender->td_end = end;
660 if (after(sack + win, receiver->td_maxend - 1)) {
661 receiver->td_maxend = sack + win;
663 receiver->td_maxend++;
667 * Check retransmissions.
669 if (*index == TCP_ACK_SET) {
670 if (state->last_dir == dir
671 && state->last_seq == seq
672 && state->last_ack == ack
673 && state->last_end == end)
676 state->last_dir = dir;
677 state->last_seq = seq;
678 state->last_ack = ack;
679 state->last_end = end;
684 * Close the window of disabled window tracking :-)
691 if (LOG_INVALID(IPPROTO_TCP))
692 nf_log_packet(PF_INET, 0, skb, NULL, NULL,
694 before(end, sender->td_maxend + 1) ?
695 after(seq, sender->td_end - receiver->td_maxwin - 1) ?
696 before(sack, receiver->td_end + 1) ?
697 after(ack, receiver->td_end - MAXACKWINDOW(sender)) ? "BUG"
698 : "ACK is under the lower bound (possibly overly delayed ACK)"
699 : "ACK is over the upper bound (ACKed data has never seen yet)"
700 : "SEQ is under the lower bound (retransmitted already ACKed data)"
701 : "SEQ is over the upper bound (over the window of the receiver)");
703 res = ip_ct_tcp_be_liberal && !tcph->rst;
706 DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u "
707 "receiver end=%u maxend=%u maxwin=%u\n",
708 res, sender->td_end, sender->td_maxend, sender->td_maxwin,
709 receiver->td_end, receiver->td_maxend, receiver->td_maxwin);
714 #ifdef CONFIG_IP_NF_NAT_NEEDED
715 /* Update sender->td_end after NAT successfully mangled the packet */
716 void ip_conntrack_tcp_update(struct sk_buff *skb,
717 struct ip_conntrack *conntrack,
718 enum ip_conntrack_dir dir)
720 struct iphdr *iph = skb->nh.iph;
721 struct tcphdr *tcph = (void *)skb->nh.iph + skb->nh.iph->ihl*4;
724 struct ip_ct_tcp_state *sender = &conntrack->proto.tcp.seen[dir];
725 struct ip_ct_tcp_state *receiver = &conntrack->proto.tcp.seen[!dir];
728 end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, iph, tcph);
730 WRITE_LOCK(&tcp_lock);
732 * We have to worry for the ack in the reply packet only...
734 if (after(end, conntrack->proto.tcp.seen[dir].td_end))
735 conntrack->proto.tcp.seen[dir].td_end = end;
736 conntrack->proto.tcp.last_end = end;
737 WRITE_UNLOCK(&tcp_lock);
738 DEBUGP("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i "
739 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
740 sender->td_end, sender->td_maxend, sender->td_maxwin,
742 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
757 /* table of valid flag combinations - ECE and CWR are always valid */
758 static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
764 [TH_RST|TH_ACK|TH_PUSH] = 1,
767 [TH_ACK|TH_PUSH] = 1,
769 [TH_ACK|TH_URG|TH_PUSH] = 1,
770 [TH_FIN|TH_ACK|TH_PUSH] = 1,
771 [TH_FIN|TH_ACK|TH_URG] = 1,
772 [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1,
775 /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */
776 static int tcp_error(struct sk_buff *skb,
777 enum ip_conntrack_info *ctinfo,
778 unsigned int hooknum)
780 struct iphdr *iph = skb->nh.iph;
781 struct tcphdr _tcph, *th;
782 unsigned int tcplen = skb->len - iph->ihl * 4;
785 /* Smaller that minimal TCP header? */
786 th = skb_header_pointer(skb, iph->ihl * 4,
787 sizeof(_tcph), &_tcph);
789 if (LOG_INVALID(IPPROTO_TCP))
790 nf_log_packet(PF_INET, 0, skb, NULL, NULL,
791 "ip_ct_tcp: short packet ");
795 /* Not whole TCP header or malformed packet */
796 if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
797 if (LOG_INVALID(IPPROTO_TCP))
798 nf_log_packet(PF_INET, 0, skb, NULL, NULL,
799 "ip_ct_tcp: truncated/malformed packet ");
803 /* Checksum invalid? Ignore.
804 * We skip checking packets on the outgoing path
805 * because the semantic of CHECKSUM_HW is different there
806 * and moreover root might send raw packets.
808 /* FIXME: Source route IP option packets --RR */
809 if (hooknum == NF_IP_PRE_ROUTING
810 && csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP,
811 skb->ip_summed == CHECKSUM_HW ? skb->csum
812 : skb_checksum(skb, iph->ihl*4, tcplen, 0))) {
813 if (LOG_INVALID(IPPROTO_TCP))
814 nf_log_packet(PF_INET, 0, skb, NULL, NULL,
815 "ip_ct_tcp: bad TCP checksum ");
819 /* Check TCP flags. */
820 tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR));
821 if (!tcp_valid_flags[tcpflags]) {
822 if (LOG_INVALID(IPPROTO_TCP))
823 nf_log_packet(PF_INET, 0, skb, NULL, NULL,
824 "ip_ct_tcp: invalid TCP flag combination ");
831 /* Returns verdict for packet, or -1 for invalid. */
832 static int tcp_packet(struct ip_conntrack *conntrack,
833 const struct sk_buff *skb,
834 enum ip_conntrack_info ctinfo)
836 enum tcp_conntrack new_state, old_state;
837 enum ip_conntrack_dir dir;
838 struct iphdr *iph = skb->nh.iph;
839 struct tcphdr *th, _tcph;
840 unsigned long timeout;
843 th = skb_header_pointer(skb, iph->ihl * 4,
844 sizeof(_tcph), &_tcph);
847 WRITE_LOCK(&tcp_lock);
848 old_state = conntrack->proto.tcp.state;
849 dir = CTINFO2DIR(ctinfo);
850 index = get_conntrack_index(th);
851 new_state = tcp_conntracks[dir][index][old_state];
854 case TCP_CONNTRACK_IGNORE:
855 /* Either SYN in ORIGINAL
856 * or SYN/ACK in REPLY
857 * or ACK in REPLY direction (half-open connection). */
858 if (index == TCP_SYNACK_SET
859 && conntrack->proto.tcp.last_index == TCP_SYN_SET
860 && conntrack->proto.tcp.last_dir != dir
861 && after(ntohl(th->ack_seq),
862 conntrack->proto.tcp.last_seq)) {
863 /* This SYN/ACK acknowledges a SYN that we earlier
864 * ignored as invalid. This means that the client and
865 * the server are both in sync, while the firewall is
866 * not. We kill this session and block the SYN/ACK so
867 * that the client cannot but retransmit its SYN and
868 * thus initiate a clean new session.
870 WRITE_UNLOCK(&tcp_lock);
871 if (LOG_INVALID(IPPROTO_TCP))
872 nf_log_packet(PF_INET, 0, skb, NULL, NULL,
873 "ip_ct_tcp: killing out of sync session ");
874 if (del_timer(&conntrack->timeout))
875 conntrack->timeout.function((unsigned long)
879 conntrack->proto.tcp.last_index = index;
880 conntrack->proto.tcp.last_dir = dir;
881 conntrack->proto.tcp.last_seq = ntohl(th->seq);
883 WRITE_UNLOCK(&tcp_lock);
884 if (LOG_INVALID(IPPROTO_TCP))
885 nf_log_packet(PF_INET, 0, skb, NULL, NULL,
886 "ip_ct_tcp: invalid packet ignored ");
888 case TCP_CONNTRACK_MAX:
890 DEBUGP("ip_ct_tcp: Invalid dir=%i index=%u ostate=%u\n",
891 dir, get_conntrack_index(th),
893 WRITE_UNLOCK(&tcp_lock);
894 if (LOG_INVALID(IPPROTO_TCP))
895 nf_log_packet(PF_INET, 0, skb, NULL, NULL,
896 "ip_ct_tcp: invalid state ");
898 case TCP_CONNTRACK_SYN_SENT:
899 if (old_state >= TCP_CONNTRACK_TIME_WAIT) {
900 /* Attempt to reopen a closed connection.
901 * Delete this connection and look up again. */
902 WRITE_UNLOCK(&tcp_lock);
903 if (del_timer(&conntrack->timeout))
904 conntrack->timeout.function((unsigned long)
909 case TCP_CONNTRACK_CLOSE:
910 if (index == TCP_RST_SET
911 && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
912 && conntrack->proto.tcp.last_index <= TCP_SYNACK_SET)
913 || (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
914 && conntrack->proto.tcp.last_index == TCP_ACK_SET))
915 && after(ntohl(th->ack_seq),
916 conntrack->proto.tcp.last_seq)) {
917 /* Ignore RST closing down invalid SYN or ACK
918 we had let trough. */
919 WRITE_UNLOCK(&tcp_lock);
920 if (LOG_INVALID(IPPROTO_TCP))
921 nf_log_packet(PF_INET, 0, skb, NULL, NULL,
922 "ip_ct_tcp: invalid RST (ignored) ");
925 /* Just fall trough */
927 /* Keep compilers happy. */
931 if (!tcp_in_window(&conntrack->proto.tcp, dir, &index,
933 WRITE_UNLOCK(&tcp_lock);
936 /* From now on we have got in-window packets */
938 /* If FIN was trimmed off, we don't change state. */
939 conntrack->proto.tcp.last_index = index;
940 new_state = tcp_conntracks[dir][index][old_state];
942 DEBUGP("tcp_conntracks: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu "
943 "syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n",
944 NIPQUAD(iph->saddr), ntohs(th->source),
945 NIPQUAD(iph->daddr), ntohs(th->dest),
946 (th->syn ? 1 : 0), (th->ack ? 1 : 0),
947 (th->fin ? 1 : 0), (th->rst ? 1 : 0),
948 old_state, new_state);
950 conntrack->proto.tcp.state = new_state;
951 timeout = conntrack->proto.tcp.retrans >= ip_ct_tcp_max_retrans
952 && *tcp_timeouts[new_state] > ip_ct_tcp_timeout_max_retrans
953 ? ip_ct_tcp_timeout_max_retrans : *tcp_timeouts[new_state];
954 WRITE_UNLOCK(&tcp_lock);
956 if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) {
957 /* If only reply is a RST, we can consider ourselves not to
958 have an established connection: this is a fairly common
959 problem case, so we can delete the conntrack
962 if (del_timer(&conntrack->timeout))
963 conntrack->timeout.function((unsigned long)
967 } else if (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
968 && (old_state == TCP_CONNTRACK_SYN_RECV
969 || old_state == TCP_CONNTRACK_ESTABLISHED)
970 && new_state == TCP_CONNTRACK_ESTABLISHED) {
971 /* Set ASSURED if we see see valid ack in ESTABLISHED
972 after SYN_RECV or a valid answer for a picked up
974 set_bit(IPS_ASSURED_BIT, &conntrack->status);
976 ip_ct_refresh_acct(conntrack, ctinfo, skb, timeout);
981 /* Called when a new connection for this protocol found. */
982 static int tcp_new(struct ip_conntrack *conntrack,
983 const struct sk_buff *skb)
985 enum tcp_conntrack new_state;
986 struct iphdr *iph = skb->nh.iph;
987 struct tcphdr *th, _tcph;
989 struct ip_ct_tcp_state *sender = &conntrack->proto.tcp.seen[0];
990 struct ip_ct_tcp_state *receiver = &conntrack->proto.tcp.seen[1];
993 th = skb_header_pointer(skb, iph->ihl * 4,
994 sizeof(_tcph), &_tcph);
997 /* Don't need lock here: this conntrack not in circulation yet */
999 = tcp_conntracks[0][get_conntrack_index(th)]
1000 [TCP_CONNTRACK_NONE];
1002 /* Invalid: delete conntrack */
1003 if (new_state >= TCP_CONNTRACK_MAX) {
1004 DEBUGP("ip_ct_tcp: invalid new deleting.\n");
1008 if (new_state == TCP_CONNTRACK_SYN_SENT) {
1010 conntrack->proto.tcp.seen[0].td_end =
1011 segment_seq_plus_len(ntohl(th->seq), skb->len,
1013 conntrack->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1014 if (conntrack->proto.tcp.seen[0].td_maxwin == 0)
1015 conntrack->proto.tcp.seen[0].td_maxwin = 1;
1016 conntrack->proto.tcp.seen[0].td_maxend =
1017 conntrack->proto.tcp.seen[0].td_end;
1019 tcp_options(skb, iph, th, &conntrack->proto.tcp.seen[0]);
1020 conntrack->proto.tcp.seen[1].flags = 0;
1021 conntrack->proto.tcp.seen[0].loose =
1022 conntrack->proto.tcp.seen[1].loose = 0;
1023 } else if (ip_ct_tcp_loose == 0) {
1024 /* Don't try to pick up connections. */
1028 * We are in the middle of a connection,
1029 * its history is lost for us.
1030 * Let's try to use the data from the packet.
1032 conntrack->proto.tcp.seen[0].td_end =
1033 segment_seq_plus_len(ntohl(th->seq), skb->len,
1035 conntrack->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1036 if (conntrack->proto.tcp.seen[0].td_maxwin == 0)
1037 conntrack->proto.tcp.seen[0].td_maxwin = 1;
1038 conntrack->proto.tcp.seen[0].td_maxend =
1039 conntrack->proto.tcp.seen[0].td_end +
1040 conntrack->proto.tcp.seen[0].td_maxwin;
1041 conntrack->proto.tcp.seen[0].td_scale = 0;
1043 /* We assume SACK. Should we assume window scaling too? */
1044 conntrack->proto.tcp.seen[0].flags =
1045 conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM;
1046 conntrack->proto.tcp.seen[0].loose =
1047 conntrack->proto.tcp.seen[1].loose = ip_ct_tcp_loose;
1050 conntrack->proto.tcp.seen[1].td_end = 0;
1051 conntrack->proto.tcp.seen[1].td_maxend = 0;
1052 conntrack->proto.tcp.seen[1].td_maxwin = 1;
1053 conntrack->proto.tcp.seen[1].td_scale = 0;
1055 /* tcp_packet will set them */
1056 conntrack->proto.tcp.state = TCP_CONNTRACK_NONE;
1057 conntrack->proto.tcp.last_index = TCP_NONE_SET;
1059 DEBUGP("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
1060 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
1061 sender->td_end, sender->td_maxend, sender->td_maxwin,
1063 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
1064 receiver->td_scale);
1068 struct ip_conntrack_protocol ip_conntrack_protocol_tcp =
1070 .proto = IPPROTO_TCP,
1072 .pkt_to_tuple = tcp_pkt_to_tuple,
1073 .invert_tuple = tcp_invert_tuple,
1074 .print_tuple = tcp_print_tuple,
1075 .print_conntrack = tcp_print_conntrack,
1076 .packet = tcp_packet,