[NETFILTER]: nf_conntrack_tcp: fix connection reopening fix

If one side aborts an established connection, the entry still lingers for 10s in conntrack for the late packets. Allow to open up the connection again for the party which sent the RST packet. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: nf_conntrack_tcp: fix connection reopening fix
If one side aborts an established connection, the entry still lingers for 10s in conntrack for the late packets. Allow to open up the connection again for the party which sent the RST packet. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Jozsef Kadlecsik · David S. Miller
1 parent 78c2e50253
Showing 1 changed file with 7 additions and 4 deletions Side-by-side Diff
net/netfilter/nf_conntrack_proto_tcp.c
@@ -834,10 +834,12 @@
 	case TCP_CONNTRACK_SYN_SENT:
 		if (old_state < TCP_CONNTRACK_TIME_WAIT)
 			break;
-		if (conntrack->proto.tcp.seen[!dir].flags &
-			IP_CT_TCP_FLAG_CLOSE_INIT) {
-			/* Attempt to reopen a closed connection.
-			* Delete this connection and look up again. */
+		if ((conntrack->proto.tcp.seen[!dir].flags &
+			IP_CT_TCP_FLAG_CLOSE_INIT)
+		    || (conntrack->proto.tcp.last_dir == dir
+		        && conntrack->proto.tcp.last_index == TCP_RST_SET)) {
+			/* Attempt to reopen a closed/aborted connection.
+			 * Delete this connection and look up again. */
 			write_unlock_bh(&tcp_lock);
 			if (del_timer(&conntrack->timeout))
 				conntrack->timeout.function((unsigned long)
@@ -925,6 +927,7 @@
      in_window:
 	/* From now on we have got in-window packets */
 	conntrack->proto.tcp.last_index = index;
+	conntrack->proto.tcp.last_dir = dir;
  
 	pr_debug("tcp_conntracks: ");
 	NF_CT_DUMP_TUPLE(tuple);
...	...	@@ -834,10 +834,12 @@
834	834	case TCP_CONNTRACK_SYN_SENT:
835	835	if (old_state < TCP_CONNTRACK_TIME_WAIT)
836	836	break;
837		- if (conntrack->proto.tcp.seen[!dir].flags &
838		- IP_CT_TCP_FLAG_CLOSE_INIT) {
839		- /* Attempt to reopen a closed connection.
840		- * Delete this connection and look up again. */
	837	+ if ((conntrack->proto.tcp.seen[!dir].flags &
	838	+ IP_CT_TCP_FLAG_CLOSE_INIT)
	839	+ \|\| (conntrack->proto.tcp.last_dir == dir
	840	+ && conntrack->proto.tcp.last_index == TCP_RST_SET)) {
	841	+ /* Attempt to reopen a closed/aborted connection.
	842	+ * Delete this connection and look up again. */
841	843	write_unlock_bh(&tcp_lock);
842	844	if (del_timer(&conntrack->timeout))
843	845	conntrack->timeout.function((unsigned long)
...	...	@@ -925,6 +927,7 @@
925	927	in_window:
926	928	/* From now on we have got in-window packets */
927	929	conntrack->proto.tcp.last_index = index;
	930	+ conntrack->proto.tcp.last_dir = dir;
928	931
929	932	pr_debug("tcp_conntracks: ");
930	933	NF_CT_DUMP_TUPLE(tuple);