|
@@ -831,6 +831,20 @@ static int tcp_packet(struct nf_conn *conntrack,
|
|
|
tuple = &conntrack->tuplehash[dir].tuple;
|
|
|
|
|
|
switch (new_state) {
|
|
|
+ case TCP_CONNTRACK_SYN_SENT:
|
|
|
+ if (old_state < TCP_CONNTRACK_TIME_WAIT)
|
|
|
+ break;
|
|
|
+ if (conntrack->proto.tcp.seen[!dir].flags &
|
|
|
+ IP_CT_TCP_FLAG_CLOSE_INIT) {
|
|
|
+ /* Attempt to reopen a closed connection.
|
|
|
+ * Delete this connection and look up again. */
|
|
|
+ write_unlock_bh(&tcp_lock);
|
|
|
+ if (del_timer(&conntrack->timeout))
|
|
|
+ conntrack->timeout.function((unsigned long)
|
|
|
+ conntrack);
|
|
|
+ return -NF_REPEAT;
|
|
|
+ }
|
|
|
+ /* Fall through */
|
|
|
case TCP_CONNTRACK_IGNORE:
|
|
|
/* Ignored packets:
|
|
|
*
|
|
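Review bot: The reopen branch added under `case TCP_CONNTRACK_SYN_SENT:` returns `-NF_REPEAT` even when `del_timer(&conntrack->timeout)` returns 0, that is, when this path did not actually destroy the entry. If the entry is already being torn down elsewhere, the repeated lookup can presumably find the same conntrack again and re-enter this branch, so a single SYN could be reprocessed over and over. Repeat only when the timer was really removed: move `return -NF_REPEAT;` inside the `if (del_timer(...))` body, after the `timeout.function(...)` call, and follow the `if` with `return -NF_DROP;`. A short comment there should say that destruction may already be in progress and must be allowed to finish. The same unconditional return was present in the removed block, and `tcp_packet` and its `switch` continue outside the hunk, so the caller's handling of the repeat verdict is inferred rather than visible here.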
@@ -879,27 +893,6 @@ static int tcp_packet(struct nf_conn *conntrack,
|
|
|
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
|
|
|
"nf_ct_tcp: invalid state ");
|
|
|
return -NF_ACCEPT;
|
|
|
- case TCP_CONNTRACK_SYN_SENT:
|
|
|
- if (old_state < TCP_CONNTRACK_TIME_WAIT)
|
|
|
- break;
|
|
|
- if ((conntrack->proto.tcp.seen[dir].flags &
|
|
|
- IP_CT_TCP_FLAG_CLOSE_INIT)
|
|
|
- || after(ntohl(th->seq),
|
|
|
- conntrack->proto.tcp.seen[dir].td_end)) {
|
|
|
- /* Attempt to reopen a closed connection.
|
|
|
- * Delete this connection and look up again. */
|
|
|
- write_unlock_bh(&tcp_lock);
|
|
|
- if (del_timer(&conntrack->timeout))
|
|
|
- conntrack->timeout.function((unsigned long)
|
|
|
- conntrack);
|
|
|
- return -NF_REPEAT;
|
|
|
- } else {
|
|
|
- write_unlock_bh(&tcp_lock);
|
|
|
- if (LOG_INVALID(IPPROTO_TCP))
|
|
|
- nf_log_packet(pf, 0, skb, NULL, NULL,
|
|
|
- NULL, "nf_ct_tcp: invalid SYN");
|
|
|
- return -NF_ACCEPT;
|
|
|
- }
|
|
|
case TCP_CONNTRACK_CLOSE:
|
|
|
if (index == TCP_RST_SET
|
|
|
&& ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
|