]> bbs.cooldavid.org Git - net-next-2.6.git/blame - net/netfilter/nf_conntrack_proto_tcp.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
sysctl net: Remove unused binary sysctl code
[net-next-2.6.git] / net / netfilter / nf_conntrack_proto_tcp.c
CommitLineData
9fb9cbb1
YK		 1/* (C) 1999-2001 Paul `Rusty' Russell
2 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
9fb9cbb1
YK		 7 */
8
9fb9cbb1 9#include <linux/types.h>
9fb9cbb1 10#include <linux/timer.h>
9fb9cbb1
YK		 11#include <linux/module.h>
12#include <linux/in.h>
13#include <linux/tcp.h>
14#include <linux/spinlock.h>
15#include <linux/skbuff.h>
16#include <linux/ipv6.h>
17#include <net/ip6_checksum.h>
534f81a5 18#include <asm/unaligned.h>
9fb9cbb1
YK		 19
20#include <net/tcp.h>
21
22#include <linux/netfilter.h>
23#include <linux/netfilter_ipv4.h>
24#include <linux/netfilter_ipv6.h>
25#include <net/netfilter/nf_conntrack.h>
605dcad6 26#include <net/netfilter/nf_conntrack_l4proto.h>
f6180121 27#include <net/netfilter/nf_conntrack_ecache.h>
f01ffbd6 28#include <net/netfilter/nf_log.h>
9d2493f8
CP		 29#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
30#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
9fb9cbb1 31
601e68e1
YH		 32/* "Be conservative in what you do,
33 be liberal in what you accept from others."
9fb9cbb1 34 If it's non-zero, we mark only out of window RST segments as INVALID. */
3aef0fd9 35static int nf_ct_tcp_be_liberal __read_mostly = 0;
9fb9cbb1 36
a09113c2 37/* If it is set to zero, we disable picking up already established
9fb9cbb1 38 connections. */
3aef0fd9 39static int nf_ct_tcp_loose __read_mostly = 1;
9fb9cbb1 40
601e68e1
YH		 41/* Max number of the retransmitted packets without receiving an (acceptable)
42 ACK from the destination. If this number is reached, a shorter timer
9fb9cbb1 43 will be started. */
3aef0fd9 44static int nf_ct_tcp_max_retrans __read_mostly = 3;
9fb9cbb1
YK		 45
46 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
47 closely. They're more complex. --RR */
48
82f568fc 49static const char *const tcp_conntrack_names[] = {
9fb9cbb1
YK		 50 "NONE",
51 "SYN_SENT",
52 "SYN_RECV",
53 "ESTABLISHED",
54 "FIN_WAIT",
55 "CLOSE_WAIT",
56 "LAST_ACK",
57 "TIME_WAIT",
58 "CLOSE",
874ab923 59 "SYN_SENT2",
9fb9cbb1 60};
601e68e1 61
9fb9cbb1
YK		 62#define SECS * HZ
63#define MINS * 60 SECS
64#define HOURS * 60 MINS
65#define DAYS * 24 HOURS
66
9fb9cbb1 67/* RFC1122 says the R2 limit should be at least 100 seconds.
601e68e1 68 Linux uses 15 packets as limit, which corresponds
9fb9cbb1 69 to ~13-30min depending on RTO. */
ae375044
PM		 70static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS;
71static unsigned int nf_ct_tcp_timeout_unacknowledged __read_mostly = 5 MINS;
601e68e1 72
2d646286
PM		 73static unsigned int tcp_timeouts[TCP_CONNTRACK_MAX] __read_mostly = {
74 [TCP_CONNTRACK_SYN_SENT] = 2 MINS,
75 [TCP_CONNTRACK_SYN_RECV] = 60 SECS,
76 [TCP_CONNTRACK_ESTABLISHED] = 5 DAYS,
77 [TCP_CONNTRACK_FIN_WAIT] = 2 MINS,
78 [TCP_CONNTRACK_CLOSE_WAIT] = 60 SECS,
79 [TCP_CONNTRACK_LAST_ACK] = 30 SECS,
80 [TCP_CONNTRACK_TIME_WAIT] = 2 MINS,
81 [TCP_CONNTRACK_CLOSE] = 10 SECS,
874ab923 82 [TCP_CONNTRACK_SYN_SENT2] = 2 MINS,
2d646286 83};
601e68e1 84
9fb9cbb1
YK		 85#define sNO TCP_CONNTRACK_NONE
86#define sSS TCP_CONNTRACK_SYN_SENT
87#define sSR TCP_CONNTRACK_SYN_RECV
88#define sES TCP_CONNTRACK_ESTABLISHED
89#define sFW TCP_CONNTRACK_FIN_WAIT
90#define sCW TCP_CONNTRACK_CLOSE_WAIT
91#define sLA TCP_CONNTRACK_LAST_ACK
92#define sTW TCP_CONNTRACK_TIME_WAIT
93#define sCL TCP_CONNTRACK_CLOSE
874ab923 94#define sS2 TCP_CONNTRACK_SYN_SENT2
9fb9cbb1
YK		 95#define sIV TCP_CONNTRACK_MAX
96#define sIG TCP_CONNTRACK_IGNORE
97
98/* What TCP flags are set from RST/SYN/FIN/ACK. */
99enum tcp_bit_set {
100 TCP_SYN_SET,
101 TCP_SYNACK_SET,
102 TCP_FIN_SET,
103 TCP_ACK_SET,
104 TCP_RST_SET,
105 TCP_NONE_SET,
106};
601e68e1 107
9fb9cbb1
YK		 108/*
109 * The TCP state transition table needs a few words...
110 *
111 * We are the man in the middle. All the packets go through us
112 * but might get lost in transit to the destination.
601e68e1 113 * It is assumed that the destinations can't receive segments
9fb9cbb1
YK		 114 * we haven't seen.
115 *
116 * The checked segment is in window, but our windows are *not*
117 * equivalent with the ones of the sender/receiver. We always
118 * try to guess the state of the current sender.
119 *
120 * The meaning of the states are:
121 *
122 * NONE: initial state
601e68e1 123 * SYN_SENT: SYN-only packet seen
874ab923 124 * SYN_SENT2: SYN-only packet seen from reply dir, simultaneous open
9fb9cbb1
YK		 125 * SYN_RECV: SYN-ACK packet seen
126 * ESTABLISHED: ACK packet seen
127 * FIN_WAIT: FIN packet seen
601e68e1 128 * CLOSE_WAIT: ACK seen (after FIN)
9fb9cbb1
YK		 129 * LAST_ACK: FIN seen (after FIN)
130 * TIME_WAIT: last ACK seen
b2155e7f 131 * CLOSE: closed connection (RST)
9fb9cbb1 132 *
9fb9cbb1 133 * Packets marked as IGNORED (sIG):
601e68e1
YH		 134 * if they may be either invalid or valid
135 * and the receiver may send back a connection
9fb9cbb1
YK		 136 * closing RST or a SYN/ACK.
137 *
138 * Packets marked as INVALID (sIV):
874ab923 139 * if we regard them as truly invalid packets
9fb9cbb1 140 */
a5e73c29 141static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
9fb9cbb1
YK		 142 {
143/* ORIGINAL */
874ab923
JK		 144/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
145/*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sS2 },
9fb9cbb1
YK		 146/*
147 * sNO -> sSS Initialize a new connection
148 * sSS -> sSS Retransmitted SYN
874ab923
JK		 149 * sS2 -> sS2 Late retransmitted SYN
150 * sSR -> sIG
9fb9cbb1 151 * sES -> sIG Error: SYNs in window outside the SYN_SENT state
601e68e1 152 * are errors. Receiver will reply with RST
9fb9cbb1
YK		 153 * and close the connection.
154 * Or we are not in sync and hold a dead connection.
155 * sFW -> sIG
156 * sCW -> sIG
157 * sLA -> sIG
158 * sTW -> sSS Reopened connection (RFC 1122).
159 * sCL -> sSS
160 */
874ab923
JK		 161/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
162/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
9fb9cbb1 163/*
874ab923
JK		 164 * sNO -> sIV Too late and no reason to do anything
165 * sSS -> sIV Client can't send SYN and then SYN/ACK
166 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
167 * sSR -> sIG
168 * sES -> sIG Error: SYNs in window outside the SYN_SENT state
169 * are errors. Receiver will reply with RST
170 * and close the connection.
171 * Or we are not in sync and hold a dead connection.
172 * sFW -> sIG
173 * sCW -> sIG
174 * sLA -> sIG
175 * sTW -> sIG
176 * sCL -> sIG
9fb9cbb1 177 */
874ab923 178/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
9fb9cbb1
YK		 179/*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
180/*
181 * sNO -> sIV Too late and no reason to do anything...
182 * sSS -> sIV Client migth not send FIN in this state:
183 * we enforce waiting for a SYN/ACK reply first.
874ab923 184 * sS2 -> sIV
9fb9cbb1
YK		 185 * sSR -> sFW Close started.
186 * sES -> sFW
187 * sFW -> sLA FIN seen in both directions, waiting for
601e68e1 188 * the last ACK.
9fb9cbb1
YK		 189 * Migth be a retransmitted FIN as well...
190 * sCW -> sLA
191 * sLA -> sLA Retransmitted FIN. Remain in the same state.
192 * sTW -> sTW
193 * sCL -> sCL
194 */
874ab923 195/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
9fb9cbb1
YK		 196/*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
197/*
198 * sNO -> sES Assumed.
199 * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet.
874ab923 200 * sS2 -> sIV
9fb9cbb1
YK		 201 * sSR -> sES Established state is reached.
202 * sES -> sES :-)
203 * sFW -> sCW Normal close request answered by ACK.
204 * sCW -> sCW
205 * sLA -> sTW Last ACK detected.
206 * sTW -> sTW Retransmitted last ACK. Remain in the same state.
207 * sCL -> sCL
208 */
874ab923
JK		 209/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
210/*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
9fb9cbb1
YK		 211/*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
212 },
213 {
214/* REPLY */
874ab923
JK		 215/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
216/*syn*/ { sIV, sS2, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sS2 },
9fb9cbb1
YK		 217/*
218 * sNO -> sIV Never reached.
874ab923
JK		 219 * sSS -> sS2 Simultaneous open
220 * sS2 -> sS2 Retransmitted simultaneous SYN
221 * sSR -> sIV Invalid SYN packets sent by the server
222 * sES -> sIV
9fb9cbb1
YK		 223 * sFW -> sIV
224 * sCW -> sIV
225 * sLA -> sIV
226 * sTW -> sIV Reopened connection, but server may not do it.
227 * sCL -> sIV
228 */
874ab923
JK		 229/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
230/*synack*/ { sIV, sSR, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
9fb9cbb1
YK		 231/*
232 * sSS -> sSR Standard open.
874ab923 233 * sS2 -> sSR Simultaneous open
9fb9cbb1
YK		 234 * sSR -> sSR Retransmitted SYN/ACK.
235 * sES -> sIG Late retransmitted SYN/ACK?
236 * sFW -> sIG Might be SYN/ACK answering ignored SYN
237 * sCW -> sIG
238 * sLA -> sIG
239 * sTW -> sIG
240 * sCL -> sIG
241 */
874ab923 242/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
9fb9cbb1
YK		 243/*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
244/*
245 * sSS -> sIV Server might not send FIN in this state.
874ab923 246 * sS2 -> sIV
9fb9cbb1
YK		 247 * sSR -> sFW Close started.
248 * sES -> sFW
249 * sFW -> sLA FIN seen in both directions.
250 * sCW -> sLA
251 * sLA -> sLA Retransmitted FIN.
252 * sTW -> sTW
253 * sCL -> sCL
254 */
874ab923
JK		 255/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
256/*ack*/ { sIV, sIG, sSR, sES, sCW, sCW, sTW, sTW, sCL, sIG },
9fb9cbb1 257/*
73f30602 258 * sSS -> sIG Might be a half-open connection.
874ab923 259 * sS2 -> sIG
9fb9cbb1
YK		 260 * sSR -> sSR Might answer late resent SYN.
261 * sES -> sES :-)
262 * sFW -> sCW Normal close request answered by ACK.
263 * sCW -> sCW
264 * sLA -> sTW Last ACK detected.
265 * sTW -> sTW Retransmitted last ACK.
266 * sCL -> sCL
267 */
874ab923
JK		 268/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
269/*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
9fb9cbb1 270/*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
601e68e1 271 }
9fb9cbb1
YK		 272};
273
09f263cd
JE		 274static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
275 struct nf_conntrack_tuple *tuple)
9fb9cbb1 276{
82f568fc
JE		 277 const struct tcphdr *hp;
278 struct tcphdr _hdr;
9fb9cbb1
YK		 279
280 /* Actually only need first 8 bytes. */
281 hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
282 if (hp == NULL)
09f263cd 283 return false;
9fb9cbb1
YK		 284
285 tuple->src.u.tcp.port = hp->source;
286 tuple->dst.u.tcp.port = hp->dest;
287
09f263cd 288 return true;
9fb9cbb1
YK		 289}
290
09f263cd
JE		 291static bool tcp_invert_tuple(struct nf_conntrack_tuple *tuple,
292 const struct nf_conntrack_tuple *orig)
9fb9cbb1
YK		 293{
294 tuple->src.u.tcp.port = orig->dst.u.tcp.port;
295 tuple->dst.u.tcp.port = orig->src.u.tcp.port;
09f263cd 296 return true;
9fb9cbb1
YK		 297}
298
299/* Print out the per-protocol part of the tuple. */
300static int tcp_print_tuple(struct seq_file *s,
301 const struct nf_conntrack_tuple *tuple)
302{
303 return seq_printf(s, "sport=%hu dport=%hu ",
304 ntohs(tuple->src.u.tcp.port),
305 ntohs(tuple->dst.u.tcp.port));
306}
307
308/* Print out the private part of the conntrack. */
440f0d58 309static int tcp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
9fb9cbb1
YK		 310{
311 enum tcp_conntrack state;
312
440f0d58 313 spin_lock_bh(&ct->lock);
c88130bc 314 state = ct->proto.tcp.state;
440f0d58 315 spin_unlock_bh(&ct->lock);
9fb9cbb1
YK		 316
317 return seq_printf(s, "%s ", tcp_conntrack_names[state]);
318}
319
320static unsigned int get_conntrack_index(const struct tcphdr *tcph)
321{
322 if (tcph->rst) return TCP_RST_SET;
323 else if (tcph->syn) return (tcph->ack ? TCP_SYNACK_SET : TCP_SYN_SET);
324 else if (tcph->fin) return TCP_FIN_SET;
325 else if (tcph->ack) return TCP_ACK_SET;
326 else return TCP_NONE_SET;
327}
328
329/* TCP connection tracking based on 'Real Stateful TCP Packet Filtering
330 in IP Filter' by Guido van Rooij.
601e68e1 331
9fb9cbb1
YK		 332 http://www.nluug.nl/events/sane2000/papers.html
333 http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz
601e68e1 334
9fb9cbb1
YK		 335 The boundaries and the conditions are changed according to RFC793:
336 the packet must intersect the window (i.e. segments may be
337 after the right or before the left edge) and thus receivers may ACK
338 segments after the right edge of the window.
339
601e68e1 340 td_maxend = max(sack + max(win,1)) seen in reply packets
9fb9cbb1
YK		 341 td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets
342 td_maxwin += seq + len - sender.td_maxend
343 if seq + len > sender.td_maxend
344 td_end = max(seq + len) seen in sent packets
601e68e1 345
9fb9cbb1
YK		 346 I. Upper bound for valid data: seq <= sender.td_maxend
347 II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin
84ebe1cd
JK		 348 III. Upper bound for valid (s)ack: sack <= receiver.td_end
349 IV. Lower bound for valid (s)ack: sack >= receiver.td_end - MAXACKWINDOW
9fb9cbb1 350
84ebe1cd
JK		 351 where sack is the highest right edge of sack block found in the packet
352 or ack in the case of packet without SACK option.
9fb9cbb1 353
84ebe1cd 354 The upper bound limit for a valid (s)ack is not ignored -
601e68e1 355 we doesn't have to deal with fragments.
9fb9cbb1
YK		 356*/
357
358static inline __u32 segment_seq_plus_len(__u32 seq,
359 size_t len,
360 unsigned int dataoff,
82f568fc 361 const struct tcphdr *tcph)
9fb9cbb1
YK		 362{
363 /* XXX Should I use payload length field in IP/IPv6 header ?
364 * - YK */
365 return (seq + len - dataoff - tcph->doff*4
366 + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0));
367}
601e68e1 368
9fb9cbb1
YK		 369/* Fixme: what about big packets? */
370#define MAXACKWINCONST 66000
371#define MAXACKWINDOW(sender) \
372 ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \
373 : MAXACKWINCONST)
601e68e1 374
9fb9cbb1
YK		 375/*
376 * Simplified tcp_parse_options routine from tcp_input.c
377 */
378static void tcp_options(const struct sk_buff *skb,
379 unsigned int dataoff,
82f568fc 380 const struct tcphdr *tcph,
9fb9cbb1
YK		 381 struct ip_ct_tcp_state *state)
382{
383 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
82f568fc 384 const unsigned char *ptr;
9fb9cbb1
YK		 385 int length = (tcph->doff*4) - sizeof(struct tcphdr);
386
387 if (!length)
388 return;
389
390 ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),
391 length, buff);
392 BUG_ON(ptr == NULL);
393
601e68e1 394 state->td_scale =
9fb9cbb1
YK		 395 state->flags = 0;
396
397 while (length > 0) {
398 int opcode=*ptr++;
399 int opsize;
400
401 switch (opcode) {
402 case TCPOPT_EOL:
403 return;
404 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
405 length--;
406 continue;
407 default:
408 opsize=*ptr++;
409 if (opsize < 2) /* "silly options" */
410 return;
411 if (opsize > length)
412 break; /* don't parse partial options */
413
601e68e1 414 if (opcode == TCPOPT_SACK_PERM
9fb9cbb1
YK		 415 && opsize == TCPOLEN_SACK_PERM)
416 state->flags |= IP_CT_TCP_FLAG_SACK_PERM;
417 else if (opcode == TCPOPT_WINDOW
418 && opsize == TCPOLEN_WINDOW) {
419 state->td_scale = *(u_int8_t *)ptr;
420
421 if (state->td_scale > 14) {
422 /* See RFC1323 */
423 state->td_scale = 14;
424 }
425 state->flags |=
426 IP_CT_TCP_FLAG_WINDOW_SCALE;
427 }
428 ptr += opsize - 2;
429 length -= opsize;
430 }
431 }
432}
433
434static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
82f568fc 435 const struct tcphdr *tcph, __u32 *sack)
9fb9cbb1 436{
601e68e1 437 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
82f568fc 438 const unsigned char *ptr;
9fb9cbb1
YK		 439 int length = (tcph->doff*4) - sizeof(struct tcphdr);
440 __u32 tmp;
441
442 if (!length)
443 return;
444
445 ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),
446 length, buff);
447 BUG_ON(ptr == NULL);
448
449 /* Fast path for timestamp-only option */
450 if (length == TCPOLEN_TSTAMP_ALIGNED*4
8f05ce91
YH		 451 && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24)
452 | (TCPOPT_NOP << 16)
453 | (TCPOPT_TIMESTAMP << 8)
454 | TCPOLEN_TIMESTAMP))
9fb9cbb1
YK		 455 return;
456
457 while (length > 0) {
458 int opcode = *ptr++;
459 int opsize, i;
460
461 switch (opcode) {
462 case TCPOPT_EOL:
463 return;
464 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
465 length--;
466 continue;
467 default:
468 opsize = *ptr++;
469 if (opsize < 2) /* "silly options" */
470 return;
471 if (opsize > length)
472 break; /* don't parse partial options */
473
601e68e1
YH		 474 if (opcode == TCPOPT_SACK
475 && opsize >= (TCPOLEN_SACK_BASE
476 + TCPOLEN_SACK_PERBLOCK)
477 && !((opsize - TCPOLEN_SACK_BASE)
478 % TCPOLEN_SACK_PERBLOCK)) {
479 for (i = 0;
480 i < (opsize - TCPOLEN_SACK_BASE);
481 i += TCPOLEN_SACK_PERBLOCK) {
534f81a5 482 tmp = get_unaligned_be32((__be32 *)(ptr+i)+1);
9fb9cbb1
YK		 483
484 if (after(tmp, *sack))
485 *sack = tmp;
486 }
487 return;
488 }
489 ptr += opsize - 2;
490 length -= opsize;
491 }
492 }
493}
494
09f263cd
JE		 495static bool tcp_in_window(const struct nf_conn *ct,
496 struct ip_ct_tcp *state,
497 enum ip_conntrack_dir dir,
498 unsigned int index,
499 const struct sk_buff *skb,
500 unsigned int dataoff,
501 const struct tcphdr *tcph,
76108cea 502 u_int8_t pf)
9fb9cbb1 503{
c2a2c7e0 504 struct net *net = nf_ct_net(ct);
9fb9cbb1
YK		 505 struct ip_ct_tcp_state *sender = &state->seen[dir];
506 struct ip_ct_tcp_state *receiver = &state->seen[!dir];
82f568fc 507 const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
9fb9cbb1 508 __u32 seq, ack, sack, end, win, swin;
09f263cd 509 bool res;
9fb9cbb1
YK		 510
511 /*
512 * Get the required data from the packet.
513 */
514 seq = ntohl(tcph->seq);
515 ack = sack = ntohl(tcph->ack_seq);
516 win = ntohs(tcph->window);
517 end = segment_seq_plus_len(seq, skb->len, dataoff, tcph);
518
519 if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
520 tcp_sack(skb, dataoff, tcph, &sack);
521
0d53778e
PM		 522 pr_debug("tcp_in_window: START\n");
523 pr_debug("tcp_in_window: ");
3c9fba65 524 nf_ct_dump_tuple(tuple);
0d53778e
PM		 525 pr_debug("seq=%u ack=%u sack=%u win=%u end=%u\n",
526 seq, ack, sack, win, end);
527 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
528 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
529 sender->td_end, sender->td_maxend, sender->td_maxwin,
530 sender->td_scale,
531 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
532 receiver->td_scale);
9fb9cbb1 533
874ab923 534 if (sender->td_maxwin == 0) {
9fb9cbb1
YK		 535 /*
536 * Initialize sender data.
537 */
874ab923 538 if (tcph->syn) {
9fb9cbb1 539 /*
874ab923
JK		 540 * SYN-ACK in reply to a SYN
541 * or SYN from reply direction in simultaneous open.
9fb9cbb1 542 */
601e68e1 543 sender->td_end =
9fb9cbb1
YK		 544 sender->td_maxend = end;
545 sender->td_maxwin = (win == 0 ? 1 : win);
546
547 tcp_options(skb, dataoff, tcph, sender);
601e68e1 548 /*
9fb9cbb1
YK		 549 * RFC 1323:
550 * Both sides must send the Window Scale option
551 * to enable window scaling in either direction.
552 */
553 if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE
554 && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE))
601e68e1 555 sender->td_scale =
9fb9cbb1 556 receiver->td_scale = 0;
874ab923
JK		 557 if (!tcph->ack)
558 /* Simultaneous open */
559 return true;
9fb9cbb1
YK		 560 } else {
561 /*
562 * We are in the middle of a connection,
563 * its history is lost for us.
564 * Let's try to use the data from the packet.
601e68e1 565 */
9fb9cbb1
YK		 566 sender->td_end = end;
567 sender->td_maxwin = (win == 0 ? 1 : win);
568 sender->td_maxend = end + sender->td_maxwin;
569 }
570 } else if (((state->state == TCP_CONNTRACK_SYN_SENT
571 && dir == IP_CT_DIR_ORIGINAL)
572 || (state->state == TCP_CONNTRACK_SYN_RECV
573 && dir == IP_CT_DIR_REPLY))
574 && after(end, sender->td_end)) {
575 /*
576 * RFC 793: "if a TCP is reinitialized ... then it need
601e68e1 577 * not wait at all; it must only be sure to use sequence
9fb9cbb1
YK		 578 * numbers larger than those recently used."
579 */
580 sender->td_end =
581 sender->td_maxend = end;
582 sender->td_maxwin = (win == 0 ? 1 : win);
583
584 tcp_options(skb, dataoff, tcph, sender);
585 }
586
587 if (!(tcph->ack)) {
588 /*
589 * If there is no ACK, just pretend it was set and OK.
590 */
591 ack = sack = receiver->td_end;
601e68e1
YH		 592 } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) ==
593 (TCP_FLAG_ACK|TCP_FLAG_RST))
9fb9cbb1
YK		 594 && (ack == 0)) {
595 /*
596 * Broken TCP stacks, that set ACK in RST packets as well
597 * with zero ack value.
598 */
599 ack = sack = receiver->td_end;
600 }
601
602 if (seq == end
603 && (!tcph->rst
604 || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
605 /*
606 * Packets contains no data: we assume it is valid
607 * and check the ack value only.
608 * However RST segments are always validated by their
609 * SEQ number, except when seq == 0 (reset sent answering
610 * SYN.
611 */
612 seq = end = sender->td_end;
613
0d53778e 614 pr_debug("tcp_in_window: ");
3c9fba65 615 nf_ct_dump_tuple(tuple);
0d53778e
PM		 616 pr_debug("seq=%u ack=%u sack =%u win=%u end=%u\n",
617 seq, ack, sack, win, end);
618 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
619 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
620 sender->td_end, sender->td_maxend, sender->td_maxwin,
621 sender->td_scale,
622 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
623 receiver->td_scale);
624
625 pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
626 before(seq, sender->td_maxend + 1),
627 after(end, sender->td_end - receiver->td_maxwin - 1),
628 before(sack, receiver->td_end + 1),
84ebe1cd 629 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
9fb9cbb1 630
a09113c2
PM		 631 if (before(seq, sender->td_maxend + 1) &&
632 after(end, sender->td_end - receiver->td_maxwin - 1) &&
633 before(sack, receiver->td_end + 1) &&
84ebe1cd 634 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
601e68e1 635 /*
9fb9cbb1
YK		 636 * Take into account window scaling (RFC 1323).
637 */
638 if (!tcph->syn)
639 win <<= sender->td_scale;
640
641 /*
642 * Update sender data.
643 */
644 swin = win + (sack - ack);
645 if (sender->td_maxwin < swin)
646 sender->td_maxwin = swin;
ae375044 647 if (after(end, sender->td_end)) {
9fb9cbb1 648 sender->td_end = end;
ae375044
PM		 649 sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
650 }
bfcaa502
JK		 651 if (tcph->ack) {
652 if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) {
653 sender->td_maxack = ack;
654 sender->flags |= IP_CT_TCP_FLAG_MAXACK_SET;
655 } else if (after(ack, sender->td_maxack))
656 sender->td_maxack = ack;
657 }
658
9fb9cbb1
YK		 659 /*
660 * Update receiver data.
661 */
662 if (after(end, sender->td_maxend))
663 receiver->td_maxwin += end - sender->td_maxend;
664 if (after(sack + win, receiver->td_maxend - 1)) {
665 receiver->td_maxend = sack + win;
666 if (win == 0)
667 receiver->td_maxend++;
668 }
ae375044
PM		 669 if (ack == receiver->td_end)
670 receiver->flags &= ~IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
9fb9cbb1 671
601e68e1 672 /*
9fb9cbb1
YK		 673 * Check retransmissions.
674 */
675 if (index == TCP_ACK_SET) {
676 if (state->last_dir == dir
677 && state->last_seq == seq
678 && state->last_ack == ack
c1fe3ca5
GH		 679 && state->last_end == end
680 && state->last_win == win)
9fb9cbb1
YK		 681 state->retrans++;
682 else {
683 state->last_dir = dir;
684 state->last_seq = seq;
685 state->last_ack = ack;
686 state->last_end = end;
c1fe3ca5 687 state->last_win = win;
9fb9cbb1
YK		 688 state->retrans = 0;
689 }
690 }
09f263cd 691 res = true;
9fb9cbb1 692 } else {
09f263cd 693 res = false;
a09113c2
PM		 694 if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
695 nf_ct_tcp_be_liberal)
09f263cd 696 res = true;
c2a2c7e0 697 if (!res && LOG_INVALID(net, IPPROTO_TCP))
9fb9cbb1
YK		 698 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
699 "nf_ct_tcp: %s ",
700 before(seq, sender->td_maxend + 1) ?
701 after(end, sender->td_end - receiver->td_maxwin - 1) ?
702 before(sack, receiver->td_end + 1) ?
703 after(ack, receiver->td_end - MAXACKWINDOW(sender)) ? "BUG"
704 : "ACK is under the lower bound (possible overly delayed ACK)"
705 : "ACK is over the upper bound (ACKed data not seen yet)"
706 : "SEQ is under the lower bound (already ACKed data retransmitted)"
707 : "SEQ is over the upper bound (over the window of the receiver)");
601e68e1
YH		 708 }
709
09f263cd 710 pr_debug("tcp_in_window: res=%u sender end=%u maxend=%u maxwin=%u "
0d53778e
PM		 711 "receiver end=%u maxend=%u maxwin=%u\n",
712 res, sender->td_end, sender->td_maxend, sender->td_maxwin,
713 receiver->td_end, receiver->td_maxend, receiver->td_maxwin);
9fb9cbb1
YK		 714
715 return res;
716}
717
5b1158e9 718#ifdef CONFIG_NF_NAT_NEEDED
9fb9cbb1
YK		 719/* Update sender->td_end after NAT successfully mangled the packet */
720/* Caller must linearize skb at tcp header. */
82f568fc 721void nf_conntrack_tcp_update(const struct sk_buff *skb,
9fb9cbb1 722 unsigned int dataoff,
a3a9f79e
PM		 723 struct nf_conn *ct, int dir,
724 s16 offset)
9fb9cbb1 725{
82f568fc
JE		 726 const struct tcphdr *tcph = (const void *)skb->data + dataoff;
727 const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir];
728 const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[!dir];
0d53778e 729 __u32 end;
9fb9cbb1
YK		 730
731 end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, dataoff, tcph);
732
440f0d58 733 spin_lock_bh(&ct->lock);
9fb9cbb1
YK		 734 /*
735 * We have to worry for the ack in the reply packet only...
736 */
a3a9f79e 737 if (ct->proto.tcp.seen[dir].td_end + offset == end)
c88130bc
PM		 738 ct->proto.tcp.seen[dir].td_end = end;
739 ct->proto.tcp.last_end = end;
440f0d58 740 spin_unlock_bh(&ct->lock);
0d53778e
PM		 741 pr_debug("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i "
742 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
743 sender->td_end, sender->td_maxend, sender->td_maxwin,
744 sender->td_scale,
745 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
746 receiver->td_scale);
9fb9cbb1 747}
13b18339 748EXPORT_SYMBOL_GPL(nf_conntrack_tcp_update);
9fb9cbb1
YK		 749#endif
750
751#define TH_FIN 0x01
752#define TH_SYN 0x02
753#define TH_RST 0x04
754#define TH_PUSH 0x08
755#define TH_ACK 0x10
756#define TH_URG 0x20
757#define TH_ECE 0x40
758#define TH_CWR 0x80
759
5c8ce7c9 760/* table of valid flag combinations - PUSH, ECE and CWR are always valid */
82f568fc 761static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
9fb9cbb1
YK		 762{
763 [TH_SYN] = 1,
d3ab4298 764 [TH_SYN|TH_URG] = 1,
d3ab4298 765 [TH_SYN|TH_ACK] = 1,
9fb9cbb1
YK		 766 [TH_RST] = 1,
767 [TH_RST|TH_ACK] = 1,
9fb9cbb1 768 [TH_FIN|TH_ACK] = 1,
5c8ce7c9 769 [TH_FIN|TH_ACK|TH_URG] = 1,
9fb9cbb1 770 [TH_ACK] = 1,
9fb9cbb1 771 [TH_ACK|TH_URG] = 1,
9fb9cbb1
YK		 772};
773
774/* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */
74c51a14
AD		 775static int tcp_error(struct net *net,
776 struct sk_buff *skb,
9fb9cbb1
YK		 777 unsigned int dataoff,
778 enum ip_conntrack_info *ctinfo,
76108cea 779 u_int8_t pf,
96f6bf82 780 unsigned int hooknum)
9fb9cbb1 781{
82f568fc
JE		 782 const struct tcphdr *th;
783 struct tcphdr _tcph;
9fb9cbb1
YK		 784 unsigned int tcplen = skb->len - dataoff;
785 u_int8_t tcpflags;
786
787 /* Smaller that minimal TCP header? */
788 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
789 if (th == NULL) {
c2a2c7e0 790 if (LOG_INVALID(net, IPPROTO_TCP))
9fb9cbb1
YK		 791 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
792 "nf_ct_tcp: short packet ");
793 return -NF_ACCEPT;
601e68e1
YH		 794 }
795
9fb9cbb1
YK		 796 /* Not whole TCP header or malformed packet */
797 if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
c2a2c7e0 798 if (LOG_INVALID(net, IPPROTO_TCP))
9fb9cbb1
YK		 799 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
800 "nf_ct_tcp: truncated/malformed packet ");
801 return -NF_ACCEPT;
802 }
601e68e1 803
9fb9cbb1
YK		 804 /* Checksum invalid? Ignore.
805 * We skip checking packets on the outgoing path
84fa7933 806 * because the checksum is assumed to be correct.
9fb9cbb1
YK		 807 */
808 /* FIXME: Source route IP option packets --RR */
c04d0552 809 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
96f6bf82 810 nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) {
c2a2c7e0 811 if (LOG_INVALID(net, IPPROTO_TCP))
9fb9cbb1
YK		 812 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
813 "nf_ct_tcp: bad TCP checksum ");
814 return -NF_ACCEPT;
815 }
816
817 /* Check TCP flags. */
5c8ce7c9 818 tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR|TH_PUSH));
9fb9cbb1 819 if (!tcp_valid_flags[tcpflags]) {
c2a2c7e0 820 if (LOG_INVALID(net, IPPROTO_TCP))
9fb9cbb1
YK		 821 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
822 "nf_ct_tcp: invalid TCP flag combination ");
823 return -NF_ACCEPT;
824 }
825
826 return NF_ACCEPT;
827}
828
9fb9cbb1 829/* Returns verdict for packet, or -1 for invalid. */
c88130bc 830static int tcp_packet(struct nf_conn *ct,
9fb9cbb1
YK		 831 const struct sk_buff *skb,
832 unsigned int dataoff,
833 enum ip_conntrack_info ctinfo,
76108cea 834 u_int8_t pf,
9fb9cbb1
YK		 835 unsigned int hooknum)
836{
c2a2c7e0 837 struct net *net = nf_ct_net(ct);
0d53778e 838 struct nf_conntrack_tuple *tuple;
9fb9cbb1
YK		 839 enum tcp_conntrack new_state, old_state;
840 enum ip_conntrack_dir dir;
82f568fc
JE		 841 const struct tcphdr *th;
842 struct tcphdr _tcph;
9fb9cbb1
YK		 843 unsigned long timeout;
844 unsigned int index;
845
846 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
847 BUG_ON(th == NULL);
848
440f0d58 849 spin_lock_bh(&ct->lock);
c88130bc 850 old_state = ct->proto.tcp.state;
9fb9cbb1
YK		 851 dir = CTINFO2DIR(ctinfo);
852 index = get_conntrack_index(th);
853 new_state = tcp_conntracks[dir][index][old_state];
c88130bc 854 tuple = &ct->tuplehash[dir].tuple;
9fb9cbb1
YK		 855
856 switch (new_state) {
17311393
JK		 857 case TCP_CONNTRACK_SYN_SENT:
858 if (old_state < TCP_CONNTRACK_TIME_WAIT)
859 break;
b2155e7f
JK		 860 /* RFC 1122: "When a connection is closed actively,
861 * it MUST linger in TIME-WAIT state for a time 2xMSL
862 * (Maximum Segment Lifetime). However, it MAY accept
863 * a new SYN from the remote TCP to reopen the connection
864 * directly from TIME-WAIT state, if..."
865 * We ignore the conditions because we are in the
866 * TIME-WAIT state anyway.
867 *
868 * Handle aborted connections: we and the server
869 * think there is an existing connection but the client
870 * aborts it and starts a new one.
871 */
872 if (((ct->proto.tcp.seen[dir].flags
873 | ct->proto.tcp.seen[!dir].flags)
874 & IP_CT_TCP_FLAG_CLOSE_INIT)
c88130bc
PM		 875 || (ct->proto.tcp.last_dir == dir
876 && ct->proto.tcp.last_index == TCP_RST_SET)) {
bc34b841
JK		 877 /* Attempt to reopen a closed/aborted connection.
878 * Delete this connection and look up again. */
440f0d58 879 spin_unlock_bh(&ct->lock);
2aec609f 880
6b69fe0c
PM		 881 /* Only repeat if we can actually remove the timer.
882 * Destruction may already be in progress in process
883 * context and we must give it a chance to terminate.
884 */
2aec609f 885 if (nf_ct_kill(ct))
6b69fe0c 886 return -NF_REPEAT;
ec8d5409 887 return NF_DROP;
17311393
JK		 888 }
889 /* Fall through */
9fb9cbb1 890 case TCP_CONNTRACK_IGNORE:
73f30602 891 /* Ignored packets:
b2155e7f
JK		 892 *
893 * Our connection entry may be out of sync, so ignore
894 * packets which may signal the real connection between
895 * the client and the server.
73f30602
JK		 896 *
897 * a) SYN in ORIGINAL
898 * b) SYN/ACK in REPLY
601e68e1 899 * c) ACK in reply direction after initial SYN in original.
b2155e7f
JK		 900 *
901 * If the ignored packet is invalid, the receiver will send
902 * a RST we'll catch below.
73f30602 903 */
9fb9cbb1 904 if (index == TCP_SYNACK_SET
c88130bc
PM		 905 && ct->proto.tcp.last_index == TCP_SYN_SET
906 && ct->proto.tcp.last_dir != dir
907 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
b2155e7f 908 /* b) This SYN/ACK acknowledges a SYN that we earlier
9fb9cbb1
YK		 909 * ignored as invalid. This means that the client and
910 * the server are both in sync, while the firewall is
911 * not. We kill this session and block the SYN/ACK so
601e68e1 912 * that the client cannot but retransmit its SYN and
9fb9cbb1
YK		 913 * thus initiate a clean new session.
914 */
440f0d58 915 spin_unlock_bh(&ct->lock);
c2a2c7e0 916 if (LOG_INVALID(net, IPPROTO_TCP))
9fb9cbb1
YK		 917 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
918 "nf_ct_tcp: killing out of sync session ");
51091764 919 nf_ct_kill(ct);
ec8d5409 920 return NF_DROP;
9fb9cbb1 921 }
c88130bc
PM		 922 ct->proto.tcp.last_index = index;
923 ct->proto.tcp.last_dir = dir;
924 ct->proto.tcp.last_seq = ntohl(th->seq);
925 ct->proto.tcp.last_end =
9fb9cbb1
YK		 926 segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
927
440f0d58 928 spin_unlock_bh(&ct->lock);
c2a2c7e0 929 if (LOG_INVALID(net, IPPROTO_TCP))
9fb9cbb1 930 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
b2155e7f 931 "nf_ct_tcp: invalid packet ignored ");
9fb9cbb1
YK		 932 return NF_ACCEPT;
933 case TCP_CONNTRACK_MAX:
934 /* Invalid packet */
0d53778e
PM		 935 pr_debug("nf_ct_tcp: Invalid dir=%i index=%u ostate=%u\n",
936 dir, get_conntrack_index(th), old_state);
440f0d58 937 spin_unlock_bh(&ct->lock);
c2a2c7e0 938 if (LOG_INVALID(net, IPPROTO_TCP))
9fb9cbb1
YK		 939 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
940 "nf_ct_tcp: invalid state ");
941 return -NF_ACCEPT;
9fb9cbb1 942 case TCP_CONNTRACK_CLOSE:
bfcaa502
JK		 943 if (index == TCP_RST_SET
944 && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
945 && before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
946 /* Invalid RST */
334a47f6 947 spin_unlock_bh(&ct->lock);
bfcaa502
JK		 948 if (LOG_INVALID(net, IPPROTO_TCP))
949 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
950 "nf_ct_tcp: invalid RST ");
951 return -NF_ACCEPT;
952 }
9fb9cbb1 953 if (index == TCP_RST_SET
c88130bc
PM		 954 && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
955 && ct->proto.tcp.last_index == TCP_SYN_SET)
956 || (!test_bit(IPS_ASSURED_BIT, &ct->status)
957 && ct->proto.tcp.last_index == TCP_ACK_SET))
958 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
93b1fae4 959 /* RST sent to invalid SYN or ACK we had let through
73f30602
JK		 960 * at a) and c) above:
961 *
962 * a) SYN was in window then
963 * c) we hold a half-open connection.
964 *
965 * Delete our connection entry.
9fb9cbb1 966 * We skip window checking, because packet might ACK
73f30602 967 * segments we ignored. */
9fb9cbb1
YK		 968 goto in_window;
969 }
93b1fae4 970 /* Just fall through */
9fb9cbb1
YK		 971 default:
972 /* Keep compilers happy. */
973 break;
974 }
975
c88130bc 976 if (!tcp_in_window(ct, &ct->proto.tcp, dir, index,
9fb9cbb1 977 skb, dataoff, th, pf)) {
440f0d58 978 spin_unlock_bh(&ct->lock);
9fb9cbb1
YK		 979 return -NF_ACCEPT;
980 }
981 in_window:
982 /* From now on we have got in-window packets */
c88130bc
PM		 983 ct->proto.tcp.last_index = index;
984 ct->proto.tcp.last_dir = dir;
9fb9cbb1 985
0d53778e 986 pr_debug("tcp_conntracks: ");
3c9fba65 987 nf_ct_dump_tuple(tuple);
0d53778e
PM		 988 pr_debug("syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n",
989 (th->syn ? 1 : 0), (th->ack ? 1 : 0),
990 (th->fin ? 1 : 0), (th->rst ? 1 : 0),
991 old_state, new_state);
9fb9cbb1 992
c88130bc 993 ct->proto.tcp.state = new_state;
9fb9cbb1 994 if (old_state != new_state
d0c1fd7a 995 && new_state == TCP_CONNTRACK_FIN_WAIT)
c88130bc 996 ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
ae375044
PM		 997
998 if (ct->proto.tcp.retrans >= nf_ct_tcp_max_retrans &&
999 tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans)
1000 timeout = nf_ct_tcp_timeout_max_retrans;
1001 else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
1002 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
1003 tcp_timeouts[new_state] > nf_ct_tcp_timeout_unacknowledged)
1004 timeout = nf_ct_tcp_timeout_unacknowledged;
1005 else
1006 timeout = tcp_timeouts[new_state];
440f0d58 1007 spin_unlock_bh(&ct->lock);
9fb9cbb1 1008
9fb9cbb1 1009 if (new_state != old_state)
a71996fc 1010 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
9fb9cbb1 1011
c88130bc 1012 if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
9fb9cbb1
YK		 1013 /* If only reply is a RST, we can consider ourselves not to
1014 have an established connection: this is a fairly common
1015 problem case, so we can delete the conntrack
1016 immediately. --RR */
1017 if (th->rst) {
718d4ad9 1018 nf_ct_kill_acct(ct, ctinfo, skb);
9fb9cbb1
YK		 1019 return NF_ACCEPT;
1020 }
c88130bc 1021 } else if (!test_bit(IPS_ASSURED_BIT, &ct->status)
9fb9cbb1
YK		 1022 && (old_state == TCP_CONNTRACK_SYN_RECV
1023 || old_state == TCP_CONNTRACK_ESTABLISHED)
1024 && new_state == TCP_CONNTRACK_ESTABLISHED) {
601e68e1
YH		 1025 /* Set ASSURED if we see see valid ack in ESTABLISHED
1026 after SYN_RECV or a valid answer for a picked up
9fb9cbb1 1027 connection. */
c88130bc 1028 set_bit(IPS_ASSURED_BIT, &ct->status);
a71996fc 1029 nf_conntrack_event_cache(IPCT_STATUS, ct);
9fb9cbb1 1030 }
c88130bc 1031 nf_ct_refresh_acct(ct, ctinfo, skb, timeout);
9fb9cbb1
YK		 1032
1033 return NF_ACCEPT;
1034}
601e68e1 1035
9fb9cbb1 1036/* Called when a new connection for this protocol found. */
09f263cd
JE		 1037static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
1038 unsigned int dataoff)
9fb9cbb1
YK		 1039{
1040 enum tcp_conntrack new_state;
82f568fc
JE		 1041 const struct tcphdr *th;
1042 struct tcphdr _tcph;
1043 const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
1044 const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
9fb9cbb1
YK		 1045
1046 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
1047 BUG_ON(th == NULL);
1048
1049 /* Don't need lock here: this conntrack not in circulation yet */
1050 new_state
1051 = tcp_conntracks[0][get_conntrack_index(th)]
1052 [TCP_CONNTRACK_NONE];
1053
1054 /* Invalid: delete conntrack */
1055 if (new_state >= TCP_CONNTRACK_MAX) {
0d53778e 1056 pr_debug("nf_ct_tcp: invalid new deleting.\n");
09f263cd 1057 return false;
9fb9cbb1
YK		 1058 }
1059
1060 if (new_state == TCP_CONNTRACK_SYN_SENT) {
1061 /* SYN packet */
c88130bc 1062 ct->proto.tcp.seen[0].td_end =
9fb9cbb1
YK		 1063 segment_seq_plus_len(ntohl(th->seq), skb->len,
1064 dataoff, th);
c88130bc
PM		 1065 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1066 if (ct->proto.tcp.seen[0].td_maxwin == 0)
1067 ct->proto.tcp.seen[0].td_maxwin = 1;
1068 ct->proto.tcp.seen[0].td_maxend =
1069 ct->proto.tcp.seen[0].td_end;
1070
1071 tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]);
1072 ct->proto.tcp.seen[1].flags = 0;
9fb9cbb1
YK		 1073 } else if (nf_ct_tcp_loose == 0) {
1074 /* Don't try to pick up connections. */
09f263cd 1075 return false;
9fb9cbb1
YK		 1076 } else {
1077 /*
1078 * We are in the middle of a connection,
1079 * its history is lost for us.
1080 * Let's try to use the data from the packet.
1081 */
c88130bc 1082 ct->proto.tcp.seen[0].td_end =
9fb9cbb1
YK		 1083 segment_seq_plus_len(ntohl(th->seq), skb->len,
1084 dataoff, th);
c88130bc
PM		 1085 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1086 if (ct->proto.tcp.seen[0].td_maxwin == 0)
1087 ct->proto.tcp.seen[0].td_maxwin = 1;
1088 ct->proto.tcp.seen[0].td_maxend =
1089 ct->proto.tcp.seen[0].td_end +
1090 ct->proto.tcp.seen[0].td_maxwin;
1091 ct->proto.tcp.seen[0].td_scale = 0;
9fb9cbb1 1092
a09113c2
PM		 1093 /* We assume SACK and liberal window checking to handle
1094 * window scaling */
c88130bc
PM		 1095 ct->proto.tcp.seen[0].flags =
1096 ct->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM |
1097 IP_CT_TCP_FLAG_BE_LIBERAL;
9fb9cbb1 1098 }
601e68e1 1099
c88130bc
PM		 1100 ct->proto.tcp.seen[1].td_end = 0;
1101 ct->proto.tcp.seen[1].td_maxend = 0;
874ab923 1102 ct->proto.tcp.seen[1].td_maxwin = 0;
c88130bc 1103 ct->proto.tcp.seen[1].td_scale = 0;
9fb9cbb1
YK		 1104
1105 /* tcp_packet will set them */
c88130bc
PM		 1106 ct->proto.tcp.state = TCP_CONNTRACK_NONE;
1107 ct->proto.tcp.last_index = TCP_NONE_SET;
601e68e1 1108
0d53778e
PM		 1109 pr_debug("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
1110 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
1111 sender->td_end, sender->td_maxend, sender->td_maxwin,
1112 sender->td_scale,
1113 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
1114 receiver->td_scale);
09f263cd 1115 return true;
9fb9cbb1 1116}
c1d10adb 1117
e281db5c 1118#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
c1d10adb
PNA		 1119
1120#include <linux/netfilter/nfnetlink.h>
1121#include <linux/netfilter/nfnetlink_conntrack.h>
1122
fdf70832 1123static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
440f0d58 1124 struct nf_conn *ct)
c1d10adb 1125{
df6fb868 1126 struct nlattr *nest_parms;
c8e2078c 1127 struct nf_ct_tcp_flags tmp = {};
601e68e1 1128
440f0d58 1129 spin_lock_bh(&ct->lock);
df6fb868
PM		 1130 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_TCP | NLA_F_NESTED);
1131 if (!nest_parms)
1132 goto nla_put_failure;
1133
77236b6e 1134 NLA_PUT_U8(skb, CTA_PROTOINFO_TCP_STATE, ct->proto.tcp.state);
c8e2078c 1135
77236b6e
PM		 1136 NLA_PUT_U8(skb, CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
1137 ct->proto.tcp.seen[0].td_scale);
c8e2078c 1138
77236b6e
PM		 1139 NLA_PUT_U8(skb, CTA_PROTOINFO_TCP_WSCALE_REPLY,
1140 ct->proto.tcp.seen[1].td_scale);
c8e2078c
PNA		 1141
1142 tmp.flags = ct->proto.tcp.seen[0].flags;
df6fb868 1143 NLA_PUT(skb, CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
c8e2078c
PNA		 1144 sizeof(struct nf_ct_tcp_flags), &tmp);
1145
1146 tmp.flags = ct->proto.tcp.seen[1].flags;
df6fb868 1147 NLA_PUT(skb, CTA_PROTOINFO_TCP_FLAGS_REPLY,
c8e2078c 1148 sizeof(struct nf_ct_tcp_flags), &tmp);
440f0d58 1149 spin_unlock_bh(&ct->lock);
c1d10adb 1150
df6fb868 1151 nla_nest_end(skb, nest_parms);
c1d10adb
PNA		 1152
1153 return 0;
1154
df6fb868 1155nla_put_failure:
440f0d58 1156 spin_unlock_bh(&ct->lock);
c1d10adb
PNA		 1157 return -1;
1158}
1159
f73e924c
PM		 1160static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {
1161 [CTA_PROTOINFO_TCP_STATE] = { .type = NLA_U8 },
1162 [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 },
1163 [CTA_PROTOINFO_TCP_WSCALE_REPLY] = { .type = NLA_U8 },
1164 [CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = { .len = sizeof(struct nf_ct_tcp_flags) },
1165 [CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) },
c1d10adb
PNA		 1166};
1167
fdf70832 1168static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
c1d10adb 1169{
2f0d2f10 1170 struct nlattr *pattr = cda[CTA_PROTOINFO_TCP];
df6fb868 1171 struct nlattr *tb[CTA_PROTOINFO_TCP_MAX+1];
f73e924c 1172 int err;
c1d10adb
PNA		 1173
1174 /* updates could not contain anything about the private
1175 * protocol info, in that case skip the parsing */
2f0d2f10 1176 if (!pattr)
c1d10adb
PNA		 1177 return 0;
1178
2f0d2f10 1179 err = nla_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, pattr, tcp_nla_policy);
f73e924c
PM		 1180 if (err < 0)
1181 return err;
c1d10adb 1182
5f7da4d2
PM		 1183 if (tb[CTA_PROTOINFO_TCP_STATE] &&
1184 nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)
c1d10adb
PNA		 1185 return -EINVAL;
1186
440f0d58 1187 spin_lock_bh(&ct->lock);
5f7da4d2
PM		 1188 if (tb[CTA_PROTOINFO_TCP_STATE])
1189 ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
c8e2078c 1190
df6fb868 1191 if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) {
c8e2078c 1192 struct nf_ct_tcp_flags *attr =
df6fb868 1193 nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]);
c8e2078c
PNA		 1194 ct->proto.tcp.seen[0].flags &= ~attr->mask;
1195 ct->proto.tcp.seen[0].flags |= attr->flags & attr->mask;
1196 }
1197
df6fb868 1198 if (tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]) {
c8e2078c 1199 struct nf_ct_tcp_flags *attr =
df6fb868 1200 nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]);
c8e2078c
PNA		 1201 ct->proto.tcp.seen[1].flags &= ~attr->mask;
1202 ct->proto.tcp.seen[1].flags |= attr->flags & attr->mask;
1203 }
1204
df6fb868
PM		 1205 if (tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] &&
1206 tb[CTA_PROTOINFO_TCP_WSCALE_REPLY] &&
c8e2078c
PNA		 1207 ct->proto.tcp.seen[0].flags & IP_CT_TCP_FLAG_WINDOW_SCALE &&
1208 ct->proto.tcp.seen[1].flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
77236b6e
PM		 1209 ct->proto.tcp.seen[0].td_scale =
1210 nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL]);
1211 ct->proto.tcp.seen[1].td_scale =
1212 nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_REPLY]);
c8e2078c 1213 }
440f0d58 1214 spin_unlock_bh(&ct->lock);
c1d10adb
PNA		 1215
1216 return 0;
1217}
a400c30e
HE		 1218
1219static int tcp_nlattr_size(void)
1220{
1221 return nla_total_size(0) /* CTA_PROTOINFO_TCP */
1222 + nla_policy_len(tcp_nla_policy, CTA_PROTOINFO_TCP_MAX + 1);
1223}
1224
1225static int tcp_nlattr_tuple_size(void)
1226{
1227 return nla_policy_len(nf_ct_port_nla_policy, CTA_PROTO_MAX + 1);
1228}
c1d10adb 1229#endif
933a41e7
PM		 1230
1231#ifdef CONFIG_SYSCTL
1232static unsigned int tcp_sysctl_table_users;
1233static struct ctl_table_header *tcp_sysctl_header;
1234static struct ctl_table tcp_sysctl_table[] = {
1235 {
933a41e7 1236 .procname = "nf_conntrack_tcp_timeout_syn_sent",
2d646286 1237 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
933a41e7
PM		 1238 .maxlen = sizeof(unsigned int),
1239 .mode = 0644,
6d9f239a 1240 .proc_handler = proc_dointvec_jiffies,
933a41e7
PM		 1241 },
1242 {
933a41e7 1243 .procname = "nf_conntrack_tcp_timeout_syn_recv",
2d646286 1244 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
933a41e7
PM		 1245 .maxlen = sizeof(unsigned int),
1246 .mode = 0644,
6d9f239a 1247 .proc_handler = proc_dointvec_jiffies,
933a41e7
PM		 1248 },
1249 {
933a41e7 1250 .procname = "nf_conntrack_tcp_timeout_established",
2d646286 1251 .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
933a41e7
PM		 1252 .maxlen = sizeof(unsigned int),
1253 .mode = 0644,
6d9f239a 1254 .proc_handler = proc_dointvec_jiffies,
933a41e7
PM		 1255 },
1256 {
933a41e7 1257 .procname = "nf_conntrack_tcp_timeout_fin_wait",
2d646286 1258 .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
933a41e7
PM		 1259 .maxlen = sizeof(unsigned int),
1260 .mode = 0644,
6d9f239a 1261 .proc_handler = proc_dointvec_jiffies,
933a41e7
PM		 1262 },
1263 {
933a41e7 1264 .procname = "nf_conntrack_tcp_timeout_close_wait",
2d646286 1265 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
933a41e7
PM		 1266 .maxlen = sizeof(unsigned int),
1267 .mode = 0644,
6d9f239a 1268 .proc_handler = proc_dointvec_jiffies,
933a41e7
PM		 1269 },
1270 {
933a41e7 1271 .procname = "nf_conntrack_tcp_timeout_last_ack",
2d646286 1272 .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
933a41e7
PM		 1273 .maxlen = sizeof(unsigned int),
1274 .mode = 0644,
6d9f239a 1275 .proc_handler = proc_dointvec_jiffies,
933a41e7
PM		 1276 },
1277 {
933a41e7 1278 .procname = "nf_conntrack_tcp_timeout_time_wait",
2d646286 1279 .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
933a41e7
PM		 1280 .maxlen = sizeof(unsigned int),
1281 .mode = 0644,
6d9f239a 1282 .proc_handler = proc_dointvec_jiffies,
933a41e7
PM		 1283 },
1284 {
933a41e7 1285 .procname = "nf_conntrack_tcp_timeout_close",
2d646286 1286 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE],
933a41e7
PM		 1287 .maxlen = sizeof(unsigned int),
1288 .mode = 0644,
6d9f239a 1289 .proc_handler = proc_dointvec_jiffies,
933a41e7
PM		 1290 },
1291 {
933a41e7
PM		 1292 .procname = "nf_conntrack_tcp_timeout_max_retrans",
1293 .data = &nf_ct_tcp_timeout_max_retrans,
1294 .maxlen = sizeof(unsigned int),
1295 .mode = 0644,
6d9f239a 1296 .proc_handler = proc_dointvec_jiffies,
933a41e7 1297 },
ae375044
PM		 1298 {
1299 .procname = "nf_conntrack_tcp_timeout_unacknowledged",
1300 .data = &nf_ct_tcp_timeout_unacknowledged,
1301 .maxlen = sizeof(unsigned int),
1302 .mode = 0644,
6d9f239a 1303 .proc_handler = proc_dointvec_jiffies,
ae375044 1304 },
933a41e7 1305 {
933a41e7
PM		 1306 .procname = "nf_conntrack_tcp_loose",
1307 .data = &nf_ct_tcp_loose,
1308 .maxlen = sizeof(unsigned int),
1309 .mode = 0644,
6d9f239a 1310 .proc_handler = proc_dointvec,
933a41e7
PM		 1311 },
1312 {
933a41e7
PM		 1313 .procname = "nf_conntrack_tcp_be_liberal",
1314 .data = &nf_ct_tcp_be_liberal,
1315 .maxlen = sizeof(unsigned int),
1316 .mode = 0644,
6d9f239a 1317 .proc_handler = proc_dointvec,
933a41e7
PM		 1318 },
1319 {
933a41e7
PM		 1320 .procname = "nf_conntrack_tcp_max_retrans",
1321 .data = &nf_ct_tcp_max_retrans,
1322 .maxlen = sizeof(unsigned int),
1323 .mode = 0644,
6d9f239a 1324 .proc_handler = proc_dointvec,
933a41e7 1325 },
f8572d8f 1326 { }
933a41e7 1327};
a999e683
PM		 1328
1329#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
1330static struct ctl_table tcp_compat_sysctl_table[] = {
1331 {
a999e683 1332 .procname = "ip_conntrack_tcp_timeout_syn_sent",
2d646286 1333 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
a999e683
PM		 1334 .maxlen = sizeof(unsigned int),
1335 .mode = 0644,
6d9f239a 1336 .proc_handler = proc_dointvec_jiffies,
a999e683 1337 },
874ab923
JK		 1338 {
1339 .procname = "ip_conntrack_tcp_timeout_syn_sent2",
1340 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT2],
1341 .maxlen = sizeof(unsigned int),
1342 .mode = 0644,
1343 .proc_handler = proc_dointvec_jiffies,
1344 },
a999e683 1345 {
a999e683 1346 .procname = "ip_conntrack_tcp_timeout_syn_recv",
2d646286 1347 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
a999e683
PM		 1348 .maxlen = sizeof(unsigned int),
1349 .mode = 0644,
6d9f239a 1350 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 1351 },
1352 {
a999e683 1353 .procname = "ip_conntrack_tcp_timeout_established",
2d646286 1354 .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
a999e683
PM		 1355 .maxlen = sizeof(unsigned int),
1356 .mode = 0644,
6d9f239a 1357 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 1358 },
1359 {
a999e683 1360 .procname = "ip_conntrack_tcp_timeout_fin_wait",
2d646286 1361 .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
a999e683
PM		 1362 .maxlen = sizeof(unsigned int),
1363 .mode = 0644,
6d9f239a 1364 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 1365 },
1366 {
a999e683 1367 .procname = "ip_conntrack_tcp_timeout_close_wait",
2d646286 1368 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
a999e683
PM		 1369 .maxlen = sizeof(unsigned int),
1370 .mode = 0644,
6d9f239a 1371 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 1372 },
1373 {
a999e683 1374 .procname = "ip_conntrack_tcp_timeout_last_ack",
2d646286 1375 .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
a999e683
PM		 1376 .maxlen = sizeof(unsigned int),
1377 .mode = 0644,
6d9f239a 1378 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 1379 },
1380 {
a999e683 1381 .procname = "ip_conntrack_tcp_timeout_time_wait",
2d646286 1382 .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
a999e683
PM		 1383 .maxlen = sizeof(unsigned int),
1384 .mode = 0644,
6d9f239a 1385 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 1386 },
1387 {
a999e683 1388 .procname = "ip_conntrack_tcp_timeout_close",
2d646286 1389 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE],
a999e683
PM		 1390 .maxlen = sizeof(unsigned int),
1391 .mode = 0644,
6d9f239a 1392 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 1393 },
1394 {
a999e683
PM		 1395 .procname = "ip_conntrack_tcp_timeout_max_retrans",
1396 .data = &nf_ct_tcp_timeout_max_retrans,
1397 .maxlen = sizeof(unsigned int),
1398 .mode = 0644,
6d9f239a 1399 .proc_handler = proc_dointvec_jiffies,
a999e683
PM		 1400 },
1401 {
a999e683
PM		 1402 .procname = "ip_conntrack_tcp_loose",
1403 .data = &nf_ct_tcp_loose,
1404 .maxlen = sizeof(unsigned int),
1405 .mode = 0644,
6d9f239a 1406 .proc_handler = proc_dointvec,
a999e683
PM		 1407 },
1408 {
a999e683
PM		 1409 .procname = "ip_conntrack_tcp_be_liberal",
1410 .data = &nf_ct_tcp_be_liberal,
1411 .maxlen = sizeof(unsigned int),
1412 .mode = 0644,
6d9f239a 1413 .proc_handler = proc_dointvec,
a999e683
PM		 1414 },
1415 {
a999e683
PM		 1416 .procname = "ip_conntrack_tcp_max_retrans",
1417 .data = &nf_ct_tcp_max_retrans,
1418 .maxlen = sizeof(unsigned int),
1419 .mode = 0644,
6d9f239a 1420 .proc_handler = proc_dointvec,
a999e683 1421 },
f8572d8f 1422 { }
a999e683
PM		 1423};
1424#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
933a41e7
PM		 1425#endif /* CONFIG_SYSCTL */
1426
61075af5 1427struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
9fb9cbb1
YK		 1428{
1429 .l3proto = PF_INET,
605dcad6 1430 .l4proto = IPPROTO_TCP,
9fb9cbb1
YK		 1431 .name = "tcp",
1432 .pkt_to_tuple = tcp_pkt_to_tuple,
1433 .invert_tuple = tcp_invert_tuple,
1434 .print_tuple = tcp_print_tuple,
1435 .print_conntrack = tcp_print_conntrack,
1436 .packet = tcp_packet,
1437 .new = tcp_new,
96f6bf82 1438 .error = tcp_error,
e281db5c 1439#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
fdf70832 1440 .to_nlattr = tcp_to_nlattr,
a400c30e 1441 .nlattr_size = tcp_nlattr_size,
fdf70832
PM		 1442 .from_nlattr = nlattr_to_tcp,
1443 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
1444 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
a400c30e 1445 .nlattr_tuple_size = tcp_nlattr_tuple_size,
f73e924c 1446 .nla_policy = nf_ct_port_nla_policy,
c1d10adb 1447#endif
933a41e7
PM		 1448#ifdef CONFIG_SYSCTL
1449 .ctl_table_users = &tcp_sysctl_table_users,
1450 .ctl_table_header = &tcp_sysctl_header,
1451 .ctl_table = tcp_sysctl_table,
a999e683
PM		 1452#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
1453 .ctl_compat_table = tcp_compat_sysctl_table,
1454#endif
933a41e7 1455#endif
9fb9cbb1 1456};
13b18339 1457EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
9fb9cbb1 1458
61075af5 1459struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
9fb9cbb1
YK		 1460{
1461 .l3proto = PF_INET6,
605dcad6 1462 .l4proto = IPPROTO_TCP,
9fb9cbb1
YK		 1463 .name = "tcp",
1464 .pkt_to_tuple = tcp_pkt_to_tuple,
1465 .invert_tuple = tcp_invert_tuple,
1466 .print_tuple = tcp_print_tuple,
1467 .print_conntrack = tcp_print_conntrack,
1468 .packet = tcp_packet,
1469 .new = tcp_new,
96f6bf82 1470 .error = tcp_error,
e281db5c 1471#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
fdf70832 1472 .to_nlattr = tcp_to_nlattr,
a400c30e 1473 .nlattr_size = tcp_nlattr_size,
fdf70832
PM		 1474 .from_nlattr = nlattr_to_tcp,
1475 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
1476 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
a400c30e 1477 .nlattr_tuple_size = tcp_nlattr_tuple_size,
f73e924c 1478 .nla_policy = nf_ct_port_nla_policy,
c1d10adb 1479#endif
933a41e7
PM		 1480#ifdef CONFIG_SYSCTL
1481 .ctl_table_users = &tcp_sysctl_table_users,
1482 .ctl_table_header = &tcp_sysctl_header,
1483 .ctl_table = tcp_sysctl_table,
1484#endif
9fb9cbb1 1485};
13b18339 1486EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);
Clone of davem's net-next-2.6 tree