conntrack patch
From kadlec@blackhole.kfki.hu Mon Sep 17 10:22:33 2001
Date: Tue, 18 Jul 2000 11:58:37 +0200 (CEST)
From: Jozsef Kadlecsik
To: Multiple recipients of list NETFILTER
Subject: Re: technical tests on netfilter under 2.4.0-test2
On Tue, 18 Jul 2000 bof@oknodo.bof.de wrote:
> > > Doing my echo connection from a blackhole-routed client, I now see
> > > an ESTABLISHED [UNREPLIED] conntrack with a nice short timeout.
> >
> > The problem is that the nice short timeout is due to a bug in my patch
> > and not a feature: I forgot to update the timeout value of the connection
> > entry. :-(
>
> Oops. Well, but it works! :)
>
> Where do you think the current code breaks? I have it on the suspect server
> since yesterday morning. All expected connections seem to work, with proper
> timeouts. Do you have an idea what type of TCP protocol / interaction
> is affected negatively by your 'bug'? Would you advise against production
> use, and prefer the stock test5-pre1 stuff?
The connections now have only 2 minutes to finish the 3-way handshake,
which is too short on delayed lines. The resources are wasted:
- SYN packet arrives -> entry in connection table created,
timer started
- SYN/ACK packet arrives -> entry updated but timer isn't
- ACK is in transit... -> entry deleted
- ...ACK arrives -> new entry created
Sorry for not releasing a fixed patch, but I'm working on implementing
real stateful TCP filtering based on Guido van Rooij's article, and the
fixed 3-way handshake patch is integrated into it. (The code is ready but
I need time to test it.)
> > For nice short timeouts at the SYN SENT/RECEIVED states, the TCP state
> > transition table and timeout values must be revised - and those are
> > complex!
>
> Yup. That's why I repeat this stuff is a bit over my head :)
> Regarding my report from yesterday, something is clearly amiss,
> with the TCP stack seeing the blackholed connection as SYN_RECV, but
> the conntrack saying it's ESTABLISHED. Right?
conntrack is a generic framework. It has no knowledge of the subtleties of
the TCP protocol, like the SYN_RECV state. conntrack knows about - and can
display - only two states: NEW or ESTABLISHED.
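The four-step sequence Jozsef describes (SYN creates the entry and starts the timer, SYN/ACK updates the entry but not the timer, the entry expires while the ACK is in transit, the ACK then creates a fresh entry) can be replayed with a small model of a connection tracker. This is an added example written for this page, not code from the netfilter project or from anyone on the thread. It keeps the mail's two visible states (NEW, ESTABLISHED) and its 2 minute handshake timer; the 5-day established timeout, the addresses and the packet timings are constructed assumptions chosen so that the ACK arrives more than two minutes after the SYN, which is exactly the "delayed line" case the mail is about.

```python
"""Toy model of the conntrack handshake-timeout bug discussed in the mail.

Added example, not netfilter code. The timeout constants, addresses and
packet timings are assumptions chosen to reproduce the failure mode.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

Key = Tuple[str, int, str, int]  # (src, sport, dst, dport)

HANDSHAKE_TIMEOUT = 120          # seconds; the "2 minutes" from the mail
ESTABLISHED_TIMEOUT = 5 * 86400  # assumed long timeout once the handshake completes


@dataclass
class Entry:
    key: Key
    state: str = "NEW"       # the only two states conntrack displays
    replied: bool = False    # set once a packet in the reply direction is seen
    expires: int = 0         # absolute time at which the entry is deleted


class Conntrack:
    """Connection table keyed on the original direction's 4-tuple."""

    def __init__(self, refresh_on_synack: bool) -> None:
        # False models the buggy patch: SYN/ACK updates the entry but not its timer.
        self.refresh_on_synack = refresh_on_synack
        self.table: Dict[Key, Entry] = {}
        self.created = 0  # how many entries this handshake has cost us

    def _expire(self, now: int) -> None:
        """Delete every entry whose timer has run out by 'now'."""
        for key in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[key]

    def packet(self, now: int, src: str, sport: int, dst: str, dport: int) -> Entry:
        self._expire(now)
        key: Key = (src, sport, dst, dport)
        reply_key: Key = (dst, dport, src, sport)

        if key in self.table:                 # original direction
            entry = self.table[key]
            if entry.replied:
                # third packet of the handshake: connection is complete
                entry.expires = now + ESTABLISHED_TIMEOUT
            else:
                entry.expires = now + HANDSHAKE_TIMEOUT   # SYN retransmit
            return entry

        if reply_key in self.table:           # reply direction (the SYN/ACK)
            entry = self.table[reply_key]
            entry.replied = True
            entry.state = "ESTABLISHED"
            if self.refresh_on_synack:
                entry.expires = now + HANDSHAKE_TIMEOUT
            # buggy variant: the timer keeps running from the original SYN
            return entry

        # unknown tuple: new entry, 2 minute timer started
        entry = Entry(key, expires=now + HANDSHAKE_TIMEOUT)
        self.table[key] = entry
        self.created += 1
        return entry


def run_handshake(refresh_on_synack: bool, syn_t: int = 0, synack_t: int = 100,
                  ack_t: int = 130) -> Tuple[int, str, bool]:
    """Replay SYN, SYN/ACK, ACK at the given (constructed) times on a slow link.

    Returns (entries created, state of the entry matched by the final ACK,
    whether that entry had seen the reply direction).
    """
    ct = Conntrack(refresh_on_synack)
    client, server = ("10.0.0.1", 40000), ("192.0.2.10", 7)  # echo, as in the mail
    ct.packet(syn_t, *client, *server)          # SYN
    ct.packet(synack_t, *server, *client)       # SYN/ACK
    final = ct.packet(ack_t, *client, *server)  # ACK
    return ct.created, final.state, final.replied


if __name__ == "__main__":
    print("buggy :", run_handshake(False))  # ACK finds no entry: (2, 'NEW', False)
    print("fixed :", run_handshake(True))   # (1, 'ESTABLISHED', True)
```

With the buggy behaviour the ACK arriving at t=130 finds the entry already gone and conntrack opens a second, unreplied NEW entry for the same connection; with the SYN/ACK refreshing the timer, the same ACK lands on the existing entry and the connection is tracked as one ESTABLISHED flow. Moving the ACK to t=110 makes the buggy tracker behave correctly, which is why the problem only shows up on slow or lossy paths.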