[PATCH 2/2 nf] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

Mon, 05 Sep 2016 08:03:41 -0700 

From: Gao Feng <f...@ikuai8.com>

It is valid that the TCP RST packet which does not set ack flag, and bytes
of ack number are zero. For these RST packets, seqadj could not adjust the
ack number.

Signed-off-by: Gao Feng <f...@ikuai8.com>
---
 net/netfilter/nf_conntrack_seqadj.c | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/net/netfilter/nf_conntrack_seqadj.c 
b/net/netfilter/nf_conntrack_seqadj.c
index 7f8d814..65bb4a6 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -182,30 +182,34 @@ int nf_ct_seq_adjust(struct sk_buff *skb,
 
        tcph = (void *)skb->data + protoff;
        spin_lock_bh(&ct->lock);
+
        if (after(ntohl(tcph->seq), this_way->correction_pos))
                seqoff = this_way->offset_after;
        else
                seqoff = this_way->offset_before;
 
-       if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
-                 other_way->correction_pos))
-               ackoff = other_way->offset_after;
-       else
-               ackoff = other_way->offset_before;
-
        newseq = htonl(ntohl(tcph->seq) + seqoff);
-       newack = htonl(ntohl(tcph->ack_seq) - ackoff);
-
        inet_proto_csum_replace4(&tcph->check, skb, tcph->seq, newseq, false);
-       inet_proto_csum_replace4(&tcph->check, skb, tcph->ack_seq, newack,
-                                false);
-
-       pr_debug("Adjusting sequence number from %u->%u, ack from %u->%u\n",
-                ntohl(tcph->seq), ntohl(newseq), ntohl(tcph->ack_seq),
-                ntohl(newack));
 
+       pr_debug("Adjusting sequence number from %u->%u\n",
+                ntohl(tcph->seq), ntohl(newseq));
        tcph->seq = newseq;
-       tcph->ack_seq = newack;
+
+       if (likely(tcph->ack)) {
+               if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
+                         other_way->correction_pos))
+                       ackoff = other_way->offset_after;
+               else
+                       ackoff = other_way->offset_before;
+
+               newack = htonl(ntohl(tcph->ack_seq) - ackoff);
+               inet_proto_csum_replace4(&tcph->check, skb, tcph->ack_seq,
+                                        newack, false);
+
+               pr_debug("Adjusting ack number from %u->%u\n",
+                        ntohl(tcph->ack_seq), ntohl(newack));
+               tcph->ack_seq = newack;
+       }
 
        res = nf_ct_sack_adjust(skb, protoff, tcph, ct, ctinfo);
        spin_unlock_bh(&ct->lock);
-- 
1.9.1

Reply via email to