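Lines matching references to `ct`

Each entry gives the source line number, the matching line, and the enclosing function. The listing is non-contiguous: lines that do not mention `ct` are omitted, so multi-line statements, conditions and lock/unlock pairs can appear incomplete here and should be read against the full source file.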

260 static void tcp_print_conntrack(struct seq_file *s, struct nf_conn *ct)  in tcp_print_conntrack()  argument
262 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) in tcp_print_conntrack()
265 seq_printf(s, "%s ", tcp_conntrack_names[ct->proto.tcp.state]); in tcp_print_conntrack()
449 static bool tcp_in_window(const struct nf_conn *ct, in tcp_in_window() argument
457 struct net *net = nf_ct_net(ct); in tcp_in_window()
461 const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple; in tcp_in_window()
480 receiver_offset = nf_ct_seq_offset(ct, !dir, ack - 1); in tcp_in_window()
673 nf_ct_l4proto_log_invalid(skb, ct, in tcp_in_window()
736 if (state->net->ct.sysctl_checksum && in tcp_error()
753 static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb, in tcp_new() argument
758 struct net *net = nf_ct_net(ct); in tcp_new()
760 const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0]; in tcp_new()
761 const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1]; in tcp_new()
773 memset(&ct->proto.tcp, 0, sizeof(ct->proto.tcp)); in tcp_new()
775 ct->proto.tcp.seen[0].td_end = in tcp_new()
778 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window); in tcp_new()
779 if (ct->proto.tcp.seen[0].td_maxwin == 0) in tcp_new()
780 ct->proto.tcp.seen[0].td_maxwin = 1; in tcp_new()
781 ct->proto.tcp.seen[0].td_maxend = in tcp_new()
782 ct->proto.tcp.seen[0].td_end; in tcp_new()
784 tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]); in tcp_new()
789 memset(&ct->proto.tcp, 0, sizeof(ct->proto.tcp)); in tcp_new()
795 ct->proto.tcp.seen[0].td_end = in tcp_new()
798 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window); in tcp_new()
799 if (ct->proto.tcp.seen[0].td_maxwin == 0) in tcp_new()
800 ct->proto.tcp.seen[0].td_maxwin = 1; in tcp_new()
801 ct->proto.tcp.seen[0].td_maxend = in tcp_new()
802 ct->proto.tcp.seen[0].td_end + in tcp_new()
803 ct->proto.tcp.seen[0].td_maxwin; in tcp_new()
807 ct->proto.tcp.seen[0].flags = in tcp_new()
808 ct->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | in tcp_new()
813 ct->proto.tcp.last_index = TCP_NONE_SET; in tcp_new()
826 int nf_conntrack_tcp_packet(struct nf_conn *ct, in nf_conntrack_tcp_packet() argument
832 struct net *net = nf_ct_net(ct); in nf_conntrack_tcp_packet()
849 if (!nf_ct_is_confirmed(ct) && !tcp_new(ct, skb, dataoff, th)) in nf_conntrack_tcp_packet()
852 spin_lock_bh(&ct->lock); in nf_conntrack_tcp_packet()
853 old_state = ct->proto.tcp.state; in nf_conntrack_tcp_packet()
857 tuple = &ct->tuplehash[dir].tuple; in nf_conntrack_tcp_packet()
875 if (((ct->proto.tcp.seen[dir].flags in nf_conntrack_tcp_packet()
876 | ct->proto.tcp.seen[!dir].flags) in nf_conntrack_tcp_packet()
878 || (ct->proto.tcp.last_dir == dir in nf_conntrack_tcp_packet()
879 && ct->proto.tcp.last_index == TCP_RST_SET)) { in nf_conntrack_tcp_packet()
882 spin_unlock_bh(&ct->lock); in nf_conntrack_tcp_packet()
888 if (nf_ct_kill(ct)) in nf_conntrack_tcp_packet()
908 && ct->proto.tcp.last_index == TCP_SYN_SET in nf_conntrack_tcp_packet()
909 && ct->proto.tcp.last_dir != dir in nf_conntrack_tcp_packet()
910 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) { in nf_conntrack_tcp_packet()
919 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end = in nf_conntrack_tcp_packet()
920 ct->proto.tcp.last_end; in nf_conntrack_tcp_packet()
921 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend = in nf_conntrack_tcp_packet()
922 ct->proto.tcp.last_end; in nf_conntrack_tcp_packet()
923 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin = in nf_conntrack_tcp_packet()
924 ct->proto.tcp.last_win == 0 ? in nf_conntrack_tcp_packet()
925 1 : ct->proto.tcp.last_win; in nf_conntrack_tcp_packet()
926 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale = in nf_conntrack_tcp_packet()
927 ct->proto.tcp.last_wscale; in nf_conntrack_tcp_packet()
928 ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK; in nf_conntrack_tcp_packet()
929 ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags = in nf_conntrack_tcp_packet()
930 ct->proto.tcp.last_flags; in nf_conntrack_tcp_packet()
931 memset(&ct->proto.tcp.seen[dir], 0, in nf_conntrack_tcp_packet()
935 ct->proto.tcp.last_index = index; in nf_conntrack_tcp_packet()
936 ct->proto.tcp.last_dir = dir; in nf_conntrack_tcp_packet()
937 ct->proto.tcp.last_seq = ntohl(th->seq); in nf_conntrack_tcp_packet()
938 ct->proto.tcp.last_end = in nf_conntrack_tcp_packet()
940 ct->proto.tcp.last_win = ntohs(th->window); in nf_conntrack_tcp_packet()
952 ct->proto.tcp.last_flags = in nf_conntrack_tcp_packet()
953 ct->proto.tcp.last_wscale = 0; in nf_conntrack_tcp_packet()
956 ct->proto.tcp.last_flags |= in nf_conntrack_tcp_packet()
958 ct->proto.tcp.last_wscale = seen.td_scale; in nf_conntrack_tcp_packet()
961 ct->proto.tcp.last_flags |= in nf_conntrack_tcp_packet()
969 ct->proto.tcp.last_flags |= in nf_conntrack_tcp_packet()
972 spin_unlock_bh(&ct->lock); in nf_conntrack_tcp_packet()
973 nf_ct_l4proto_log_invalid(skb, ct, in nf_conntrack_tcp_packet()
985 if (nfct_synproxy(ct) && old_state == TCP_CONNTRACK_SYN_SENT && in nf_conntrack_tcp_packet()
987 ct->proto.tcp.last_dir == IP_CT_DIR_ORIGINAL && in nf_conntrack_tcp_packet()
988 ct->proto.tcp.seen[dir].td_end - 1 == ntohl(th->seq)) { in nf_conntrack_tcp_packet()
990 spin_unlock_bh(&ct->lock); in nf_conntrack_tcp_packet()
997 spin_unlock_bh(&ct->lock); in nf_conntrack_tcp_packet()
998 nf_ct_l4proto_log_invalid(skb, ct, "invalid state"); in nf_conntrack_tcp_packet()
1007 ct->proto.tcp.last_dir != dir && in nf_conntrack_tcp_packet()
1008 ct->proto.tcp.last_index == TCP_SYN_SET && in nf_conntrack_tcp_packet()
1009 (ct->proto.tcp.last_flags & IP_CT_EXP_CHALLENGE_ACK)) { in nf_conntrack_tcp_packet()
1011 ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK; in nf_conntrack_tcp_packet()
1012 spin_unlock_bh(&ct->lock); in nf_conntrack_tcp_packet()
1013 nf_ct_l4proto_log_invalid(skb, ct, "challenge-ack ignored"); in nf_conntrack_tcp_packet()
1021 ct->proto.tcp.last_flags |= IP_CT_TCP_SIMULTANEOUS_OPEN; in nf_conntrack_tcp_packet()
1025 ct->proto.tcp.last_flags & IP_CT_TCP_SIMULTANEOUS_OPEN) in nf_conntrack_tcp_packet()
1032 if (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) { in nf_conntrack_tcp_packet()
1035 if (before(seq, ct->proto.tcp.seen[!dir].td_maxack)) { in nf_conntrack_tcp_packet()
1037 spin_unlock_bh(&ct->lock); in nf_conntrack_tcp_packet()
1038 nf_ct_l4proto_log_invalid(skb, ct, "invalid rst"); in nf_conntrack_tcp_packet()
1042 if (!nf_conntrack_tcp_established(ct) || in nf_conntrack_tcp_packet()
1043 seq == ct->proto.tcp.seen[!dir].td_maxack) in nf_conntrack_tcp_packet()
1050 if (ct->proto.tcp.last_index == TCP_ACK_SET && in nf_conntrack_tcp_packet()
1051 ct->proto.tcp.last_dir == dir && in nf_conntrack_tcp_packet()
1052 seq == ct->proto.tcp.last_end) in nf_conntrack_tcp_packet()
1060 if (((test_bit(IPS_SEEN_REPLY_BIT, &ct->status) in nf_conntrack_tcp_packet()
1061 && ct->proto.tcp.last_index == TCP_SYN_SET) in nf_conntrack_tcp_packet()
1062 || (!test_bit(IPS_ASSURED_BIT, &ct->status) in nf_conntrack_tcp_packet()
1063 && ct->proto.tcp.last_index == TCP_ACK_SET)) in nf_conntrack_tcp_packet()
1064 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) { in nf_conntrack_tcp_packet()
1082 if (!tcp_in_window(ct, &ct->proto.tcp, dir, index, in nf_conntrack_tcp_packet()
1084 spin_unlock_bh(&ct->lock); in nf_conntrack_tcp_packet()
1089 ct->proto.tcp.last_index = index; in nf_conntrack_tcp_packet()
1090 ct->proto.tcp.last_dir = dir; in nf_conntrack_tcp_packet()
1099 ct->proto.tcp.state = new_state; in nf_conntrack_tcp_packet()
1102 ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT; in nf_conntrack_tcp_packet()
1104 timeouts = nf_ct_timeout_lookup(ct); in nf_conntrack_tcp_packet()
1108 if (ct->proto.tcp.retrans >= tn->tcp_max_retrans && in nf_conntrack_tcp_packet()
1113 else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) & in nf_conntrack_tcp_packet()
1117 else if (ct->proto.tcp.last_win == 0 && in nf_conntrack_tcp_packet()
1122 spin_unlock_bh(&ct->lock); in nf_conntrack_tcp_packet()
1125 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); in nf_conntrack_tcp_packet()
1127 if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { in nf_conntrack_tcp_packet()
1133 nf_ct_kill_acct(ct, ctinfo, skb); in nf_conntrack_tcp_packet()
1142 } else if (!test_bit(IPS_ASSURED_BIT, &ct->status) in nf_conntrack_tcp_packet()
1149 set_bit(IPS_ASSURED_BIT, &ct->status); in nf_conntrack_tcp_packet()
1150 nf_conntrack_event_cache(IPCT_ASSURED, ct); in nf_conntrack_tcp_packet()
1152 nf_ct_refresh_acct(ct, ctinfo, skb, timeout); in nf_conntrack_tcp_packet()
1157 static bool tcp_can_early_drop(const struct nf_conn *ct) in tcp_can_early_drop() argument
1159 switch (ct->proto.tcp.state) { in tcp_can_early_drop()
1179 struct nf_conn *ct, bool destroy) in tcp_to_nlattr() argument
1184 spin_lock_bh(&ct->lock); in tcp_to_nlattr()
1189 if (nla_put_u8(skb, CTA_PROTOINFO_TCP_STATE, ct->proto.tcp.state)) in tcp_to_nlattr()
1196 ct->proto.tcp.seen[0].td_scale) || in tcp_to_nlattr()
1198 ct->proto.tcp.seen[1].td_scale)) in tcp_to_nlattr()
1201 tmp.flags = ct->proto.tcp.seen[0].flags; in tcp_to_nlattr()
1206 tmp.flags = ct->proto.tcp.seen[1].flags; in tcp_to_nlattr()
1211 spin_unlock_bh(&ct->lock); in tcp_to_nlattr()
1217 spin_unlock_bh(&ct->lock); in tcp_to_nlattr()
1235 static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct) in nlattr_to_tcp() argument
1255 spin_lock_bh(&ct->lock); in nlattr_to_tcp()
1257 ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]); in nlattr_to_tcp()
1262 ct->proto.tcp.seen[0].flags &= ~attr->mask; in nlattr_to_tcp()
1263 ct->proto.tcp.seen[0].flags |= attr->flags & attr->mask; in nlattr_to_tcp()
1269 ct->proto.tcp.seen[1].flags &= ~attr->mask; in nlattr_to_tcp()
1270 ct->proto.tcp.seen[1].flags |= attr->flags & attr->mask; in nlattr_to_tcp()
1275 ct->proto.tcp.seen[0].flags & IP_CT_TCP_FLAG_WINDOW_SCALE && in nlattr_to_tcp()
1276 ct->proto.tcp.seen[1].flags & IP_CT_TCP_FLAG_WINDOW_SCALE) { in nlattr_to_tcp()
1277 ct->proto.tcp.seen[0].td_scale = in nlattr_to_tcp()
1279 ct->proto.tcp.seen[1].td_scale = in nlattr_to_tcp()
1282 spin_unlock_bh(&ct->lock); in nlattr_to_tcp()