From: Jozsef Kadlecsik
Date: Mon, 30 Jun 2008 19:41:30 +0000 (-0700)
Subject: netfilter: nf_conntrack_tcp: fixing to check the lower bound of valid ACK
X-Git-Tag: v2.6.26-rc9~84^2~9
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84ebe1cdae56707b9aa1b40ae5aa7d817ba745f5;p=pandora-kernel.git

netfilter: nf_conntrack_tcp: fixing to check the lower bound of valid ACK

Lost connections was reported by Thomas Bätzler (running 2.6.25 kernel) on
the netfilter mailing list (see the thread "Weird nat/conntrack Problem
with PASV FTP upload"). He provided tcpdump recordings which helped to
find a long lingering bug in conntrack.

In TCP connection tracking, checking the lower bound of valid ACK could
lead to mark valid packets as INVALID because:

 - We have got a "higher or equal" inequality, but the test checked
   the "higher" condition only; fixed.
 - If the packet contains a SACK option, it could occur that the ACK
   value was before the left edge of our (S)ACK "window": if a previous
   packet from the other party intersected the right edge of the window
   of the receiver, we could move forward the window parameters beyond
   accepting a valid ack. Therefore in this patch we check the rightmost
   SACK edge instead of the ACK value in the lower bound of valid (S)ACK
   test.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
---

Reading git-diff-tree failed
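The diff itself is not available on this page, so the following is an added, simplified model of the two lower-bound conditions the commit message describes; it is not the kernel's code. The function names, the `ACK_WINDOW` value and the sample sequence numbers are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed size of the tracker's maximum (S)ACK window; illustrative value. */
#define ACK_WINDOW 66000u

struct sack_block { uint32_t left, right; };

/* Constructed sample: one SACK block carried next to a stale cumulative ACK. */
static const struct sack_block SAMPLE_SACK[] = { { 940000u, 950000u } };

/* True if a is later than b in 32-bit sequence space (wraparound-safe). */
static bool seq_after(uint32_t a, uint32_t b)
{
    return (int32_t)(b - a) < 0;
}

/* Rightmost SACK edge, or the ACK itself when no block lies beyond it. */
static uint32_t rightmost_sack(uint32_t ack, const struct sack_block *b, int n)
{
    uint32_t edge = ack;
    for (int i = 0; i < n; i++)
        if (seq_after(b[i].right, edge))
            edge = b[i].right;
    return edge;
}

/* Old test as described: strict "higher", applied to the ACK value. */
static bool lower_bound_old(uint32_t ack, uint32_t peer_end)
{
    return seq_after(ack, peer_end - ACK_WINDOW);
}

/* Fixed test as described: "higher or equal", applied to the SACK edge. */
static bool lower_bound_new(uint32_t ack, const struct sack_block *b, int n,
                            uint32_t peer_end)
{
    return seq_after(rightmost_sack(ack, b, n), peer_end - ACK_WINDOW - 1);
}

int main(void)
{
    uint32_t end = 1000000u;   /* constructed: highest byte seen from the peer */
    printf("ack on the edge:  old=%d new=%d\n",
           lower_bound_old(934000u, end), lower_bound_new(934000u, NULL, 0, end));
    printf("stale ack + SACK: old=%d new=%d\n",
           lower_bound_old(900000u, end), lower_bound_new(900000u, SAMPLE_SACK, 1, end));
    return 0;
}
```

Both sample packets fail the old test and pass the new one, while an ACK one byte below the edge with no SACK block is still rejected.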