From: Marcelo Leitner <mleitner@redhat.com>
Date: Mon, 13 Oct 2014 16:09:28 +0000 (-0300)
Subject: netfilter: nf_conntrack: allow server to become a client in TW handling
X-Git-Tag: omap-for-v3.19/fixes-not-urgent-part1~25^2~34^2~7
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e37ad9fd636071e45368d1d9cc3b7b421281ce7f;p=pandora-kernel.git

netfilter: nf_conntrack: allow server to become a client in TW handling

When a port that was used to listen for inbound connections gets closed
and reused for outgoing connections (like rsh ends up doing for stderr
flow), current we may reject the SYN/ACK packet for the new connection
because tcp_conntracks states forbirds a port to become a client while
there is still a TIME_WAIT entry in there for it.

As TCP may expire the TIME_WAIT socket in 60s and conntrack's timeout
for it is 120s, there is a ~60s window that the application can end up
opening a port that conntrack will end up blocking.

This patch fixes this by simply allowing such state transition: if we
see a SYN, in TIME_WAIT state, on REPLY direction, move it to sSS. Note
that the rest of the code already handles this situation, more
specificly in tcp_packet(), first switch clause.

Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

Reading git-diff-tree failed