summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat44-ed/nat44_ed.h
diff options
context:
space:
mode:
authorOle Troan <ot@cisco.com>2022-03-17 11:58:38 +0100
committerOle Tr�an <otroan@employees.org>2022-04-21 10:35:58 +0000
commit5297447bd64ab253ab3ab3e144605dd39f995f12 (patch)
treed351435893287349ebb9ca5736a627ff53cc28f9 /src/plugins/nat/nat44-ed/nat44_ed.h
parente0c875551fa0cd49131671be0f521801e06764f8 (diff)
nat: tweak rfc7857 tcp connection tracking
The RFC7857 state machine introduced in 56c492a is a trade-off. It tries to retain sessions as much as possible and also offers some protection against spurious RST by re-establishing sessions if data is received after the RST. From experience in the wild, this algorithm is a little too liberal, as it leaves too many spurious established sessions in the session table. E.g. a oberserved pattern is: client server <- FIN, ACK ACK -> ACK -> RST, ACK -> With the current state machine this would leave the session in established state. These proposed changes do: - require 3-way handshake to establish session. (current requires only to see SYNs from both sides) - RST will move session to transitory without recovery if data is sent after - Only a single FIN is needed to move to transitory Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea Signed-off-by: Ole Troan <ot@cisco.com>
Diffstat (limited to 'src/plugins/nat/nat44-ed/nat44_ed.h')
-rw-r--r--src/plugins/nat/nat44-ed/nat44_ed.h18
1 files changed, 4 insertions, 14 deletions
diff --git a/src/plugins/nat/nat44-ed/nat44_ed.h b/src/plugins/nat/nat44-ed/nat44_ed.h
index 05503a475c2..5b5b2ec8cfd 100644
--- a/src/plugins/nat/nat44-ed/nat44_ed.h
+++ b/src/plugins/nat/nat44-ed/nat44_ed.h
@@ -123,14 +123,10 @@ typedef enum
typedef enum
{
- NAT44_ED_TCP_FLAG_NONE = 0,
- NAT44_ED_TCP_FLAG_FIN,
+ NAT44_ED_TCP_FLAG_FIN = 0,
NAT44_ED_TCP_FLAG_SYN,
- NAT44_ED_TCP_FLAG_SYNFIN,
NAT44_ED_TCP_FLAG_RST,
- NAT44_ED_TCP_FLAG_FINRST,
- NAT44_ED_TCP_FLAG_SYNRST,
- NAT44_ED_TCP_FLAG_SYNFINRST,
+ NAT44_ED_TCP_FLAG_ACK,
NAT44_ED_TCP_N_FLAG,
} nat44_ed_tcp_flag_e;
@@ -145,15 +141,8 @@ typedef enum
typedef enum
{
NAT44_ED_TCP_STATE_CLOSED = 0,
- NAT44_ED_TCP_STATE_SYN_I2O,
- NAT44_ED_TCP_STATE_SYN_O2I,
NAT44_ED_TCP_STATE_ESTABLISHED,
- NAT44_ED_TCP_STATE_FIN_I2O,
- NAT44_ED_TCP_STATE_FIN_O2I,
- NAT44_ED_TCP_STATE_RST_TRANS,
- NAT44_ED_TCP_STATE_FIN_TRANS,
- NAT44_ED_TCP_STATE_FIN_REOPEN_SYN_I2O,
- NAT44_ED_TCP_STATE_FIN_REOPEN_SYN_O2I,
+ NAT44_ED_TCP_STATE_CLOSING,
NAT44_ED_TCP_N_STATE,
} nat44_ed_tcp_state_e;
@@ -336,6 +325,7 @@ typedef CLIB_PACKED(struct
u16 ext_host_nat_port;
/* TCP session state */
+ u8 tcp_flags[NAT44_ED_N_DIR];
nat44_ed_tcp_state_e tcp_state;
/* per vrf sessions index */