author | Ole Troan <ot@cisco.com> | 2022-03-17 11:58:38 +0100 |
---|---|---|
committer | Ole Tr�an <otroan@employees.org> | 2022-04-21 10:35:58 +0000 |
commit | 5297447bd64ab253ab3ab3e144605dd39f995f12 (patch) | |
tree | d351435893287349ebb9ca5736a627ff53cc28f9 /src/plugins/nat/nat44-ed/nat44_ed.h | |
parent | e0c875551fa0cd49131671be0f521801e06764f8 (diff) |
nat: tweak rfc7857 tcp connection tracking
The RFC7857 state machine introduced in 56c492a is a trade-off.
It tries to retain sessions as much as possible and also offers
some protection against spurious RST by re-establishing sessions if data
is received after the RST. From experience in the wild, this algorithm is
a little too liberal, as it leaves too many spurious established sessions
in the session table.
E.g. an observed pattern is:
client server
<- FIN, ACK
ACK ->
ACK ->
RST, ACK ->
With the current state machine this would leave the session in established state.
These proposed changes do:
- require 3-way handshake to establish session.
(current requires only to see SYNs from both sides)
- RST will move session to transitory without recovery if data is sent after
- Only a single FIN is needed to move to transitory
Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea
Signed-off-by: Ole Troan <ot@cisco.com>
Diffstat (limited to 'src/plugins/nat/nat44-ed/nat44_ed.h')
-rw-r--r-- | src/plugins/nat/nat44-ed/nat44_ed.h | 18 |
1 files changed, 4 insertions, 14 deletions
diff --git a/src/plugins/nat/nat44-ed/nat44_ed.h b/src/plugins/nat/nat44-ed/nat44_ed.h
index 05503a475c2..5b5b2ec8cfd 100644
--- a/src/plugins/nat/nat44-ed/nat44_ed.h
+++ b/src/plugins/nat/nat44-ed/nat44_ed.h
@@ -123,14 +123,10 @@ typedef enum
 typedef enum
 {
- NAT44_ED_TCP_FLAG_NONE = 0,
- NAT44_ED_TCP_FLAG_FIN,
+ NAT44_ED_TCP_FLAG_FIN = 0,
  NAT44_ED_TCP_FLAG_SYN,
- NAT44_ED_TCP_FLAG_SYNFIN,
  NAT44_ED_TCP_FLAG_RST,
- NAT44_ED_TCP_FLAG_FINRST,
- NAT44_ED_TCP_FLAG_SYNRST,
- NAT44_ED_TCP_FLAG_SYNFINRST,
+ NAT44_ED_TCP_FLAG_ACK,
  NAT44_ED_TCP_N_FLAG,
 } nat44_ed_tcp_flag_e;
@@ -145,15 +141,8 @@ typedef enum
 typedef enum
 {
  NAT44_ED_TCP_STATE_CLOSED = 0,
- NAT44_ED_TCP_STATE_SYN_I2O,
- NAT44_ED_TCP_STATE_SYN_O2I,
  NAT44_ED_TCP_STATE_ESTABLISHED,
- NAT44_ED_TCP_STATE_FIN_I2O,
- NAT44_ED_TCP_STATE_FIN_O2I,
- NAT44_ED_TCP_STATE_RST_TRANS,
- NAT44_ED_TCP_STATE_FIN_TRANS,
- NAT44_ED_TCP_STATE_FIN_REOPEN_SYN_I2O,
- NAT44_ED_TCP_STATE_FIN_REOPEN_SYN_O2I,
+ NAT44_ED_TCP_STATE_CLOSING,
  NAT44_ED_TCP_N_STATE,
 } nat44_ed_tcp_state_e;
@@ -336,6 +325,7 @@ typedef CLIB_PACKED(struct
  u16 ext_host_nat_port;
  /* TCP session state */
+ u8 tcp_flags[NAT44_ED_N_DIR];
  nat44_ed_tcp_state_e tcp_state;
  /* per vrf sessions index */
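Review bot: Dropping NAT44_ED_TCP_FLAG_NONE and starting the enum at `NAT44_ED_TCP_FLAG_FIN = 0` silently changes the numeric value of every remaining constant (NAT44_ED_TCP_FLAG_SYN, NAT44_ED_TCP_FLAG_RST), and the same applies to the state enum in the second hunk, where NAT44_ED_TCP_STATE_ESTABLISHED moves from 3 to 1. Nothing in the header says whether the flag values are bit positions in the new per-direction `tcp_flags` array or plain ordinals, nor whether the state value is surfaced unchanged through any API or CLI output; if it is, consumers that compared against the old ordinals get a different meaning without any compile-time signal. Suggest a one-line comment on each enum stating the contract, e.g. `/* bit index into the session's tcp_flags[dir]; numeric values are not ABI-stable */` on the flag enum if that is how the node code uses it, and `/* internal connection-tracking state; not part of the API */` on the state enum, adjusted to whatever the node code actually does.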
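Review bot: The new `u8 tcp_flags[NAT44_ED_N_DIR]` in the third hunk is added without a comment saying what it holds, and the fix this commit describes depends on it being reset whenever a session slot is (re)used: if sessions are recycled from a pool and these bytes are not cleared on allocation, stale flags from an earlier session could record SYN/ACK as already seen in both directions and let a new flow reach ESTABLISHED without the 3-way handshake the change is meant to require. That initialization lives outside this hunk and should be confirmed in the session-creation path. Suggest `/* TCP flags seen so far, one entry per direction; must be zeroed on session (re)allocation */` above the field, naming the tracked flags once they are confirmed. The enclosing CLIB_PACKED struct starts and ends outside the hunk; the two extra bytes change the packed session size, which is worth a glance if anything else assumes it.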