diff options
| author |   Ole Troan <ot@cisco.com> | 2022-03-17 11:58:38 +0100 |
|---|---|---|
| committer |   Ole Tr�an <otroan@employees.org> | 2022-04-21 10:35:58 +0000 |
| commit | 5297447bd64ab253ab3ab3e144605dd39f995f12 (patch) | |
| tree | d351435893287349ebb9ca5736a627ff53cc28f9 /src/plugins/nat/nat44-ed/nat44_ed_format.c | |
| parent | e0c875551fa0cd49131671be0f521801e06764f8 (diff) | |
nat: tweak rfc7857 tcp connection tracking
The RFC7857 state machine introduced in 56c492a is a trade-off.
It tries to retain sessions as much as possible and also offers
some protection against spurious RST by re-establishing sessions if data
is received after the RST. From experience in the wild, this algorithm is
a little too liberal, as it leaves too many spurious established sessions
in the session table.
E.g. a oberserved pattern is:
client server
<- FIN, ACK
ACK ->
ACK ->
RST, ACK ->
With the current state machine this would leave the session in established state.
These proposed changes do:
- require 3-way handshake to establish session.
(current requires only to see SYNs from both sides)
- RST will move session to transitory without recovery if data is sent after
- Only a single FIN is needed to move to transitory
Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea
Signed-off-by: Ole Troan <ot@cisco.com>
Diffstat (limited to 'src/plugins/nat/nat44-ed/nat44_ed_format.c')
| -rw-r--r-- | src/plugins/nat/nat44-ed/nat44_ed_format.c | 29 |
1 files changed, 3 insertions, 26 deletions
diff --git a/src/plugins/nat/nat44-ed/nat44_ed_format.c b/src/plugins/nat/nat44-ed/nat44_ed_format.c index f643d1c6056..ee3e925e529 100644 --- a/src/plugins/nat/nat44-ed/nat44_ed_format.c +++ b/src/plugins/nat/nat44-ed/nat44_ed_format.c @@ -303,34 +303,11 @@ format_nat44_ed_tcp_state (u8 *s, va_list *args) case NAT44_ED_TCP_STATE_CLOSED: s = format (s, "closed"); break; - case NAT44_ED_TCP_STATE_SYN_I2O: - s = format (s, "SYN seen in in2out direction"); - break; - case NAT44_ED_TCP_STATE_SYN_O2I: - s = format (s, "SYN seen in out2in direction"); - break; case NAT44_ED_TCP_STATE_ESTABLISHED: - s = format (s, "SYN seen in both directions/established"); - break; - case NAT44_ED_TCP_STATE_FIN_I2O: - s = format (s, "FIN seen in in2out direction"); - break; - case NAT44_ED_TCP_STATE_FIN_O2I: - s = format (s, "FIN seen in out2in direction"); - break; - case NAT44_ED_TCP_STATE_RST_TRANS: - s = format (s, "RST seen/transitory timeout"); - break; - case NAT44_ED_TCP_STATE_FIN_TRANS: - s = format (s, "FIN seen in both directions/transitory timeout"); - break; - case NAT44_ED_TCP_STATE_FIN_REOPEN_SYN_O2I: - s = format (s, "FIN seen in both directions/transitory timeout/session " - "reopening in out2in direction"); + s = format (s, "established"); break; - case NAT44_ED_TCP_STATE_FIN_REOPEN_SYN_I2O: - s = format (s, "FIN seen in both directions/transitory timeout/session " - "reopening in in2out direction"); + case NAT44_ED_TCP_STATE_CLOSING: + s = format (s, "closing"); break; case NAT44_ED_TCP_N_STATE: s = format (s, "BUG! unexpected N_STATE! BUG!"); |