authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2005-03-04 01:19:00 +0100
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-03-04 01:19:00 +0100
commit660a8d484a6fd78893061a3eaf3601a550d2b02b (patch)
tree5b1ea08fc85ed015a21d10c8c116fcc27d767f30 /include
parentbfbfc54b1330afe4d10f238a4de96b7f4e65b91d (diff)
[NETFILTER]: Fix multiple problems with TCP window tracking
The first attached patch addresses several problems in the current TCP connection tracking in the 2.6 tree. Some of the problems were reported, others were discovered by nfsim tests: - tcp_sack function was not safe against nonlinear skbs - practically arbitrary RST segments (addresses, ports assumed to be known) could cause connection teardown in conntrack (thanks to Tim Burress for the bugreport and patch) - article on which the code was based falsely assumed that packets must fit completely into the window: packets must at least overlap (thanks to Phil Oester for the bugreport and patch) - state table slightly changed to handle ACK packets sent by server to late resent SYNs - tracking reopening connections reworked - cosmetic change: when window tracking is ignored by setting ip_conntrack_tcp_be_liberal to nonzero, it's ignored completely from now on Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_tcp.h5
1 files changed, 4 insertions, 1 deletions
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
index 76c2a19700dc..16da044d97a7 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
@@ -23,13 +23,16 @@ enum tcp_conntrack {
/* SACK is permitted by the sender */
#define IP_CT_TCP_FLAG_SACK_PERM 0x02
+/* This sender sent FIN first */
+#define IP_CT_TCP_FLAG_CLOSE_INIT 0x03
+
struct ip_ct_tcp_state {
u_int32_t td_end; /* max of seq + len */
u_int32_t td_maxend; /* max of ack + max(win, 1) */
u_int32_t td_maxwin; /* max(win) */
u_int8_t td_scale; /* window scale factor */
u_int8_t loose; /* used when connection picked up from the middle */
- u_int8_t flags; /* per direction state flags */
+ u_int8_t flags; /* per direction options */
};
struct ip_ct_tcp
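Review bot: `IP_CT_TCP_FLAG_CLOSE_INIT` is defined as `0x03`, which is not a distinct bit: it equals `IP_CT_TCP_FLAG_SACK_PERM` (0x02) OR-ed with the 0x01 flag that presumably sits just above this hunk. If `flags` is tested with `&`, as is usual for such masks (the users are outside this include-only diff), a sender that negotiated SACK would read as having sent FIN first, and setting the new flag would also turn on SACK_PERM, so the tracker's close and reopen decisions could be made on wrong per-direction state. The define should take a free bit, `#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04`. The reworded comment on `flags` also fits less well now that the field carries close state; something like `/* per direction options and state flags */` would describe both uses.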