Commit 5c8ce7c9 authored by Willy Tarreau's avatar Willy Tarreau Committed by David S. Miller

[NETFILTER]: TCP conntrack: factorize out the PUSH flag

The PUSH flag is accepted with every other valid combination.
Let's get it out of the tcp_valid_flags table and reduce the
number of combinations we have to handle. This does not
significantly reduce the table size however (8 bytes).
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 8f5bd990
...@@ -764,27 +764,18 @@ EXPORT_SYMBOL_GPL(nf_conntrack_tcp_update); ...@@ -764,27 +764,18 @@ EXPORT_SYMBOL_GPL(nf_conntrack_tcp_update);
#define TH_ECE 0x40 #define TH_ECE 0x40
#define TH_CWR 0x80 #define TH_CWR 0x80
/* table of valid flag combinations - ECE and CWR are always valid */ /* table of valid flag combinations - PUSH, ECE and CWR are always valid */
static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] = static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
{ {
[TH_SYN] = 1, [TH_SYN] = 1,
[TH_SYN|TH_PUSH] = 1,
[TH_SYN|TH_URG] = 1, [TH_SYN|TH_URG] = 1,
[TH_SYN|TH_PUSH|TH_URG] = 1,
[TH_SYN|TH_ACK] = 1, [TH_SYN|TH_ACK] = 1,
[TH_SYN|TH_ACK|TH_PUSH] = 1,
[TH_RST] = 1, [TH_RST] = 1,
[TH_RST|TH_PUSH] = 1,
[TH_RST|TH_ACK] = 1, [TH_RST|TH_ACK] = 1,
[TH_RST|TH_ACK|TH_PUSH] = 1,
[TH_FIN|TH_ACK] = 1, [TH_FIN|TH_ACK] = 1,
[TH_FIN|TH_ACK|TH_URG] = 1,
[TH_ACK] = 1, [TH_ACK] = 1,
[TH_ACK|TH_PUSH] = 1,
[TH_ACK|TH_URG] = 1, [TH_ACK|TH_URG] = 1,
[TH_ACK|TH_URG|TH_PUSH] = 1,
[TH_FIN|TH_ACK|TH_PUSH] = 1,
[TH_FIN|TH_ACK|TH_URG] = 1,
[TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1,
}; };
/* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */ /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */
...@@ -831,7 +822,7 @@ static int tcp_error(struct sk_buff *skb, ...@@ -831,7 +822,7 @@ static int tcp_error(struct sk_buff *skb,
} }
/* Check TCP flags. */ /* Check TCP flags. */
tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR)); tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR|TH_PUSH));
if (!tcp_valid_flags[tcpflags]) { if (!tcp_valid_flags[tcpflags]) {
if (LOG_INVALID(IPPROTO_TCP)) if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
......
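Review bot: The bounds of the `tcp_valid_flags[tcpflags]` lookup in tcp_error now depend on two separate edits staying in agreement: the array dimension drops TH_PUSH while the mask adds it, and nothing in the code ties the two together. With the usual TCP flag bit values (only TH_ECE and TH_CWR are defined inside the hunk, so this is inferred) the largest masked value still equals the last index. A later change to only one side would turn the lookup into an out-of-bounds read indexed by a byte taken from the packet. Writing the mask positively makes the bound self-evident: `tcpflags = ((u_int8_t *)th)[13] & (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG);`, ideally with the table dimension and this line sharing one named mask. The table is never written in the visible lines, so `static const u8 tcp_valid_flags[...]` would also fit; tcp_error's body starts and ends outside the hunk.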