1// Check connection re-use, i.e. peer that receives the SYN answers with
2// a challenge-ACK.
3// Check that conntrack lets all packets pass, including the challenge ack,
4// and that a new connection is established.
5
6`packetdrill/common.sh`
7
8// S  >
9//  . < (challnge-ack)
10// R. >
11// S  >
12// S. <
13// Expected outcome: established connection.
14
15+0 `$xtables -A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP`
16+0 `$xtables -A OUTPUT -p tcp -m conntrack --ctstate INVALID -j DROP`
17
18+0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
19+0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
20
210.1 connect(3, ..., ...) = -1 EINPROGRESS (Operation now in progress)
220.1 > S 0:0(0) win 65535 <mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 8>
23
24// Challenge ACK, old incarnation.
250.1 < . 145824453:145824453(0) ack 643160523 win 240 <mss 1460,nop,nop,TS val 1 ecr 1,nop,wscale 0>
26
27+0.01 > R 643160523:643160523(0) win 0
28
29+0.01 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null | grep UNREPLIED | grep -q SYN_SENT`
30
31// Must go through.
32+0.01 > S 0:0(0) win 65535 <mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 8>
33
34// correct synack
35+0.1 < S. 0:0(0) ack 1 win 250 <mss 1460,nop,nop,TS val 1 ecr 1,nop,wscale 0>
36
37// 3whs completes.
38+0.01 > . 1:1(0) ack 1 win 256 <nop,nop,TS val 1 ecr 1>
39
40+0 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null | grep ESTABLISHED | grep -q ASSURED`
41
42// No packets should have been marked INVALID
43+0 `$xtables -v -S INPUT  | grep INVALID | grep -q -- "-c 0 0"`
44+0 `$xtables -v -S OUTPUT | grep INVALID | grep -q -- "-c 0 0"`
45