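// Check connection re-use, i.e. peer that receives the SYN answers with
// a challenge-ACK.
// Check that conntrack lets all packets pass, including the challenge ack,
// and that a new connection is established.
//
// Why this matters: the script installs "drop INVALID" rules, a common
// stateful-firewall policy. If conntrack classified the challenge ACK, the
// resulting RST or the retransmitted SYN as INVALID, that policy would
// silently drop them and the port pair could not be re-used until the stale
// state on the peer expired.

// Init command; its contents are not visible from this script.
// $xtables and $NFCT_IP_VERSION used below are expected to be provided by the
// test environment.
`packetdrill/common.sh`

// S  >
//  . <  (challenge-ack)
// R  >
// S  >
// S. <
// Expected outcome: established connection.

// Drop anything conntrack marks INVALID, in both directions. The rule
// counters are read back at the end of the script as the pass/fail signal.
// NOTE(review): the rules are appended with -A and never removed here;
// presumably the harness runs this in a disposable network namespace - confirm.
+0 `$xtables -A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP`
+0 `$xtables -A OUTPUT -p tcp -m conntrack --ctstate INVALID -j DROP`

// Non-blocking socket so connect() returns immediately with EINPROGRESS and
// the script can drive the handshake packet by packet.
+0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0

0.1 connect(3, ..., ...) = -1 EINPROGRESS (Operation now in progress)
0.1 > S 0:0(0) win 65535 <mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 8>

// Challenge ACK, old incarnation.
// The peer answers the SYN with a bare ACK whose sequence/ack numbers are
// unrelated to the new SYN.
0.1 < . 145824453:145824453(0) ack 643160523 win 240 <mss 1460,nop,nop,TS val 1 ecr 1,nop,wscale 0>

// The local stack resets the stale connection; the RST's sequence number is
// the ack number carried by the challenge ACK above.
+0.01 > R 643160523:643160523(0) win 0

// After the challenge ACK and the RST, the conntrack entry must still be the
// unreplied SYN_SENT entry created by the first SYN.
// Assumes the connection under test uses destination port 8080; no port is
// set in this script.
+0.01 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null | grep UNREPLIED | grep -q SYN_SENT`

// Must go through.
+0.01 > S 0:0(0) win 65535 <mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 8>

// correct synack
+0.1 < S. 0:0(0) ack 1 win 250 <mss 1460,nop,nop,TS val 1 ecr 1,nop,wscale 0>

// 3whs completes.
+0.01 > . 1:1(0) ack 1 win 256 <nop,nop,TS val 1 ecr 1>

// The entry must now be a fully tracked connection.
+0 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null | grep ESTABLISHED | grep -q ASSURED`

// No packets should have been marked INVALID
// Each check passes when an INVALID rule in the chain shows zero packet and
// byte counters ("-c 0 0").
// NOTE(review): this assumes the rule added above is the only INVALID rule in
// the chain; another INVALID rule with zero counters would also satisfy the
// grep and could mask drops on ours.
+0 `$xtables -v -S INPUT | grep INVALID | grep -q -- "-c 0 0"`
+0 `$xtables -v -S OUTPUT | grep INVALID | grep -q -- "-c 0 0"`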