// check that out of window resets are marked as INVALID and conntrack remains
// in ESTABLISHED state.
//
// Method: install DROP rules for conntrack-INVALID packets in both directions,
// bring a TCP connection to ESTABLISHED, inject a series of bogus RSTs and
// confirm after each one that the conntrack entry is still ESTABLISHED and
// (at the end) that the INPUT INVALID rule counted exactly those RSTs while the
// OUTPUT INVALID rule counted nothing.  Only the RST with the exact next
// expected sequence number may move the entry to CLOSE.

// packetdrill sources this helper; $xtables and $NFCT_IP_VERSION are presumably
// defined there (not visible in this file).
`packetdrill/common.sh`

// Anything conntrack classifies as INVALID is dropped, and the rule's packet
// counter is what the final checks inspect.  Because of the INPUT rule an RST
// that is (correctly) marked INVALID never reaches the socket, so the
// connection stays usable below.
+0 `$xtables -A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP`
+0 `$xtables -A OUTPUT -p tcp -m conntrack --ctstate INVALID -j DROP`

+0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0

// Non-blocking connect: absolute time 0.1 for the syscall and the SYN it emits.
0.1 connect(3, ..., ...) = -1 EINPROGRESS (Operation now in progress)

0.1 > S 0:0(0) win 65535 <mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 8>

+0.1 < S. 1:1(0) ack 1 win 65535 <mss 1460>

// Handshake completes, then the peer sends 3000 bytes (seq 1..3000), each
// segment acked by the local stack.  After this the peer's next expected
// sequence number is 3001 and ours is 1.
+0 > . 1:1(0) ack 1 win 65535
+0 < . 1:1001(1000) ack 1 win 65535
+0 < . 1001:2001(1000) ack 1 win 65535
+0 < . 2001:3001(1000) ack 1 win 65535

+0 > . 1:1(0) ack 1001 win 65535
+0 > . 1:1(0) ack 2001 win 65535
+0 > . 1:1(0) ack 3001 win 65535

// Queue 1000 bytes of local data; the P. segment carrying them is expected
// further down, after the first three bogus RSTs.
+0 write(3, ..., 1000) = 1000

// out of window (sequence far to the left of the receive window)
+0.0 < R 0:0(0) win 0
+0 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null |grep -q ESTABLISHED`

// out of window (sequence far to the right of the receive window)
+0.0 < R 1000000:1000000(0) win 0
+0 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null |grep -q ESTABLISHED`

// in-window but not exact match
// seq 42 lies inside the window but is not the next expected sequence (3001);
// conntrack must still treat this RST as INVALID, not as a connection teardown.
+0.0 < R 42:42(0) win 0
+0 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null |grep -q ESTABLISHED`

// The data written above goes out normally: shows the local stack never saw
// the three RSTs (they were dropped by the INPUT rule), and that this outbound
// segment is not itself classified INVALID (checked via the OUTPUT counter below).
+0.0 > P. 1:1001(1000) ack 3001 win 65535

// The socket is still connected and readable after the bogus RSTs.
+0.1 read(3, ..., 1000) = 1000
+0 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null |grep -q ESTABLISHED`

// Peer acknowledges our 1000 bytes; our next expected ack is now 1001.
+0 < . 3001:3001(0) ack 1001 win 65535

// Correct ack but sequence one short of the next expected (3000 vs 3001):
// fourth RST that must be marked INVALID.
+0.0 < R. 3000:3000(0) ack 1001 win 0
+0 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null |grep -q ESTABLISHED`

// exact next sequence
+0.0 < R. 3001:3001(0) ack 1001 win 0
// Conntrack should move to CLOSE

// Expect four invalid RSTs
// `-v -S` prints per-rule counters as "-c <pkts> <bytes>"; the trailing space in
// "-c 4 " keeps the match from accepting e.g. "-c 40".  The "--" stops grep
// from reading "-c" as one of its own options.  OUTPUT must have counted
// nothing: no locally generated packet may have been classified INVALID.
+0 `$xtables -v -S INPUT | grep INVALID | grep -q -- "-c 4 "`
+0 `$xtables -v -S OUTPUT | grep INVALID | grep -q -- "-c 0 0"`

// Escaped trailing space: match the CLOSE state only, not CLOSE_WAIT.
+0 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null |grep -q CLOSE\ `