carl.huang wrote:
>
> Hi:
>
> I'm reading source code of ipvs0.2.5, and
> I'm puzzling about vs_tcp_states[ ] and vs_tcp_states_dos[ ] in ip_vs_conn.c,
> what does the element in these structures mean?
>
> Carl
Hi Carl,
The vs_tcp_states[] table is the modified state transition table for the
TCP state machine. The vs_tcp_states_dos[] is a yet again modified state
table in case we are under attack and secure_tcp is enabled. It is tighter
but not conforming to the RFC anymore. Let's take an example how you can
read it:
static struct vs_tcp_states_t vs_tcp_states [] = {
/* INPUT */
/* sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI, sSA */
/*syn*/ {{sSR, sES, sES, sSR, sSR, sSR, sSR, sSR, sSR, sSR, sSR }},
/*fin*/ {{sCL, sCW, sSS, sTW, sTW, sTW, sCL, sCW, sLA, sLI, sTW }},
/*ack*/ {{sCL, sES, sSS, sES, sFW, sTW, sCL, sCW, sCL, sLI, sES }},
/*rst*/ {{sCL, sCL, sCL, sSR, sCL, sCL, sCL, sCL, sLA, sLI, sSR }},
The elements 'sXX' mean state XX, so for example, sFW means TCP state
FIN_WAIT, sSR means TCP state SYN_RECV and so on. Now the table describes
the state transition of the TCP state machine from one TCP state to
another one after a state event occurred. For example: Take row 2 starting
with sES and ending with sCL. At the first, commentary row, you see the
incoming TCP flags (syn,fin,ack,rst) which are important for the state
transition. So the rest is easy. Let's say, you're in row 2 and get a fin
so you go from sES to sCW, which should be conforming to RFC and Stevens.
Short illustration:
/* , sES,
/*syn*/ {{ , ,
/*fin*/ {{ , sCW,
It was some months ago last year when Wensong, Julian and I discussed
a security enhancement for the TCP state transition and after some
heavy discussion they implemented it. So the second table vs_tcp_states_dos[]
was born.
I hope this was explanation enough, read the mailing list from somewhere in
the beginning of 2000 about this thread.
Best regards,
Roberto Nibali, ratz
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
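
Added example (not part of the original message or of the ipvs source): a small C program that encodes the four INPUT rows quoted above and looks up transitions the way the reply describes, so that a fin received in sES yields sCW. The enum, array and function names are assumptions made for illustration; only the row order, the column order and the table entries come from the message.

```c
#include <stdio.h>
#include <stddef.h>

/* Current-state indices, in the column order of the quoted header comment. */
enum { sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI, sSA, S_LAST };
/* Event indices, in the row order of the quoted table (names are assumed). */
enum { EV_SYN, EV_FIN, EV_ACK, EV_RST, EV_LAST };

static const char *const state_name[S_LAST] = {
    "sNO", "sES", "sSS", "sSR", "sFW", "sTW", "sCL", "sCW", "sLA", "sLI", "sSA"
};

/* The four INPUT rows as quoted in the message: input_table[event][current]. */
static const int input_table[EV_LAST][S_LAST] = {
/*          sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI, sSA */
/*syn*/ { sSR, sES, sES, sSR, sSR, sSR, sSR, sSR, sSR, sSR, sSR },
/*fin*/ { sCL, sCW, sSS, sTW, sTW, sTW, sCL, sCW, sLA, sLI, sTW },
/*ack*/ { sCL, sES, sSS, sES, sFW, sTW, sCL, sCW, sCL, sLI, sES },
/*rst*/ { sCL, sCL, sCL, sSR, sCL, sCL, sCL, sCL, sLA, sLI, sSR },
};

/* Next state for (event, current state); -1 if either index is out of range. */
int next_state(int event, int cur)
{
    if (event < 0 || event >= EV_LAST || cur < 0 || cur >= S_LAST)
        return -1;
    return input_table[event][cur];
}

/* Apply a sequence of events starting from `start`, printing each step. */
int run_events(int start, const int *events, size_t n)
{
    int s = start;
    for (size_t i = 0; i < n && s >= 0; i++) {
        int nxt = next_state(events[i], s);
        printf("%s -> %s\n", state_name[s], nxt >= 0 ? state_name[nxt] : "invalid");
        s = nxt;
    }
    return s;
}

/* Constructed sample: syn, then ack, then fin on a new connection (sNO). */
int demo_syn_ack_fin(void)
{
    const int seq[] = { EV_SYN, EV_ACK, EV_FIN };
    return run_events(sNO, seq, sizeof seq / sizeof seq[0]);
}

int main(void) { return demo_syn_ack_fin() == sCW ? 0 : 1; }
```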