Merge pull request #101 from netfoundry/v0.9.19-release-candidate

r-caamano · web-flow · commit 2039cb5ad606 · 2025-06-02T19:22:35.000-04:00
Fixed masqerade GC issue with long lived high bw sessions, tcp sessio…
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file. The format
 ---
 ###
 
+# [0.9.19] - 2025-6-1
+###
+
+- Fixed issue where in masquerade mode if sending at a high rate user space could not keep up with timestamps.
+- Additions to tcp tracking to work with varying tcp stack FIN acknowledgement handling.
+
+###
+
 # [0.9.18] - 2025-5-28
 ###
 
diff --git a/src/zfw.c b/src/zfw.c
@@ -278,7 +278,7 @@ char *direction_string;
 char *masq_interface;
 char check_alt[IF_NAMESIZE];
 
-const char *argp_program_version = "0.9.18";
+const char *argp_program_version = "0.9.19";
 struct ring_buffer *ring_buffer;
 
 __u32 if_list[MAX_IF_LIST_ENTRIES];
diff --git a/src/zfw_monitor.c b/src/zfw_monitor.c
@@ -93,7 +93,7 @@ char check_alt[IF_NAMESIZE];
 char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
 const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
 const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
-const char *argp_program_version = "0.9.18";
+const char *argp_program_version = "0.9.19";
 union bpf_attr rb_map;
 int rb_fd = -1;
 
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
@@ -2415,7 +2415,8 @@ int bpf_sk_splice(struct __sk_buff *skb){
                         return TC_ACT_OK;
                     }
                     else if(tcph->ack){
-                        if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
+                        if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->cfack) && 
+                        ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){
                             if(local_diag->masquerade){
                                 struct masq_reverse_key rk = {0};
                                 rk.dport = tcp_state_key.dport;
@@ -2459,13 +2460,18 @@ int bpf_sk_splice(struct __sk_buff *skb){
                             }
                             return TC_ACT_OK;
                         }
-                        else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
+                        else if((tstate->est) && (tstate->cfin == 1) && 
+                        ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){
                             tstate->sfack = 1;
-                            tstate->tstamp = tstamp;
+                            if(tstamp >= tstate->tstamp + 250000000){
+                                tstate->tstamp = tstamp;
+                            }
                             return TC_ACT_OK;
                         }
                         else if(tstate->est){
-                            tstate->tstamp = tstamp;
+                            if(tstamp >= tstate->tstamp + 250000000){
+                                tstate->tstamp = tstamp;
+                            }
                             return TC_ACT_OK;
                         }
                     }
@@ -2672,7 +2678,9 @@ int bpf_sk_splice(struct __sk_buff *skb){
                         }
                     }
                     else{
-                        ustate->tstamp = tstamp;
+                        if(tstamp >= ustate->tstamp + 250000000){
+                            ustate->tstamp = tstamp;
+                        }
                         if(local_diag->verbose){
                             event.tracking_code = UDP_MATCHED_ACTIVE_STATE;
                             send_event(&event);
@@ -2903,7 +2911,8 @@ int bpf_sk_splice(struct __sk_buff *skb){
                         return TC_ACT_OK;
                     }
                     else if(tcph->ack){
-                        if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
+                        if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->cfack) && 
+                        ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){
                             del_tcp(tcp_state_key);
                             tstate = get_tcp(tcp_state_key);
                             if(!tstate){
@@ -2914,13 +2923,18 @@ int bpf_sk_splice(struct __sk_buff *skb){
                             }
 
                         }
-                        else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
+                        else if((tstate->est) && (tstate->cfin == 1) && 
+                          ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){
                             tstate->sfack = 1;
-                            tstate->tstamp = tstamp;
+                            if(tstamp >= tstate->tstamp + 250000000){
+                                tstate->tstamp = tstamp;
+                            }
                             return TC_ACT_OK;
                         }
                         else if(tstate->est){
-                            tstate->tstamp = tstamp;
+                            if(tstamp >= tstate->tstamp + 250000000){
+                                tstate->tstamp = tstamp;
+                            }
                             return TC_ACT_OK;
                         }
                     }
@@ -3037,7 +3051,9 @@ int bpf_sk_splice(struct __sk_buff *skb){
                             event.tracking_code = UDP_MATCHED_ACTIVE_STATE;
                             send_event(&event);
                         }
-                        ustate->tstamp = tstamp;
+                        if(tstamp >= ustate->tstamp + 250000000){
+                            ustate->tstamp = tstamp;
+                        }
                         return TC_ACT_OK;
                     }
                 }
@@ -4052,7 +4068,9 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                 }
             }
             else if(ustate){
-                ustate->tstamp = tstamp;
+                if(tstamp >= ustate->tstamp + 250000000){
+                    ustate->tstamp = tstamp;
+                }
             }
             return TC_ACT_OK;
         }
@@ -4127,7 +4145,8 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                         tstate->syn = 0;
                         tstate->est = 1;
                     }
-                    if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){
+                    if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) &&
+                    ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){
                         del_ingress_tcp(tcp_state_key);
                         tstate = get_ingress_tcp(tcp_state_key);
                         if(!tstate){
@@ -4137,12 +4156,17 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                             }
                         }
                     }
-                    else if((tstate->est) && (tstate->sfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){
+                    else if((tstate->est) && (tstate->sfin == 1) &&
+                     ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){
                         tstate->cfack = 1;
-                        tstate->tstamp = tstamp;
+                        if(tstamp >= tstate->tstamp + 250000000){
+                            tstate->tstamp = tstamp;
+                        }
                     }
                     else{
-                        tstate->tstamp = tstamp;
+                        if(tstamp >= tstate->tstamp + 250000000){
+                            tstate->tstamp = tstamp;
+                        }
                     }
                 }
             }
@@ -4194,7 +4218,9 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                 }
             }
             else if(ustate){
-                ustate->tstamp = tstamp;
+                if(tstamp >= ustate->tstamp + 250000000){
+                    ustate->tstamp = tstamp;
+                }
             }
             return TC_ACT_OK;
         }
@@ -4268,7 +4294,8 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                         tstate->syn = 0;
                         tstate->est = 1;
                     }
-                    if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){
+                    if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) &&
+                    ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){
                         del_ingress_tcp(tcp_state_key);
                         tstate = get_ingress_tcp(tcp_state_key);
                         if(!tstate){
@@ -4278,12 +4305,17 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                             }
                         }
                     }
-                    else if((tstate->est) && (tstate->sfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){
+                    else if((tstate->est) && (tstate->sfin == 1) && 
+                    ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){
                         tstate->cfack = 1;
-                        tstate->tstamp = tstamp;
+                       if(tstamp >= tstate->tstamp + 250000000){
+                            tstate->tstamp = tstamp;
+                        }
                     }
                     else{
-                        tstate->tstamp = tstamp;
+                        if(tstamp >= tstate->tstamp + 250000000){
+                            tstate->tstamp = tstamp;
+                        }
                     }
                 }
             }
diff --git a/src/zfw_tc_outbound_track.c b/src/zfw_tc_outbound_track.c
@@ -1297,7 +1297,8 @@ int bpf_sk_splice(struct __sk_buff *skb){
                         return TC_ACT_OK;
                     }
                     else if(tcph->ack){
-                        if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
+                        if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && tstate->cfack &&
+                         ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){
                             del_ingress_tcp(tcp_state_key);
                             tstate = get_ingress_tcp(tcp_state_key);
                             if(!tstate){
@@ -1308,13 +1309,18 @@ int bpf_sk_splice(struct __sk_buff *skb){
                             }
 
                         }
-                        else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
+                        else if((tstate->est) && (tstate->cfin == 1) && 
+                        ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){
                             tstate->sfack = 1;
-                            tstate->tstamp = tstamp;
+                            if(tstamp >= tstate->tstamp + 250000000){
+                                tstate->tstamp = tstamp;
+                            }
                             return TC_ACT_OK;
                         }
                         else if(tstate->est){
-                            tstate->tstamp = tstamp;
+                            if(tstamp >= tstate->tstamp + 250000000){
+                                tstate->tstamp = tstamp;
+                            }
                             return TC_ACT_OK;
                         }
                     }
@@ -1466,7 +1472,9 @@ int bpf_sk_splice(struct __sk_buff *skb){
                         event.tracking_code = INGRESS_UDP_MATCHED_ACTIVE_STATE;
                         send_event(&event);
                     }
-                    ustate->tstamp = tstamp;
+                    if(tstamp >= ustate->tstamp + 250000000){
+                        ustate->tstamp = tstamp;
+                    }
                     return TC_ACT_OK;
                 }
             }
@@ -1601,7 +1609,8 @@ int bpf_sk_splice(struct __sk_buff *skb){
                         return TC_ACT_OK;
                     }
                     else if(tcph->ack){
-                        if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
+                        if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && tstate->cfack &&
+                         ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){
                             del_ingress_tcp(tcp_state_key);
                             tstate = get_ingress_tcp(tcp_state_key);
                             if(!tstate){
@@ -1612,13 +1621,18 @@ int bpf_sk_splice(struct __sk_buff *skb){
                             }
 
                         }
-                        else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
+                        else if((tstate->est) && (tstate->cfin == 1) && 
+                        ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){
                             tstate->sfack = 1;
-                            tstate->tstamp = tstamp;
+                            if(tstamp >= tstate->tstamp + 250000000){
+                                tstate->tstamp = tstamp;
+                            }
                             return TC_ACT_OK;
                         }
                         else if(tstate->est){
-                            tstate->tstamp = tstamp;
+                            if(tstamp >= tstate->tstamp + 250000000){
+                                tstate->tstamp = tstamp;
+                            }
                             return TC_ACT_OK;
                         }
                     }
@@ -1656,7 +1670,9 @@ int bpf_sk_splice(struct __sk_buff *skb){
                         event.tracking_code = INGRESS_UDP_MATCHED_ACTIVE_STATE;
                         send_event(&event);
                     }
-                    ustate->tstamp = tstamp;
+                   if(tstamp >= ustate->tstamp + 250000000){
+                        ustate->tstamp = tstamp;
+                    }
                     return TC_ACT_OK;
                 }
             }
@@ -2887,7 +2903,8 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                         tstate->syn = 0;
                         tstate->est = 1;
                     }
-                    if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){
+                    if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) && 
+                        ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){
                         if(local_diag->masquerade){
                             struct masq_reverse_key rk = {0};
                             rk.dport = tcp_state_key.dport;
@@ -2928,12 +2945,17 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                         }
 
                     }
-                    else if((tstate->est) && (tstate->sfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){
+                    else if((tstate->est) && (tstate->sfin == 1) &&
+                     ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){
                         tstate->cfack = 1;
-                        tstate->tstamp = tstamp;
+                       if(tstamp >= tstate->tstamp + 250000000){
+                            tstate->tstamp = tstamp;
+                        }
                     }
                     else{
-                        tstate->tstamp = tstamp;
+                        if(tstamp >= tstate->tstamp + 250000000){
+                            tstate->tstamp = tstamp;
+                        }
                     }
                 }
             }
@@ -3114,7 +3136,9 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                     }
                 }
                 else if(ustate){
-                    ustate->tstamp = tstamp;
+                    if(tstamp >= ustate->tstamp + 250000000){
+                        ustate->tstamp = tstamp;
+                    }
                 }
             }
         }
@@ -3263,7 +3287,8 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                         tstate->syn = 0;
                         tstate->est = 1;
                     }
-                    if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){
+                    if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) && 
+                        ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){
                         del_tcp(tcp_state_key);
                         tstate = get_tcp(tcp_state_key);
                         if(!tstate){
@@ -3273,12 +3298,17 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                             }
                         }
                     }
-                    else if((tstate->est) && (tstate->sfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){
+                    else if((tstate->est) && (tstate->sfin == 1) &&
+                     ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) || (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){
                         tstate->cfack = 1;
-                        tstate->tstamp = tstamp;
+                        if(tstamp >= tstate->tstamp + 250000000){
+                            tstate->tstamp = tstamp;
+                        }
                     }
                     else{
-                        tstate->tstamp = tstamp;
+                        if(tstamp >= tstate->tstamp + 250000000){
+                            tstate->tstamp = tstamp;
+                        }
                     }
                 }
             }
@@ -3351,7 +3381,9 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                     }
                 }
                 else if(ustate){
-                    ustate->tstamp = tstamp;
+                    if(tstamp >= ustate->tstamp + 250000000){
+                        ustate->tstamp = tstamp;
+                    }
                 }
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -2415,7 +2415,8 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`2415`	`2415`	`return TC_ACT_OK;`
`2416`	`2416`	`}`
`2417`	`2417`	`else if(tcph->ack){`
`2418`		`- if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){`
	`2418`	`+ if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->cfack) &&`
	`2419`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){`
`2419`	`2420`	`if(local_diag->masquerade){`
`2420`	`2421`	`struct masq_reverse_key rk = {0};`
`2421`	`2422`	`rk.dport = tcp_state_key.dport;`
`@@ -2459,13 +2460,18 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`2459`	`2460`	`}`
`2460`	`2461`	`return TC_ACT_OK;`
`2461`	`2462`	`}`
`2462`		`- else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){`
	`2463`	`+ else if((tstate->est) && (tstate->cfin == 1) &&`
	`2464`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){`
`2463`	`2465`	`tstate->sfack = 1;`
`2464`		`- tstate->tstamp = tstamp;`
	`2466`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`2467`	`+ tstate->tstamp = tstamp;`
	`2468`	`+ }`
`2465`	`2469`	`return TC_ACT_OK;`
`2466`	`2470`	`}`
`2467`	`2471`	`else if(tstate->est){`
`2468`		`- tstate->tstamp = tstamp;`
	`2472`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`2473`	`+ tstate->tstamp = tstamp;`
	`2474`	`+ }`
`2469`	`2475`	`return TC_ACT_OK;`
`2470`	`2476`	`}`
`2471`	`2477`	`}`
`@@ -2672,7 +2678,9 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`2672`	`2678`	`}`
`2673`	`2679`	`}`
`2674`	`2680`	`else{`
`2675`		`- ustate->tstamp = tstamp;`
	`2681`	`+ if(tstamp >= ustate->tstamp + 250000000){`
	`2682`	`+ ustate->tstamp = tstamp;`
	`2683`	`+ }`
`2676`	`2684`	`if(local_diag->verbose){`
`2677`	`2685`	`event.tracking_code = UDP_MATCHED_ACTIVE_STATE;`
`2678`	`2686`	`send_event(&event);`
`@@ -2903,7 +2911,8 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`2903`	`2911`	`return TC_ACT_OK;`
`2904`	`2912`	`}`
`2905`	`2913`	`else if(tcph->ack){`
`2906`		`- if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){`
	`2914`	`+ if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->cfack) &&`
	`2915`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){`
`2907`	`2916`	`del_tcp(tcp_state_key);`
`2908`	`2917`	`tstate = get_tcp(tcp_state_key);`
`2909`	`2918`	`if(!tstate){`
`@@ -2914,13 +2923,18 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`2914`	`2923`	`}`
`2915`	`2924`
`2916`	`2925`	`}`
`2917`		`- else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){`
	`2926`	`+ else if((tstate->est) && (tstate->cfin == 1) &&`
	`2927`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){`
`2918`	`2928`	`tstate->sfack = 1;`
`2919`		`- tstate->tstamp = tstamp;`
	`2929`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`2930`	`+ tstate->tstamp = tstamp;`
	`2931`	`+ }`
`2920`	`2932`	`return TC_ACT_OK;`
`2921`	`2933`	`}`
`2922`	`2934`	`else if(tstate->est){`
`2923`		`- tstate->tstamp = tstamp;`
	`2935`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`2936`	`+ tstate->tstamp = tstamp;`
	`2937`	`+ }`
`2924`	`2938`	`return TC_ACT_OK;`
`2925`	`2939`	`}`
`2926`	`2940`	`}`
`@@ -3037,7 +3051,9 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`3037`	`3051`	`event.tracking_code = UDP_MATCHED_ACTIVE_STATE;`
`3038`	`3052`	`send_event(&event);`
`3039`	`3053`	`}`
`3040`		`- ustate->tstamp = tstamp;`
	`3054`	`+ if(tstamp >= ustate->tstamp + 250000000){`
	`3055`	`+ ustate->tstamp = tstamp;`
	`3056`	`+ }`
`3041`	`3057`	`return TC_ACT_OK;`
`3042`	`3058`	`}`
`3043`	`3059`	`}`
`@@ -4052,7 +4068,9 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`4052`	`4068`	`}`
`4053`	`4069`	`}`
`4054`	`4070`	`else if(ustate){`
`4055`		`- ustate->tstamp = tstamp;`
	`4071`	`+ if(tstamp >= ustate->tstamp + 250000000){`
	`4072`	`+ ustate->tstamp = tstamp;`
	`4073`	`+ }`
`4056`	`4074`	`}`
`4057`	`4075`	`return TC_ACT_OK;`
`4058`	`4076`	`}`
`@@ -4127,7 +4145,8 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`4127`	`4145`	`tstate->syn = 0;`
`4128`	`4146`	`tstate->est = 1;`
`4129`	`4147`	`}`
`4130`		`- if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){`
	`4148`	`+ if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) &&`
	`4149`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){`
`4131`	`4150`	`del_ingress_tcp(tcp_state_key);`
`4132`	`4151`	`tstate = get_ingress_tcp(tcp_state_key);`
`4133`	`4152`	`if(!tstate){`
`@@ -4137,12 +4156,17 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`4137`	`4156`	`}`
`4138`	`4157`	`}`
`4139`	`4158`	`}`
`4140`		`- else if((tstate->est) && (tstate->sfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){`
	`4159`	`+ else if((tstate->est) && (tstate->sfin == 1) &&`
	`4160`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){`
`4141`	`4161`	`tstate->cfack = 1;`
`4142`		`- tstate->tstamp = tstamp;`
	`4162`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`4163`	`+ tstate->tstamp = tstamp;`
	`4164`	`+ }`
`4143`	`4165`	`}`
`4144`	`4166`	`else{`
`4145`		`- tstate->tstamp = tstamp;`
	`4167`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`4168`	`+ tstate->tstamp = tstamp;`
	`4169`	`+ }`
`4146`	`4170`	`}`
`4147`	`4171`	`}`
`4148`	`4172`	`}`
`@@ -4194,7 +4218,9 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`4194`	`4218`	`}`
`4195`	`4219`	`}`
`4196`	`4220`	`else if(ustate){`
`4197`		`- ustate->tstamp = tstamp;`
	`4221`	`+ if(tstamp >= ustate->tstamp + 250000000){`
	`4222`	`+ ustate->tstamp = tstamp;`
	`4223`	`+ }`
`4198`	`4224`	`}`
`4199`	`4225`	`return TC_ACT_OK;`
`4200`	`4226`	`}`
`@@ -4268,7 +4294,8 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`4268`	`4294`	`tstate->syn = 0;`
`4269`	`4295`	`tstate->est = 1;`
`4270`	`4296`	`}`
`4271`		`- if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){`
	`4297`	`+ if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) &&`
	`4298`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){`
`4272`	`4299`	`del_ingress_tcp(tcp_state_key);`
`4273`	`4300`	`tstate = get_ingress_tcp(tcp_state_key);`
`4274`	`4301`	`if(!tstate){`
`@@ -4278,12 +4305,17 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`4278`	`4305`	`}`
`4279`	`4306`	`}`
`4280`	`4307`	`}`
`4281`		`- else if((tstate->est) && (tstate->sfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){`
	`4308`	`+ else if((tstate->est) && (tstate->sfin == 1) &&`
	`4309`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){`
`4282`	`4310`	`tstate->cfack = 1;`
`4283`		`- tstate->tstamp = tstamp;`
	`4311`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`4312`	`+ tstate->tstamp = tstamp;`
	`4313`	`+ }`
`4284`	`4314`	`}`
`4285`	`4315`	`else{`
`4286`		`- tstate->tstamp = tstamp;`
	`4316`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`4317`	`+ tstate->tstamp = tstamp;`
	`4318`	`+ }`
`4287`	`4319`	`}`
`4288`	`4320`	`}`
`4289`	`4321`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1297,7 +1297,8 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`1297`	`1297`	`return TC_ACT_OK;`
`1298`	`1298`	`}`
`1299`	`1299`	`else if(tcph->ack){`
`1300`		`- if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){`
	`1300`	`+ if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && tstate->cfack &&`
	`1301`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){`
`1301`	`1302`	`del_ingress_tcp(tcp_state_key);`
`1302`	`1303`	`tstate = get_ingress_tcp(tcp_state_key);`
`1303`	`1304`	`if(!tstate){`
`@@ -1308,13 +1309,18 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`1308`	`1309`	`}`
`1309`	`1310`
`1310`	`1311`	`}`
`1311`		`- else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){`
	`1312`	`+ else if((tstate->est) && (tstate->cfin == 1) &&`
	`1313`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){`
`1312`	`1314`	`tstate->sfack = 1;`
`1313`		`- tstate->tstamp = tstamp;`
	`1315`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`1316`	`+ tstate->tstamp = tstamp;`
	`1317`	`+ }`
`1314`	`1318`	`return TC_ACT_OK;`
`1315`	`1319`	`}`
`1316`	`1320`	`else if(tstate->est){`
`1317`		`- tstate->tstamp = tstamp;`
	`1321`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`1322`	`+ tstate->tstamp = tstamp;`
	`1323`	`+ }`
`1318`	`1324`	`return TC_ACT_OK;`
`1319`	`1325`	`}`
`1320`	`1326`	`}`
`@@ -1466,7 +1472,9 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`1466`	`1472`	`event.tracking_code = INGRESS_UDP_MATCHED_ACTIVE_STATE;`
`1467`	`1473`	`send_event(&event);`
`1468`	`1474`	`}`
`1469`		`- ustate->tstamp = tstamp;`
	`1475`	`+ if(tstamp >= ustate->tstamp + 250000000){`
	`1476`	`+ ustate->tstamp = tstamp;`
	`1477`	`+ }`
`1470`	`1478`	`return TC_ACT_OK;`
`1471`	`1479`	`}`
`1472`	`1480`	`}`
`@@ -1601,7 +1609,8 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`1601`	`1609`	`return TC_ACT_OK;`
`1602`	`1610`	`}`
`1603`	`1611`	`else if(tcph->ack){`
`1604`		`- if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){`
	`1612`	`+ if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && tstate->cfack &&`
	`1613`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){`
`1605`	`1614`	`del_ingress_tcp(tcp_state_key);`
`1606`	`1615`	`tstate = get_ingress_tcp(tcp_state_key);`
`1607`	`1616`	`if(!tstate){`
`@@ -1612,13 +1621,18 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`1612`	`1621`	`}`
`1613`	`1622`
`1614`	`1623`	`}`
`1615`		`- else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){`
	`1624`	`+ else if((tstate->est) && (tstate->cfin == 1) &&`
	`1625`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->cfseq)))){`
`1616`	`1626`	`tstate->sfack = 1;`
`1617`		`- tstate->tstamp = tstamp;`
	`1627`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`1628`	`+ tstate->tstamp = tstamp;`
	`1629`	`+ }`
`1618`	`1630`	`return TC_ACT_OK;`
`1619`	`1631`	`}`
`1620`	`1632`	`else if(tstate->est){`
`1621`		`- tstate->tstamp = tstamp;`
	`1633`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`1634`	`+ tstate->tstamp = tstamp;`
	`1635`	`+ }`
`1622`	`1636`	`return TC_ACT_OK;`
`1623`	`1637`	`}`
`1624`	`1638`	`}`
`@@ -1656,7 +1670,9 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`1656`	`1670`	`event.tracking_code = INGRESS_UDP_MATCHED_ACTIVE_STATE;`
`1657`	`1671`	`send_event(&event);`
`1658`	`1672`	`}`
`1659`		`- ustate->tstamp = tstamp;`
	`1673`	`+ if(tstamp >= ustate->tstamp + 250000000){`
	`1674`	`+ ustate->tstamp = tstamp;`
	`1675`	`+ }`
`1660`	`1676`	`return TC_ACT_OK;`
`1661`	`1677`	`}`
`1662`	`1678`	`}`
`@@ -2887,7 +2903,8 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`2887`	`2903`	`tstate->syn = 0;`
`2888`	`2904`	`tstate->est = 1;`
`2889`	`2905`	`}`
`2890`		`- if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){`
	`2906`	`+ if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) &&`
	`2907`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){`
`2891`	`2908`	`if(local_diag->masquerade){`
`2892`	`2909`	`struct masq_reverse_key rk = {0};`
`2893`	`2910`	`rk.dport = tcp_state_key.dport;`
`@@ -2928,12 +2945,17 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`2928`	`2945`	`}`
`2929`	`2946`
`2930`	`2947`	`}`
`2931`		`- else if((tstate->est) && (tstate->sfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){`
	`2948`	`+ else if((tstate->est) && (tstate->sfin == 1) &&`
	`2949`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){`
`2932`	`2950`	`tstate->cfack = 1;`
`2933`		`- tstate->tstamp = tstamp;`
	`2951`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`2952`	`+ tstate->tstamp = tstamp;`
	`2953`	`+ }`
`2934`	`2954`	`}`
`2935`	`2955`	`else{`
`2936`		`- tstate->tstamp = tstamp;`
	`2956`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`2957`	`+ tstate->tstamp = tstamp;`
	`2958`	`+ }`
`2937`	`2959`	`}`
`2938`	`2960`	`}`
`2939`	`2961`	`}`
`@@ -3114,7 +3136,9 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`3114`	`3136`	`}`
`3115`	`3137`	`}`
`3116`	`3138`	`else if(ustate){`
`3117`		`- ustate->tstamp = tstamp;`
	`3139`	`+ if(tstamp >= ustate->tstamp + 250000000){`
	`3140`	`+ ustate->tstamp = tstamp;`
	`3141`	`+ }`
`3118`	`3142`	`}`
`3119`	`3143`	`}`
`3120`	`3144`	`}`
`@@ -3263,7 +3287,8 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`3263`	`3287`	`tstate->syn = 0;`
`3264`	`3288`	`tstate->est = 1;`
`3265`	`3289`	`}`
`3266`		`- if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){`
	`3290`	`+ if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (tstate->sfack) &&`
	`3291`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){`
`3267`	`3292`	`del_tcp(tcp_state_key);`
`3268`	`3293`	`tstate = get_tcp(tcp_state_key);`
`3269`	`3294`	`if(!tstate){`
`@@ -3273,12 +3298,17 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`3273`	`3298`	`}`
`3274`	`3299`	`}`
`3275`	`3300`	`}`
`3276`		`- else if((tstate->est) && (tstate->sfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1))){`
	`3301`	`+ else if((tstate->est) && (tstate->sfin == 1) &&`
	`3302`	`+ ((bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->sfseq) + 1)) \|\| (bpf_htonl(tcph->ack_seq) == bpf_htonl(tstate->sfseq)))){`
`3277`	`3303`	`tstate->cfack = 1;`
`3278`		`- tstate->tstamp = tstamp;`
	`3304`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`3305`	`+ tstate->tstamp = tstamp;`
	`3306`	`+ }`
`3279`	`3307`	`}`
`3280`	`3308`	`else{`
`3281`		`- tstate->tstamp = tstamp;`
	`3309`	`+ if(tstamp >= tstate->tstamp + 250000000){`
	`3310`	`+ tstate->tstamp = tstamp;`
	`3311`	`+ }`
`3282`	`3312`	`}`
`3283`	`3313`	`}`
`3284`	`3314`	`}`
`@@ -3351,7 +3381,9 @@ int bpf_sk_splice6(struct __sk_buff *skb){`
`3351`	`3381`	`}`
`3352`	`3382`	`}`
`3353`	`3383`	`else if(ustate){`
`3354`		`- ustate->tstamp = tstamp;`
	`3384`	`+ if(tstamp >= ustate->tstamp + 250000000){`
	`3385`	`+ ustate->tstamp = tstamp;`
	`3386`	`+ }`
`3355`	`3387`	`}`
`3356`	`3388`	`}`
`3357`	`3389`	`}`