Changes

906 bytes added, 07:04, 5 December 2016
no edit summary
Line 68: Line 68:  
per-connection iptables rules the "network-lock"/"network-unlock" [[action scripts]] are called so that the user
 
per-connection iptables rules the "network-lock"/"network-unlock" [[action scripts]] are called so that the user
 
could isolate the whole netns from network. Typically this is done by downing the respective veth pair end.
 
could isolate the whole netns from network. Typically this is done by downing the respective veth pair end.
 +
 +
== States ==
 +
=== TCP_SYN_SENT ===
 +
There is only one difference with TCP_ESTABLISHED, we have to restore a socket and disable the repair mode before calling <code>conenct()</code>. The kernel will send a one syn-sent packet with the same initial sequence number and sets the TCP_SYN_SENT state for the socket.
 +
 +
=== Half-closed sockets ===
 +
A socket is half-closed when it sent or received a fin packet. These sockets are in one for these states: TCP_FIN_WAIT1, TCP_FIN_WAIT2, TCP_CLOSING, TCP_LAST_ACL, TCP_CLOSE_WAIT. To restore these states, we restore a socket into the TCP_ESTABLISHED state and then we call shutfown(SHUT_WR), if a socket has sent a fin packet and we send a fake fin packet, if a socket has received it before. For example, if we want to restore the TCP_FIN_WAIT1 state, we have to call shutfown(SHUT_WR) and we can send a fake ack to the fin packet to restore the TCP_FIN_WAIT2 state.
    
== See also ==
 
== See also ==
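Review bot: the identifiers in the added text have typos that will mislead anyone copying them into code: <code>conenct()</code> in the TCP_SYN_SENT paragraph should be <code>connect()</code>, <code>shutfown(SHUT_WR)</code> (twice) should be <code>shutdown(SHUT_WR)</code>, and <code>TCP_LAST_ACL</code> in the state list should be <code>TCP_LAST_ACK</code>. The half-closed sentence also reads ambiguously because the two conditions are run together; split it into two cases, e.g. "if the socket had sent a FIN, call shutdown(SHUT_WR); if it had received a FIN, inject a fake FIN packet", and say explicitly that TCP_CLOSING and TCP_LAST_ACK, both in the list, involve a sent and a received FIN and therefore need both steps, while TCP_CLOSE_WAIT needs only the fake FIN. The worked example currently covers only TCP_FIN_WAIT1 and TCP_FIN_WAIT2, so those additions would make the list self-explanatory.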