From c74864019a45f20f774db9b17062540db778af6f Mon Sep 17 00:00:00 2001
From: r-caamano <robert.caamano@netfoundry.io>
Date: Sat, 20 Jan 2024 20:51:50 +0000
Subject: [PATCH] Fixed issue in outbound tracking for passthrough tcp
 connections where packets with rst set from    server were only accepted if
 connection was already in established state

---
 CHANGELOG.md         |  8 ++++++++
 src/zfw.c            |  2 +-
 src/zfw_tc_ingress.c | 16 +++++++---------
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e38fb60..0fad501 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,14 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+# [0.5.6] - 2024-01-19
+
+###
+
+-- Fixed issue in outbound tracking for passthrough tcp connections where packets with rst set from
+   server were only accepted if connection was already in established state.  Changed to allow rst during
+   tcp handshake which occurs when server refuses a connection.
+
 # [0.5.5] - 2024-01-05
 
 ###
diff --git a/src/zfw.c b/src/zfw.c
index 85a89f8..697dcd6 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -152,7 +152,7 @@ char *tc_interface;
 char *log_file_name;
 char *object_file;
 char *direction_string;
-const char *argp_program_version = "0.5.5";
+const char *argp_program_version = "0.5.6";
 struct ring_buffer *ring_buffer;
 
 __u8 if_list[MAX_IF_LIST_ENTRIES];
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
index f39f7d5..45d5c3b 100644
--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
@@ -905,17 +905,15 @@ int bpf_sk_splice(struct __sk_buff *skb){
                     }
                 }
                 else if(tcph->rst){
-                    if(tstate->est){
-                        del_tcp(tcp_state_key);
-                        tstate = get_tcp(tcp_state_key);
-                        if(!tstate){
-                            if(local_diag->verbose){
-                                event.tracking_code = SERVER_RST_RCVD;
-                                send_event(&event);
-                            }
+                    del_tcp(tcp_state_key);
+                    tstate = get_tcp(tcp_state_key);
+                    if(!tstate){
+                        if(local_diag->verbose){
+                            event.tracking_code = SERVER_RST_RCVD;
+                            send_event(&event);
                         }
-                        return TC_ACT_OK;
                     }
+                    return TC_ACT_OK;
                 }
                 else if(tcph->ack){
                     if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){