tcp: block connections in both directions

The packet can be retransmited after dumping the tcp connect.  The first
one is that the connection is blocked for only one direction. The second
one is that TCP timers continue work during dumping and they can send
packets. tcp_timestamp is saved for each tcp connections and then it’s
restored. So if a packet is sent after dumping, its timestamps is
saved by another side and this timestamp is sent back in the next packet
as the tsecr parameter. If this packet is received after restoring, it
looks like a packets from the future.

https://bugzilla.openvz.org/show_bug.cgi?id=2676Signed-off-by: Andrew Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

netfilter.c

@@ -67,9 +67,22 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32
 
 static int nf_connection_switch(struct inet_sk_desc *sk, int lock)
 {
-	return nf_connection_switch_raw(sk->sd.family,
+	int ret = 0;
+
+	ret = nf_connection_switch_raw(sk->sd.family,
 			sk->src_addr, sk->src_port,
 			sk->dst_addr, sk->dst_port, lock);
+	if (ret)
+		return -1;
+
+	ret = nf_connection_switch_raw(sk->sd.family,
+			sk->dst_addr, sk->dst_port,
+			sk->src_addr, sk->src_port, lock);
+	if (ret) /* rollback */
+		nf_connection_switch_raw(sk->sd.family,
+			sk->src_addr, sk->src_port,
+			sk->dst_addr, sk->dst_port, !lock);
+	return ret;
 }
 
 int nf_lock_connection(struct inet_sk_desc *sk)
@@ -84,7 +97,18 @@ int nf_unlock_connection(struct inet_sk_desc *sk)
 
 int nf_unlock_connection_info(struct inet_sk_info *si)
 {
-	return nf_connection_switch_raw(si->ie->family,
+	int ret = 0;
+
+	ret |= nf_connection_switch_raw(si->ie->family,
 			si->ie->src_addr, si->ie->src_port,
 			si->ie->dst_addr, si->ie->dst_port, 0);
+	ret |= nf_connection_switch_raw(si->ie->family,
+			si->ie->dst_addr, si->ie->dst_port,
+			si->ie->src_addr, si->ie->src_port, 0);
+	/*
+	 * rollback nothing in case of any error,
+	 * because nobody checks errors of this function
+	 */
+
+	return ret;
 }