From af5e660d8e19fc2a1f3da12381c6757b87c1e0a1 Mon Sep 17 00:00:00 2001 From: Simon Sundberg Date: Mon, 21 Jun 2021 10:51:20 +0200 Subject: [PATCH] pping: Only match TSecr in ACKs The echoed TCP timestamp (TSecr) is only valid if the ACK flag is set. So make sure to only attempt to match on ACK packets. Signed-off-by: Simon Sundberg --- pping/TODO.md | 2 ++ pping/pping_kern.c | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/pping/TODO.md b/pping/TODO.md index 1f792db..ec416d6 100644 --- a/pping/TODO.md +++ b/pping/TODO.md @@ -6,6 +6,8 @@ - Timestamping pure ACKs may lead to erroneous RTTs (ex. delay between application attempting to send data being recognized as an RTT) + - [x] Skip non-ACKs for ingress + - The echoed TSecr is not valid if the ACK-flag is not set - [ ] Add fallback to SEQ/ACK in case of no timestamp? - Some machines may not use TCP timestamps (either not supported at all, or disabled as in ex. Windows 10) diff --git a/pping/pping_kern.c b/pping/pping_kern.c index 203f506..81441a4 100644 --- a/pping/pping_kern.c +++ b/pping/pping_kern.c @@ -153,6 +153,10 @@ static int parse_tcp_identifier(struct parsing_context *ctx, __be16 *sport, !tcph->syn) return -1; + // Do not match on non-ACKs (TSecr not valid) + if (!ctx->is_egress && !tcph->ack) + return -1; + // Check if connection is opening/closing if (tcph->syn) { fei->event = FLOW_EVENT_OPENING;
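Review bot: The new `if (!ctx->is_egress && !tcph->ack) return -1;` in parse_tcp_identifier sits ahead of the `if (tcph->syn)` opening/closing classification, so an ingress segment without ACK never reaches it. That covers not only the initial SYN but also a bare RST, which legitimately carries no ACK flag when it answers a segment that had one. If the code after the hunk relies on ingress FIN/RST to mark a flow as closing, which cannot be seen from here, those flows would stay in the state map until some other cleanup removes them, and a peer could hold entries open that way. Consider skipping only the TSecr match for non-ACKs while still classifying the event, or state the intent in the comment, e.g. `// Ingress non-ACK (initial SYN, bare RST): TSecr not valid, flow event deliberately not reported`. The function body starts and ends outside the hunk.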