Luca Pesce wrote:
Ok, so if the receiver is using syn cookies, the data in the SYN would be discarded, and that is fine.
Actually I don't know whether the data are discarded or the whole SYN packet is. My feeling is that the receiver should not ACK a discarded segment, so the whole SYN packet should be discarded, maybe rejected with a RST.
But the current implementation of TCPMSS target is dropping the whole SYN packet (if it is carrying any payload), so the receiver is not receiving the SYN.
I think this behaviour is wrong. As a general rule, I think that matches, targets or conntrack should not drop packets implicitly. If a target cannot handle the packet, just leave it unmodified (and possibly log a warning).
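The behaviour argued for in the reply above (a clamp that never drops, and passes on untouched whatever it cannot handle), as an added userspace sketch that is not part of the thread and not the kernel's TCPMSS target code. The names `clamp_mss`, `seg_sum`, `demo` and the two verdicts are hypothetical, the sample SYN is constructed, and the checksum check leaves out the pseudo-header because the clamp does not change it.

```c
#include <stdint.h>
#include <string.h>
#define SWAP16(x) ((uint16_t)((x) << 8 | (x) >> 8))
enum { MSS_UNMODIFIED, MSS_CLAMPED };   /* hypothetical verdicts: no DROP on purpose */

/* One's-complement sum of a TCP segment (pseudo-header left out, see lead-in). */
static uint16_t seg_sum(const uint8_t *p, size_t len)
{
    uint32_t s = 0;
    for (size_t i = 0; i < len; i++) s += (i & 1) ? p[i] : (uint32_t)p[i] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Lower the MSS option of a SYN in place; anything unexpected is passed on untouched. */
static int clamp_mss(uint8_t *seg, size_t len, uint16_t max_mss)
{
    if (len < 20 || !(seg[13] & 0x02)) return MSS_UNMODIFIED;   /* truncated or not a SYN */
    size_t hdr = (size_t)(seg[12] >> 4) * 4;                    /* len > hdr only means payload */
    if (hdr < 20 || hdr > len) return MSS_UNMODIFIED;           /* bad data offset */
    for (size_t i = 20; i < hdr && seg[i] != 0; ) {             /* kind 0 ends the list */
        if (seg[i] == 1) { i++; continue; }                     /* NOP */
        if (i + 1 >= hdr || seg[i + 1] < 2 || i + seg[i + 1] > hdr)
            return MSS_UNMODIFIED;                              /* malformed option */
        if (seg[i] != 2 || seg[i + 1] != 4) { i += seg[i + 1]; continue; }
        uint16_t old = (uint16_t)(seg[i + 2] << 8 | seg[i + 3]), new_ = max_mss;
        if (old <= max_mss) return MSS_UNMODIFIED;              /* already small enough */
        seg[i + 2] = (uint8_t)(max_mss >> 8); seg[i + 3] = (uint8_t)max_mss;
        if (i & 1) { old = SWAP16(old); new_ = SWAP16(new_); }  /* value straddles two words */
        uint32_t s = (uint16_t)~(seg[16] << 8 | seg[17]) + (uint16_t)~old + new_;
        s = (s & 0xffff) + (s >> 16);                           /* RFC 1624: HC' = ~(~HC + ~m + m') */
        s = ~((s & 0xffff) + (s >> 16));
        seg[16] = (uint8_t)(s >> 8); seg[17] = (uint8_t)s;
        return MSS_CLAMPED;
    }
    return MSS_UNMODIFIED;                                      /* no MSS option to clamp */
}

/* Constructed sample: SYN, MSS 1460, 4 payload bytes. Returns the resulting MSS, or -1 on a broken invariant. */
static int demo(uint16_t max_mss)
{
    uint8_t p[28] = { 0xc0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x60,0x02, 0xff,0xff,
                      0,0, 0,0, 0x02,0x04,0x05,0xb4, 'd','a','t','a' };
    uint16_t c = (uint16_t)~seg_sum(p, sizeof p);               /* fill in the checksum */
    p[16] = (uint8_t)(c >> 8); p[17] = (uint8_t)c;
    int v = clamp_mss(p, sizeof p, max_mss), mss = p[22] << 8 | p[23];
    if (seg_sum(p, sizeof p) != 0xffff || memcmp(p + 24, "data", 4)) return -1;
    return (v == MSS_CLAMPED) == (mss != 1460) ? mss : -1;
}
int main(void) { return demo(1400) == 1400 && demo(1500) == 1460 ? 0 : 1; }
```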