Pablo Neira Ayuso wrote:
> Without this patch, if we receive a SYN packet from the client while
> the firewall is out-of-sync, we let it go through. Then, if we see
> the SYN/ACK reply coming from the server, we destroy the conntrack
> entry and drop the packet to trigger a new retransmission. Then,
> the retransmission from the client is used to start a new clean
> session.
>
> This patch improves the current handling. Basically, if we see an
> unexpected SYN packet, we annotate the TCP options. Then, if we
> see the reply SYN/ACK, this means that the firewall was indeed
> out-of-sync. Therefore, we set a clean new session from the existing
> entry based on the annotated values.
>
> This patch adds two new 8-bit fields that fit in a 16-bit gap of
> the ip_ct_tcp structure.
>
> This patch is particularly useful for conntrackd since the
> asynchronous nature of the state-synchronization allows having
> backup nodes that are not perfect copies of the master. This helps
> to improve the recovery under some worst-case scenarios.

This seems like a good idea to me. I'd like to get an ACK from Jozsef
before I apply this though, since he knows this code way better than
I do :)
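A constructed model of the two behaviours the quoted description contrasts (the old "destroy and drop" path versus the patched "annotate, then rebuild in place" path), added here as an example that is not the patch itself or any kernel code; every struct, field and state name is hypothetical and the sample options are made up.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model; names are hypothetical, not the kernel's struct ip_ct_tcp. */
enum ct_state { CT_ESTABLISHED, CT_SYN_RECV, CT_DESTROYED };
struct tcp_opts { uint16_t mss; uint8_t wscale; bool sack_perm; };
struct ct_entry {
    enum ct_state state;
    bool unexpected_syn;     /* a SYN arrived while the entry was ESTABLISHED */
    struct tcp_opts opt[2];  /* [0] original direction, [1] reply direction */
};
struct segment { int dir; bool syn, ack; struct tcp_opts opts; };
enum verdict { VERDICT_ACCEPT, VERDICT_DROP };
static bool is_unexpected_syn(const struct ct_entry *ct, const struct segment *s)
{ return s->syn && !s->ack && s->dir == 0 && ct->state == CT_ESTABLISHED; }
static bool is_synack_reply(const struct ct_entry *ct, const struct segment *s)
{ return s->syn && s->ack && s->dir == 1 && ct->unexpected_syn; }
/* "Without this patch": let the SYN through, then destroy the entry and drop
 * the SYN/ACK so that the client's retransmission starts a clean session. */
enum verdict handle_before(struct ct_entry *ct, const struct segment *s)
{
    if (is_unexpected_syn(ct, s)) { ct->unexpected_syn = true; return VERDICT_ACCEPT; }
    if (is_synack_reply(ct, s)) { ct->state = CT_DESTROYED; return VERDICT_DROP; }
    return VERDICT_ACCEPT;
}
/* With the patch: annotate the SYN's options; the SYN/ACK confirms the node
 * was out-of-sync, so rebuild the session in place from the annotated values. */
enum verdict handle_after(struct ct_entry *ct, const struct segment *s)
{
    if (is_unexpected_syn(ct, s)) {
        ct->unexpected_syn = true;
        ct->opt[0] = s->opts;        /* annotate, but do not trust yet */
    } else if (is_synack_reply(ct, s)) {
        ct->opt[1] = s->opts;        /* reply side comes from the SYN/ACK */
        ct->state = CT_SYN_RECV;     /* clean session, no packet dropped */
        ct->unexpected_syn = false;
    }
    return VERDICT_ACCEPT;
}
/* Replays a constructed exchange (stale ESTABLISHED entry, client SYN, server
 * SYN/ACK) through handler h and returns the verdict given to the SYN/ACK. */
struct ct_entry last_ct;
enum verdict run_scenario(enum verdict (*h)(struct ct_entry *, const struct segment *))
{
    const struct segment syn    = { 0, true, false, { 1460, 7, true } };
    const struct segment synack = { 1, true, true,  { 1400, 5, true } };
    last_ct = (struct ct_entry){ .state = CT_ESTABLISHED };
    h(&last_ct, &syn);
    return h(&last_ct, &synack);
}
```

The difference is visible in the final entry: the old path leaves it destroyed and costs the client a retransmission, the patched path ends in a fresh SYN_RECV entry carrying both directions' options without dropping anything.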