On Thu, 19 Nov 2009, Patrick McHardy wrote:

> Pablo Neira Ayuso wrote:
> > Without this patch, if we receive a SYN packet from the client while
> > the firewall is out-of-sync, we let it go through. Then, if we see
> > the SYN/ACK reply coming from the server, we destroy the conntrack
> > entry and drop the packet to trigger a new retransmission. Then,
> > the retransmission from the client is used to start a new clean
> > session.
> >
> > This patch improves the current handling. Basically, if we see an
> > unexpected SYN packet, we annotate the TCP options. Then, if we
> > see the reply SYN/ACK, this means that the firewall was indeed
> > out-of-sync. Therefore, we set a clean new session from the existing
> > entry based on the annotated values.
> >
> > This patch adds two new 8-bit fields that fit in a 16-bit gap of
> > the ip_ct_tcp structure.
> >
> > This patch is particularly useful for conntrackd since the
> > asynchronous nature of the state-synchronization allows having
> > backup nodes that are not perfect copies of the master. This helps
> > to improve the recovery under some worst-case scenarios.
>
> This seems like a good idea to me. I'd like to get an ACK from
> Jozsef before I apply this though since he knows this code way
> better than I do :)

Yes, it's a good idea and looks fine to me:

Acked-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
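The two behaviours Pablo describes (destroy-and-drop versus annotate-and-rebuild) are easier to compare side by side than from the prose alone. The following is an added toy model, not the kernel's nf_conntrack_proto_tcp code or any code from this thread: a single flow's conntrack entry, a stale ESTABLISHED state standing in for the "out-of-sync" firewall (for example a backup node whose conntrackd copy lagged behind), and a fresh handshake arriving on it. The `Conntrack` fields, the `TcpOptions` values and the packet sequence are constructed for illustration; the real structure layout and option handling differ.

```python
"""Toy model of the out-of-sync SYN handling discussed in the thread.

Constructed simulation; not the kernel's TCP conntrack implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TcpOptions:
    """Option values conntrack records from the SYN/SYN-ACK to validate later segments."""
    wscale: int
    sack_ok: bool
    mss: int


@dataclass
class Packet:
    direction: str                     # "orig" = client->server, "reply" = server->client
    syn: bool
    ack: bool
    options: Optional[TcpOptions] = None


@dataclass
class Conntrack:
    state: str                         # simplified: SYN_SENT, SYN_RECV, ESTABLISHED
    orig_opts: Optional[TcpOptions] = None
    reply_opts: Optional[TcpOptions] = None
    # Annotation of the last unexpected SYN (stands in for the patch's new fields; constructed).
    last_syn_opts: Optional[TcpOptions] = None
    last_syn_dir: Optional[str] = None


Verdict = Tuple[str, str]              # (accept|drop, state after the packet)

# Constructed sample option sets: the stale entry and the new handshake disagree.
STALE = TcpOptions(wscale=2, sack_ok=True, mss=1460)
NEW_CLIENT = TcpOptions(wscale=7, sack_ok=True, mss=1460)
NEW_SERVER = TcpOptions(wscale=5, sack_ok=False, mss=1460)


def handle(table: Dict[str, Conntrack], key: str, pkt: Packet, improved: bool) -> Verdict:
    """Apply one packet to the table; `improved` selects the annotate-and-rebuild behaviour."""
    ct = table.get(key)
    if ct is None:
        if pkt.syn and not pkt.ack and pkt.direction == "orig":
            table[key] = Conntrack("SYN_SENT", orig_opts=pkt.options)
            return ("accept", "SYN_SENT")
        return ("drop", "NONE")        # no entry and not a connection start (simplified)
    if ct.state == "SYN_SENT" and pkt.syn and pkt.ack and pkt.direction == "reply":
        ct.state, ct.reply_opts = "SYN_RECV", pkt.options
        return ("accept", "SYN_RECV")
    if ct.state == "SYN_RECV" and pkt.ack and not pkt.syn and pkt.direction == "orig":
        ct.state = "ESTABLISHED"
        return ("accept", "ESTABLISHED")
    if ct.state == "ESTABLISHED":
        if pkt.syn and not pkt.ack:
            # Unexpected SYN: both behaviours let it through; the improved one annotates it.
            if improved:
                ct.last_syn_opts, ct.last_syn_dir = pkt.options, pkt.direction
            return ("accept", "ESTABLISHED")
        if pkt.syn and pkt.ack and pkt.direction == "reply":
            if improved and ct.last_syn_opts is not None and ct.last_syn_dir == "orig":
                # SYN/ACK confirms the firewall was out-of-sync: rebuild a clean
                # session in place from the annotated SYN and this reply.
                ct.state = "SYN_RECV"
                ct.orig_opts, ct.reply_opts = ct.last_syn_opts, pkt.options
                ct.last_syn_opts = ct.last_syn_dir = None
                return ("accept", "SYN_RECV")
            # Old behaviour: destroy the entry and drop, forcing a client retransmission.
            del table[key]
            return ("drop", "NONE")
        return ("accept", "ESTABLISHED")
    return ("drop", ct.state)


def out_of_sync_scenario(improved: bool) -> Tuple[List[Verdict], Optional[TcpOptions]]:
    """A stale ESTABLISHED entry meets a fresh handshake on the same 5-tuple (constructed)."""
    key = "10.0.0.2:40001->10.0.0.1:80"
    table = {key: Conntrack("ESTABLISHED", orig_opts=STALE, reply_opts=STALE)}
    syn = Packet("orig", syn=True, ack=False, options=NEW_CLIENT)
    synack = Packet("reply", syn=True, ack=True, options=NEW_SERVER)
    ack = Packet("orig", syn=False, ack=True)
    verdicts = [handle(table, key, syn, improved), handle(table, key, synack, improved)]
    if verdicts[-1][0] == "drop":
        # The client never saw the SYN/ACK, so it retransmits its SYN; replay the handshake.
        verdicts += [handle(table, key, syn, improved), handle(table, key, synack, improved)]
    verdicts.append(handle(table, key, ack, improved))
    return verdicts, table[key].orig_opts


def dropped(verdicts: List[Verdict]) -> int:
    return sum(1 for v, _ in verdicts if v == "drop")


if __name__ == "__main__":
    for improved in (False, True):
        verdicts, opts = out_of_sync_scenario(improved)
        print("improved" if improved else "old", verdicts, "drops:", dropped(verdicts), opts)
```

Both paths end in ESTABLISHED with the new client's options recorded, which is the recovery the patch is after; the difference is that the old path costs one dropped SYN/ACK and a client SYN retransmission timeout before the clean session exists, while the annotated path needs no extra round trip. When reviewing a change like this, the check worth keeping is that a SYN/ACK without a matching annotated SYN still falls through to the conservative destroy-and-drop path.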