Jozsef Kadlecsik wrote:
> On Thu, 19 Nov 2009, Patrick McHardy wrote:
>
>> Pablo Neira Ayuso wrote:
>>> Without this patch, if we receive a SYN packet from the client while
>>> the firewall is out-of-sync, we let it go through. Then, if we see
>>> the SYN/ACK reply coming from the server, we destroy the conntrack
>>> entry and drop the packet to trigger a new retransmission. Then,
>>> the retransmission from the client is used to start a new clean
>>> session.
>>>
>>> This patch improves the current handling. Basically, if we see an
>>> unexpected SYN packet, we annotate the TCP options. Then, if we
>>> see the reply SYN/ACK, this means that the firewall was indeed
>>> out-of-sync. Therefore, we set a clean new session from the existing
>>> entry based on the annotated values.
>>>
>>> This patch adds two new 8-bit fields that fit in a 16-bit gap of
>>> the ip_ct_tcp structure.
>>>
>>> This patch is particularly useful for conntrackd since the
>>> asynchronous nature of the state-synchronization allows having
>>> backup nodes that are not perfect copies of the master. This helps
>>> to improve the recovery under some worst-case scenarios.
>> This seems like a good idea to me. I'd like to get an ACK from
>> Jozsef before I apply this though since he knows this code way
>> better than I do :)
>
> Yes, it's a good idea and looks fine to me:
>
> Acked-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>

Applied, thanks everyone.
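As an added illustration of the two behaviours the patch description contrasts (a constructed model written for this page, not the kernel's nf_conntrack code and not part of the thread): `track` handles a SYN arriving on an already-established entry and the SYN/ACK that answers it, with `improved` selecting the patched behaviour. All names, the `ack_seq` match against the annotated SYN, and the sample packets are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the two conntrack behaviours for an unexpected SYN; names are hypothetical, not the kernel's. */
enum ct_state { CT_NONE, CT_SYN_SENT, CT_SYN_RECV, CT_ESTABLISHED };
enum verdict { V_DROP, V_ACCEPT };
struct pkt { bool syn, ack, reply; uint32_t seq, ack_seq; uint8_t wscale; };
struct ct_entry {
    enum ct_state state;
    uint8_t wscale[2];     /* window scale per direction: 0 original, 1 reply */
    bool syn_ignored;      /* an original-direction SYN was let through ... */
    uint32_t last_end;     /* ... ending at seq + 1, to match its SYN/ACK */
    uint8_t last_wscale;   /* option annotated from that SYN (the patch's new field) */
};

enum verdict track(struct ct_entry *ct, const struct pkt *p, bool improved)
{
    if (ct->state == CT_NONE) {              /* ordinary handshake start */
        if (!p->syn || p->ack || p->reply) return V_DROP;
        ct->state = CT_SYN_SENT; ct->wscale[0] = p->wscale;
        return V_ACCEPT;
    }
    if (p->syn && !p->ack && !p->reply && ct->state == CT_ESTABLISHED) {
        ct->syn_ignored = true; ct->last_end = p->seq + 1;
        if (improved) ct->last_wscale = p->wscale; /* old code keeps nothing */
        return V_ACCEPT;                     /* both versions let the SYN go */
    }
    if (p->syn && p->ack && p->reply) {
        if (ct->syn_ignored && p->ack_seq == ct->last_end) {
            /* Server answered the ignored SYN: peers in sync, firewall not. */
            if (!improved) { memset(ct, 0, sizeof(*ct)); return V_DROP; }
            ct->wscale[0] = ct->last_wscale; ct->syn_ignored = false;
        } else if (ct->state != CT_SYN_SENT)
            return V_DROP;
        ct->state = CT_SYN_RECV; ct->wscale[1] = p->wscale;
        return V_ACCEPT;
    }
    if (p->ack && !p->syn && !p->reply && ct->state == CT_SYN_RECV) ct->state = CT_ESTABLISHED;
    return ct->state == CT_ESTABLISHED ? V_ACCEPT : V_DROP;
}

/* Constructed scenario: stale ESTABLISHED entry, then a fresh client SYN the server answers. */
enum verdict replay_out_of_sync(bool improved, struct ct_entry *ct)
{
    const struct pkt syn = { true, false, false, 1000, 0, 7 }, synack = { true, true, true, 5000, 1001, 5 };
    memset(ct, 0, sizeof(*ct));
    ct->state = CT_ESTABLISHED; ct->wscale[0] = 2;   /* left over from an old session */
    track(ct, &syn, improved);
    return track(ct, &synack, improved);     /* verdict given to the SYN/ACK */
}
```

With `improved` false the SYN/ACK is dropped and the entry is destroyed, so the client's retransmitted SYN restarts tracking from CT_NONE; with it true the entry is rebuilt in SYN_RECV using the window scale annotated from the unexpected SYN.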