On Fri, 2013-08-09 at 17:21 -0700, Yuchung Cheng wrote:
> Currently the conntrack checks if the ending sequence of a packet
> falls within the observed receive window. However it does so even
> if it has not observed any packet from the remote yet and uses an
> uninitialized receive window (td_maxwin).
>
> If a connection uses Fast Open to send a SYN-data packet which is
> dropped afterward in the network, the subsequent SYN retransmits
> will all fail this check and be discarded, leading to a connection
> timeout. This is because the SYN retransmit does not contain data
> payload so
>
>     end == initial sequence number (isn) + 1
>     sender->td_end == isn + syn_data_len
>     receiver->td_maxwin == 0
>
> The fix is to only apply this check after td_maxwin is initialized.
>
> Reported-by: Michael Chan <mcfchan@xxxxxxxxxxxx>
> Signed-off-by: Yuchung Cheng <ycheng@xxxxxxxxxx>
> ---

Acked-by: Eric Dumazet <edumazet@xxxxxxxxxx>
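
The window check described in the quoted commit message, as an added example that is not part of the original message and is not the kernel's own code. It is a simplified C model: the helper names (seq_after, in_recv_win_old, in_recv_win_new, syn_retransmit_passes) and the sample ISN and payload length are assumptions; only td_end and td_maxwin come from the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified per-direction state: only the two fields named in the message. */
struct dir_state {
    uint32_t td_end;    /* highest sequence end seen from this side */
    uint32_t td_maxwin; /* largest window seen; 0 means nothing seen yet */
};

/* Wraparound-safe "a is after b" for 32-bit TCP sequence numbers. */
static bool seq_after(uint32_t a, uint32_t b)
{
    return (int32_t)(b - a) < 0;
}

/* Before the fix: the lower bound is always enforced, even when the
 * receiver's td_maxwin has never been set. */
static bool in_recv_win_old(uint32_t end, const struct dir_state *sender,
                            const struct dir_state *receiver)
{
    return seq_after(end, sender->td_end - receiver->td_maxwin - 1);
}

/* After the fix: apply the check only once td_maxwin is initialized. */
static bool in_recv_win_new(uint32_t end, const struct dir_state *sender,
                            const struct dir_state *receiver)
{
    return receiver->td_maxwin == 0 || in_recv_win_old(end, sender, receiver);
}

/* Scenario from the message: a SYN-data packet was tracked and then lost,
 * and a plain SYN retransmit (no payload) arrives before any reply. */
static bool syn_retransmit_passes(uint32_t isn, uint32_t syn_data_len, bool fixed)
{
    struct dir_state sender = { .td_end = isn + syn_data_len, .td_maxwin = 0 };
    struct dir_state receiver = { .td_end = 0, .td_maxwin = 0 };
    uint32_t end = isn + 1; /* SYN consumes one sequence number */

    return fixed ? in_recv_win_new(end, &sender, &receiver)
                 : in_recv_win_old(end, &sender, &receiver);
}

int main(void)
{
    /* Constructed sample values: ISN near wraparound, 100 bytes of SYN data. */
    printf("old check: %d\n", syn_retransmit_passes(0xFFFFFFF0u, 100, false));
    printf("new check: %d\n", syn_retransmit_passes(0xFFFFFFF0u, 100, true));
    return 0;
}
```

Once the receiver's window is known, the new check still rejects segments that fall behind it, so the fix only relaxes the pre-handshake case.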