On Sat, Aug 10, 2013 at 03:01:36PM +0200, Jozsef Kadlecsik wrote:
> On Fri, 9 Aug 2013, Yuchung Cheng wrote:
>
> > Currently the conntrack checks if the ending sequence of a packet
> > falls within the observed receive window. However it does so even
> > if it has not observed any packet from the remote yet and uses an
> > uninitialized receive window (td_maxwin).
> >
> > If a connection uses Fast Open to send a SYN-data packet which is
> > dropped afterward in the network, the subsequent SYN retransmits
> > will all fail this check and be discarded, leading to a connection
> > timeout. This is because the SYN retransmit does not contain data
> > payload so
> >
> >     end == initial sequence number (isn) + 1
> >     sender->td_end == isn + syn_data_len
> >     receiver->td_maxwin == 0
> >
> > The fix is to only apply this check after td_maxwin is initialized.
> >
> > Reported-by: Michael Chan <mcfchan@xxxxxxxxxxxx>
> > Signed-off-by: Yuchung Cheng <ycheng@xxxxxxxxxx>
>
> Acked-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>

Applied, thanks everyone.
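
The failing comparison described in the quoted commit message, as an added example that is not part of the original thread or the kernel source. The struct, the function names and the exact form of the window comparison are assumptions made for illustration; only `td_end`, `td_maxwin` and the three stated values come from the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified per-direction state; field names are taken from the commit message. */
struct tcp_dir {
    uint32_t td_end;    /* highest sequence end seen from this side */
    uint32_t td_maxwin; /* largest window seen from this side; 0 = nothing seen yet */
};

/* Wrap-safe "a is after b" on 32-bit sequence numbers. */
static bool seq_after(uint32_t a, uint32_t b) { return (int32_t)(b - a) < 0; }

/* Assumed form of the receive-window check; 'fixed' applies it only once td_maxwin is set. */
static bool in_recv_win(const struct tcp_dir *snd, const struct tcp_dir *rcv,
                        uint32_t end, bool fixed)
{
    if (fixed && rcv->td_maxwin == 0)
        return true;
    return seq_after(end, snd->td_end - rcv->td_maxwin - 1);
}

/* Constructed scenario: the Fast Open SYN-data is lost, then a bare SYN is retransmitted.
 * rcv_maxwin stays 0 until conntrack has seen a packet from the remote side. */
static bool syn_retransmit_accepted(uint32_t isn, uint32_t syn_data_len,
                                    uint32_t rcv_maxwin, bool fixed)
{
    struct tcp_dir sender = { .td_end = isn + syn_data_len, .td_maxwin = 0 };
    struct tcp_dir receiver = { .td_end = 0, .td_maxwin = rcv_maxwin };
    uint32_t end = isn + 1; /* retransmitted SYN carries no payload */
    return in_recv_win(&sender, &receiver, end, fixed);
}

int main(void)
{
    uint32_t isn = 1000, len = 100; /* constructed sample values */
    printf("old check, no window seen: %s\n",
           syn_retransmit_accepted(isn, len, 0, false) ? "accept" : "drop");
    printf("fixed check, no window seen: %s\n",
           syn_retransmit_accepted(isn, len, 0, true) ? "accept" : "drop");
    printf("fixed check, window 65535 seen: %s\n",
           syn_retransmit_accepted(isn, len, 65535, true) ? "accept" : "drop");
    return 0;
}
```

With these sample values the unfixed check drops every bare SYN retransmit until a packet from the remote side sets `td_maxwin`, which never happens because the SYN never gets through.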