On 19/08/13 - 22:13:59, Jozsef Kadlecsik wrote:
> On Mon, 19 Aug 2013, Eric Dumazet wrote:
>
> > On Mon, 2013-08-19 at 15:49 +0200, Christoph Paasch wrote:
> >
> > > It's a TCP-patch, that interprets duplicate-acks with invalid SACK-blocks as
> > > duplicate acks in tcp_sock->sacked_out.
> >
> > Yeah, but here, this is conntrack who is blocking the thing.
> >
> > TCP receiver has no chance to 'fix' it.
> >
> > See conntrack is one of those buggy middle box as well.
> >
> > So if you want to properly handle this mess, you'll also have to fix
> > conntrack.
>
> I beg your pardon: why conntrack should be relaxed, when it is expected
> to do more strict TCP checkings (RFC5961, Section 5.).

There is no mention of SACK in this RFC.
The duplicate ACKs with invalid SACK-blocks are valid with respect to
RFC5961, Section 5.

Actually, no RFC says that dup-ACKs with invalid SACK-blocks should be
discarded.

Cheers,
Christoph
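
As an added illustration of the distinction argued in this message (not code from the thread, from conntrack or from the kernel TCP stack), the sketch below implements the RFC 5961 Section 5.2 ACK acceptability test next to a separate SACK-block sanity check. The definition of a plausible SACK block, the struct and function names, and the sample values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wraparound-safe comparisons of 32-bit TCP sequence numbers. */
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }

struct sack_block { uint32_t left, right; };

/* Sender-side state, named after the RFC 793 variables. */
struct snd_state { uint32_t snd_una, snd_nxt, max_snd_wnd; };

/* RFC 5961 Section 5.2: SND.UNA - MAX.SND.WND <= SEG.ACK <= SND.NXT.
 * Only the cumulative ACK number is examined; SACK options are not. */
bool rfc5961_ack_acceptable(const struct snd_state *s, uint32_t seg_ack)
{
    return seq_leq(s->snd_una - s->max_snd_wnd, seg_ack) &&
           seq_leq(seg_ack, s->snd_nxt);
}

/* Assumed notion of a plausible SACK block (not taken from RFC 5961):
 * non-empty and inside the sent-but-unacknowledged range
 * [SND.UNA, SND.NXT]. */
bool sack_block_plausible(const struct snd_state *s, struct sack_block b)
{
    return seq_lt(b.left, b.right) &&
           seq_leq(s->snd_una, b.left) && seq_leq(b.right, s->snd_nxt);
}

int main(void)
{
    /* Constructed values; SND.UNA..SND.NXT straddles the 2^32 wrap. */
    struct snd_state s = { 0xfffffff0u, 0x00000400u, 0x2000u };
    uint32_t dup_ack = s.snd_una;              /* duplicate ACK */
    struct sack_block bogus = { 0x7a000000u, 0x7a000200u };

    /* The same segment passes the ACK test and fails the SACK test,
     * so a filter that drops on the second is stricter than RFC 5961. */
    printf("ack acceptable: %d\n", rfc5961_ack_acceptable(&s, dup_ack));
    printf("sack plausible: %d\n", sack_block_plausible(&s, bogus));
    return 0;
}
```
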