The netfilter TCP conntrack used to mark packets with bogus SACK option values as INVALID. However, it seems broken SEQ anonymizers, which are responsible for such traffic, are not going to die out soon and conntrack effectively blocks traffic coming through such devices. Better be liberal at conntrack level: when SACK is bogus, ignore it.

Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
Reported-by: Corey Hickey <bugfood-ml@xxxxxxxxxx>
Tested-by: Corey Hickey <bugfood-ml@xxxxxxxxxx>
---
 net/netfilter/nf_conntrack_proto_tcp.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 44d1ea3..cd67de8 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -640,6 +640,11 @@ static bool tcp_in_window(const struct nf_conn *ct,
 	in_recv_win = !receiver->td_maxwin ||
 		      after(end, sender->td_end - receiver->td_maxwin - 1);
 
+	/* Fall back to ACK when SACK is bogus */
+	if (!(before(sack, receiver->td_end + 1) &&
+	      after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)))
+		sack = ack;
+
 	pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
 		 before(seq, sender->td_maxend + 1),
 		 (in_recv_win ? 1 : 0),
-- 
1.7.0.4
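Review bot: the fallback in this hunk is silent, so once `sack = ack` has run the `pr_debug("tcp_in_window: ...")` immediately below reports the packet as if it carried no SACK data at all, and an operator debugging a flow through one of the SEQ anonymizers mentioned in the commit message cannot tell that a SACK option was discarded rather than absent. Suggest adding a `pr_debug` inside the `if` body (for example `pr_debug("tcp_in_window: bogus SACK, falling back to ACK\n");`) before `sack = ack;`, and expanding the one-line comment to state the acceptance range being enforced, i.e. that the SACK right edge must lie within `(receiver->td_end - MAXACKWINDOW(sender), receiver->td_end]`, so that the next person who touches this window logic knows why this bound and not the receive-window bound used for `in_recv_win` two lines above was chosen.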