On 2013-09-02 11:58, Jozsef Kadlecsik wrote:
> The netfilter TCP conntrack used to mark packets with bogus SACK option
> values as INVALID. However, it seems broken SEQ anonymizers, which are
> responsible for such traffic, are not going to die out soon and conntrack
> effectively blocks traffic coming through such devices.
>
> Better be liberal at conntrack level: when SACK is bogus, ignore it.
>
> Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
> Reported-by: Corey Hickey <bugfood-ml@xxxxxxxxxx>
> Tested-by: Corey Hickey <bugfood-ml@xxxxxxxxxx>
> ---
>  net/netfilter/nf_conntrack_proto_tcp.c | 5 +++++
>  1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> index 44d1ea3..cd67de8 100644
> --- a/net/netfilter/nf_conntrack_proto_tcp.c
> +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> @@ -640,6 +640,11 @@ static bool tcp_in_window(const struct nf_conn *ct,
>  in_recv_win = !receiver->td_maxwin ||
>  after(end, sender->td_end - receiver->td_maxwin - 1);
>
> + /* Fall back to ACK when SACK is bogus */
> + if (!(before(sack, receiver->td_end + 1) &&
> + after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)))
> + sack = ack;
> +
>  pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
>  before(seq, sender->td_maxend + 1),
>  (in_recv_win ? 1 : 0),

I've been running Jozsef's patch on linux-next compiled on 2013-08-19. I can confirm that it fixes the problem I'm having with broken SEQ randomization on FWSM, and I haven't seen any problems caused by it.

http://www.spinics.net/lists/netdev/msg246898.html

I'm still planning to work with my boss to disable SEQ randomization, hopefully this week.

Thanks,
Corey
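Review bot: the fallback `sack = ack;` is silent, so once this is applied a flow that passes through a broken SEQ anonymizer is indistinguishable in conntrack debug output from one carrying a valid SACK option, which makes the very devices the commit message complains about harder to spot. Since the hunk sits directly above the existing `pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n", ...)` call, consider adding a `pr_debug("tcp_in_window: bogus SACK, falling back to ACK\n");` inside the `if` before the assignment, and widen the one-line comment to say that this deliberately relaxes a check that previously marked the packet INVALID: the commit message says "ignore it", but what the code does is treat the bogus SACK value as equal to ACK, so the ACK window check remains the only bound applied to it.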