On Tue, Sep 03, 2013 at 09:31:19AM +0200, Jozsef Kadlecsik wrote:
> On Mon, 2 Sep 2013, Phil Oester wrote:
> > But if conntrack were being "liberal" then it wouldn't care about the
> > value of the ACKs either, no? This sort of defeats the purpose of TCP
> > window tracking.
>
> No, it doesn't defeat it - we fall back to checking the ACK value against
> the window.
>
> > At the very least, this workaround should be dependent upon
> > nf_conntrack_tcp_be_liberal != 0.
> >
> > Also note that David Miller refused to accept a patch working around this
> > issue in the TCP stack [1]. Why should netfilter do so?
> >
> > [1] http://marc.info/?l=linux-netdev&m=137714232805063&w=2
>
> The purpose of that patch is to get back as much performance of TCP as
> possible, by working around the broken SACK options.
>
> This patch lets the traffic at least through, otherwise it's simply
> blocked by conntrack. Similarly to the TCP stack, conntrack should ignore
> bogus SACK values instead of effectively dropping the stream.
>
> This is a long-time issue. To be honest, I believed such anonymizer
> devices would have disappeared (fixed) by now. However it is apparently
> not so and at the same time conntrack actually breaks TCP robustness.
> Therefore I think it should be fixed.

This should still only be allowed if nf_conntrack_tcp_be_liberal is enabled
IMHO (or some new sysctl like nf_conntrack_tcp_sack_be_liberal?). Personally
I don't care about these broken middleboxes, and would rather not have SACK
validation disabled by default.

Phil