Re: [PATCH 1/1] netfilter: Ignore bogus SACK option values in TCP conntrack

On Tue, Sep 03, 2013 at 09:31:19AM +0200, Jozsef Kadlecsik wrote:
> On Mon, 2 Sep 2013, Phil Oester wrote:
> > But if conntrack were being "liberal" then it wouldn't care about the 
> > value of the ACKs either, no?  This sort of defeats the purpose of TCP 
> > window tracking.
> 
> No, it doesn't defeat it - we fall back to checking the ACK value against 
> the window.
> 
> > At the very least, this workaround should be dependent upon 
> > nf_conntrack_tcp_be_liberal != 0.
> > 
> > Also note that David Miller refused to accept a patch working around this
> > issue in the TCP stack [1].  Why should netfilter do so?
> > 
> > [1] http://marc.info/?l=linux-netdev&m=137714232805063&w=2
> 
> The purpose of that patch is to get back as much performance of TCP as 
> possible, by working around the broken SACK options.
> 
> This patch lets the traffic at least through, otherwise it's simply 
> blocked by conntrack. Similarly to the TCP stack, conntrack should ignore 
> bogus SACK values instead of effectively dropping the stream.
> 
> This is a long-time issue. To be honest, I believed such anonymizer 
> devices would have disappeared (fixed) by now. However it is apparently 
> not so and at the same time conntrack actually breaks TCP robustness. 
> Therefore I think it should be fixed.

This should still only be allowed if nf_conntrack_tcp_be_liberal is enabled
IMHO (or some new sysctl like nf_conntrack_tcp_sack_be_liberal?).  Personally
I don't care about these broken middleboxes, and would rather not have SACK
validation disabled by default.

Phil
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html