Jozsef Kadlecsik wrote:
> On Mon, 9 Jun 2008, Thomas Bätzler wrote:
>> In any case I'm wondering why netfilter doesn't consider
>> these packets to be part of a connection. Is there a
>> known problem with netfilter and TCP SACK?
>
> In these cases usually there is a device sitting between the
> firewall running netfilter and the server/client machine,
> which randomizes the TCP sequence numbers but fails to
> propagate the changes to the SACK fields.
> Thus the SACK values are totally bogus and therefore
> netfilter marks them as INVALID.

I thought of that, too, but it doesn't seem to be the case. Let's have a
look at an excerpt (tcpdump -S):

22:37:44.830784 IP gateway.41803 > server.37890: SWE 1599996997:1599996997(0) win 5840 <mss 1460,sackOK,timestamp 495055487 0,nop,wscale 7>
22:37:44.846411 IP server.37890 > gateway.41803: SE 23582050:23582050(0) ack 1599996998 win 5792 <mss 1460,sackOK,timestamp 49338617 495055487,nop,wscale 7>
22:37:44.846533 IP gateway.41803 > server.37890: . ack 23582051 win 46 <nop,nop,timestamp 495055488 49338617>
[...]
22:37:44.974253 IP gateway.41803 > server.37890: . 1600282667:1600284115(1448) ack 23582051 win 46 <nop,nop,timestamp 495055501 49338649>
[...]
22:37:44.989794 IP server.37890 > gateway.41803: . ack 1600281219 win 892 <nop,nop,timestamp 49338653 495055501>
22:37:44.990228 IP gateway.41803 > server.37890: . 1600358775:1600360223(1448) ack 23582051 win 46 <nop,nop,timestamp 495055502 49338653>
[...]
22:37:44.990397 IP server.37890 > gateway.41803: . ack 1600281219 win 892 <nop,nop,timestamp 49338653 495055501,nop,nop,sack 1 {1600282667:1600284115}>
22:37:44.990417 IP gateway.41803 > server.37890: R 1600281219:1600281219(0) win 0

As you can see, the SACK data matches a previously sent segment, so it's
not scrambled.

HTH,
Thomas
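An added example, not part of Thomas's post or of the netfilter project, that automates the check Thomas did by eye: replay a `tcpdump -S` trace, record the data segments each side sent, and test whether every SACK block lies inside data its peer really transmitted. TRACE is a constructed sample in the post's format, and BOGUS_TRACE is a constructed illustration of the middlebox case Jozsef describes (sequence numbers rewritten, SACK edges left alone).

```python
import re

# Constructed sample in the format of the post's `tcpdump -S` output (absolute
# sequence numbers); it is not the original capture.
TRACE = """\
22:37:44.974253 IP gateway.41803 > server.37890: . 1600282667:1600284115(1448) ack 23582051 win 46 <nop,nop,timestamp 495055501 49338649>
22:37:44.989794 IP server.37890 > gateway.41803: . ack 1600281219 win 892 <nop,nop,timestamp 49338653 495055501>
22:37:44.990228 IP gateway.41803 > server.37890: . 1600358775:1600360223(1448) ack 23582051 win 46 <nop,nop,timestamp 495055502 49338653>
22:37:44.990397 IP server.37890 > gateway.41803: . ack 1600281219 win 892 <nop,nop,timestamp 49338653 495055501,nop,nop,sack 1 {1600282667:1600284115}>
"""
# Constructed variant of the failure Jozsef describes: a middlebox rewrote the
# sequence numbers but not the SACK edges, so the block names data never sent.
BOGUS_TRACE = TRACE.replace("{1600282667:1600284115}", "{1100282667:1100284115}")

HDR_RE = re.compile(r"^\S+ IP (\S+) > (\S+): \S+ ")          # src, dst, flags
DATA_RE = re.compile(r"^\S+ IP \S+ > \S+: \S+ (\d+):(\d+)\((\d+)\)")  # seq:seq+len(len)
BLOCK_RE = re.compile(r"\{(\d+):(\d+)\}")                     # one SACK block


def _covered(lo, hi, segs):
    """True if [lo, hi) is fully covered by the union of sent segments.
    Segments are merged as we sweep; 32-bit wrap-around is not handled."""
    pos = lo
    for s, e in sorted(segs):
        if s <= pos < e:
            pos = e
        if pos >= hi:
            return True
    return pos >= hi


def check_sack_blocks(trace):
    """Replay a tcpdump -S trace and judge every SACK block: does it fall inside
    data the peer actually sent?  A block that does not is the kind of bogus
    value that makes conntrack mark the ACK INVALID.  Returns [(left, right, ok)]."""
    sent = {}      # (src, dst) -> [(seq_start, seq_end)] for payload-carrying segments
    verdicts = []
    for line in trace.splitlines():
        hdr = HDR_RE.match(line)
        if not hdr:
            continue
        src, dst = hdr.groups()
        data = DATA_RE.match(line)
        if data and int(data.group(3)) > 0:          # segment carries payload
            sent.setdefault((src, dst), []).append((int(data.group(1)), int(data.group(2))))
        if "sack " in line:                          # "sackOK" in a SYN does not match
            peer_segments = sent.get((dst, src), []) # data flowing dst -> src
            for lo, hi in BLOCK_RE.findall(line):
                lo, hi = int(lo), int(hi)
                verdicts.append((lo, hi, _covered(lo, hi, peer_segments)))
    return verdicts
```

Run it over a full capture from both sides of the suspected device: a trace where every block is reported ok rules out the SACK-rewriting explanation, as in Thomas's case.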