On Fri, 22 May 2009, Anatoly Muliarski wrote:

> > This is the main problem: we can never be sure the packets which are seen
> > by the firewall do really reach the destination or their order is preserved.
> We could save the LAST sequence number as a current one.
> So we keep the connection and mark the current RST as invalid and
> correctly react on the following ones. Unfortunately this does not
> solve the main problem - unable to know whether the received sequence
> number is valid or not. As a vague idea - we could track the ack
> number from the other direction and so keep the last delivered sequence
> number. What can you say about it?

Relying on the last ACK received from the other direction looks promising.
We record the last (highest) ACK sent by both endpoints, which makes sure
that the packets they ack were indeed received. And we accept a RST segment
only if it's in the window we calculate (wider than the destination's) AND
equal to or higher than the saved last ACK from the other direction.

The only downside is that new fields must be added to struct ip_ct_tcp.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
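The check proposed in the reply above, as an added user-space C model (example code written for this page, not from the thread or from the netfilter tree). It keeps a simplified per-direction state: td_end, td_maxend and td_maxwin borrow the names of the kernel's struct ip_ct_tcp_state fields, last_ack is the extra field the message proposes, and the window arithmetic is a simplification rather than the kernel's tcp_in_window(). It feeds that state a constructed trace and compares the window-only RST test with the window-plus-last-ACK test on a RST whose sequence number lands inside the firewall's window but below what the peer has already acknowledged.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sequence-number comparison modulo 2^32, same idea as the kernel's
 * before()/after() helpers. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static bool seq_after(uint32_t a, uint32_t b)  { return seq_before(b, a); }

enum { DIR_ORIG = 0, DIR_REPLY = 1 };

/* Per-direction tracking state. td_end, td_maxend and td_maxwin mirror the
 * names in the kernel's struct ip_ct_tcp_state; last_ack is the extra field
 * proposed in the thread. The layout is an assumption for this example. */
struct dir_state {
    uint32_t td_end;     /* highest seq+len this side has sent */
    uint32_t td_maxend;  /* highest ack+win the peer has offered this side */
    uint32_t td_maxwin;  /* largest window this side has advertised */
    uint32_t last_ack;   /* highest ACK this side has sent (proposed field) */
};

struct tcp_ct {
    struct dir_state d[2];
};

/* Record a non-RST segment sent in direction `dir`. */
static void tcp_track(struct tcp_ct *ct, int dir, uint32_t seq, uint32_t len,
                      uint32_t ack, uint32_t win)
{
    struct dir_state *s = &ct->d[dir];   /* sender of this segment */
    struct dir_state *r = &ct->d[!dir];  /* the other endpoint */
    uint32_t end = seq + len;

    if (seq_after(end, s->td_end))
        s->td_end = end;
    if (win > s->td_maxwin)
        s->td_maxwin = win;
    /* ack+win from the sender bounds what the other side may send next */
    if (seq_after(ack + win, r->td_maxend))
        r->td_maxend = ack + win;
    /* proposed: remember the highest ACK this side has ever emitted */
    if (seq_after(ack, s->last_ack))
        s->last_ack = ack;
}

/* Window-only test: is a RST with `seq` sent in `dir` inside the window the
 * firewall computes (td_end - peer's maxwin .. td_maxend)? Simplified from
 * the kernel's tcp_in_window(). */
static bool tcp_rst_in_window(const struct tcp_ct *ct, int dir, uint32_t seq)
{
    const struct dir_state *s = &ct->d[dir];
    const struct dir_state *r = &ct->d[!dir];

    return !seq_after(seq, s->td_maxend) &&
           !seq_before(seq, s->td_end - r->td_maxwin);
}

/* Proposed test: in the window AND not below what the other endpoint has
 * already acknowledged. A RST whose seq is below the peer's last ACK refers
 * to data the peer has already received, so it must be old or forged. */
static bool tcp_rst_valid(const struct tcp_ct *ct, int dir, uint32_t seq)
{
    const struct dir_state *r = &ct->d[!dir];

    return tcp_rst_in_window(ct, dir, seq) && !seq_before(seq, r->last_ack);
}

/* Constructed trace (not captured traffic): client ISN 1000, server ISN 5000,
 * SYN exchange already done, then three data segments and a pure ACK. */
static void build_sample_conn(struct tcp_ct *ct)
{
    *ct = (struct tcp_ct){0};
    tcp_track(ct, DIR_ORIG,  1001, 100, 5001, 65535); /* client sends 100 B */
    tcp_track(ct, DIR_REPLY, 5001, 200, 1101, 32768); /* server sends 200 B */
    tcp_track(ct, DIR_ORIG,  1101,  50, 5201, 65535); /* client sends 50 B  */
    tcp_track(ct, DIR_REPLY, 5201,   0, 1151, 32768); /* server acks it all */
}

int main(void)
{
    struct tcp_ct ct;
    build_sample_conn(&ct);

    /* Off-path RST in the client->server direction: seq 1120 sits inside the
     * firewall's window but below the 1151 the server has already acked. */
    printf("spoofed RST seq=1120: window-only=%d, with-last-ack=%d\n",
           tcp_rst_in_window(&ct, DIR_ORIG, 1120),
           tcp_rst_valid(&ct, DIR_ORIG, 1120));
    /* A RST at the client's current send point is still accepted. */
    printf("genuine RST seq=1151: with-last-ack=%d\n",
           tcp_rst_valid(&ct, DIR_ORIG, 1151));
    return 0;
}
```

The forged RST at seq 1120 passes the window-only test and is rejected only by the last_ack comparison; the same holds in the reply direction for a RST below the client's last ACK of 5201. The lower window bound is td_end minus the peer's largest advertised window, which is the "wider than the destination's" window the reply mentions, since the firewall cannot know what the receiver has actually consumed.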