Re: TCP simultaneous open using iptables NAT?


Hi,

one question about that:
How can the host receive the SYN packet (and afterwards send the RST), if 
conntrack does not support TCP simultaneous open?

Thanks
Christoph

On Sat May 30 2009, Jozsef Kadlecsik wrote:
> [Back to your original mail.]
>
> Netfilter conntrack/NAT does *not* generate any kind of packet. If you see
> RST segments, those are then sent by the receiver of the SYN packet
> because there's no open socket yet.
>
> You can successfully build up simultaneous open connections only if you
> use good timings: both hosts send the initial SYNs *before* the SYN from
> the other side is delivered to them. Or, intentionally ignore (drop) the
> RST segments.
>
> Adding TCP simultaneous open support to netfilter conntrack is not hard
> but needs more testing before release.
>
> Best regards,
> Jozsef

--
Christoph Paasch

www.rollerbulls.be
--
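The timing point in the quoted reply, as an added illustration that is not code from this thread or from netfilter: a constructed model of two hosts attempting a simultaneous open, in which the middlebox is assumed to be a pure relay that generates no packets and a host with no socket answers an unexpected SYN with RST. Both SYNs must be in flight before either arrives, or one side must ignore the RST, for the connection to come up.

```python
import heapq
from dataclasses import dataclass

# Constructed model of the TCP connect-side state machine (RFC 793 style):
# hosts never send anything except in reply to a segment or a connect() call,
# so the relay in the middle does not need to be modelled at all.

@dataclass
class Host:
    name: str
    state: str = "CLOSED"
    ignore_rst: bool = False      # the "intentionally drop the RST" workaround

    def connect(self):
        self.state = "SYN_SENT"
        return "SYN"

    def receive(self, seg):
        if seg == "RST":
            if not self.ignore_rst:
                self.state = "CLOSED"
            return None
        if seg == "SYN" and self.state == "SYN_SENT":
            self.state = "SYN_RECEIVED"       # SYNs crossed: simultaneous open
            return "SYN_ACK"
        if seg == "SYN_ACK" and self.state in ("SYN_SENT", "SYN_RECEIVED"):
            self.state = "ESTABLISHED"
            return "ACK"
        if seg == "ACK" and self.state == "SYN_RECEIVED":
            self.state = "ESTABLISHED"
            return None
        if self.state == "CLOSED":
            return "RST"                      # no socket yet: the receiver rejects
        return None

def simulate(a_connect_at, b_connect_at, delay, ignore_rst=False):
    """Run both connect() calls at the given times with a fixed one-way delay;
    return the final (A, B) socket states."""
    hosts = {"A": Host("A", ignore_rst=ignore_rst), "B": Host("B", ignore_rst=ignore_rst)}
    peer = {"A": "B", "B": "A"}
    events, seq = [], 0                       # (time, seq, destination, segment)
    for name, t in (("A", a_connect_at), ("B", b_connect_at)):
        heapq.heappush(events, (t, seq, name, "CONNECT")); seq += 1
    while events:
        t, _, dst, seg = heapq.heappop(events)
        reply = hosts[dst].connect() if seg == "CONNECT" else hosts[dst].receive(seg)
        if reply is not None:
            heapq.heappush(events, (t + delay, seq, peer[dst], reply)); seq += 1
    return hosts["A"].state, hosts["B"].state

if __name__ == "__main__":
    print(simulate(0, 5, 10))                 # SYNs cross: ('ESTABLISHED', 'ESTABLISHED')
    print(simulate(0, 15, 10))                # B's socket not open yet: RST, both CLOSED
    print(simulate(0, 15, 10, ignore_rst=True))  # RST ignored: connection still comes up
```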
