Hi Remy,

I am also using a SYNPROXY in some of my scenarios. I would like to try and replicate your setup to better understand the situation.

Could this be an issue with the client's TCP stack? In any case, can you indicate what OS you are running on the client side? Also, if you could make a pcap file available that'd be most helpful!

Best,
Jesus

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Remy de Boer
Sent: 16 March 2018 12:49
To: netfilter@xxxxxxxxxxxxxxx
Subject: SYNPROXY, packet loss, and window sizes

Hi all,

We've been running into some trouble using SYNPROXY in a scenario where there's some packet loss outside of our network.

Regularly, when a client connects to a server using SYNPROXY, a TCP handshake is performed where the server sends a window size of 0. The client responds with an ACK, the server sends a window update and we can start using the connection.

We're running into trouble where the following situation occurs:

Client --SYN--> Server
Server --SYN-ACK--> Client
Client --ACK--> Server **LOST**

After the ACK from the client to the server is lost, no window update is ever sent to the client, so no data is transmitted across the connection. The client starts sending keepalive packets and eventually times out.

Is there any way to prevent this from happening?

-Remy
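
Added example, not part of either message above: a small Python check that finds the stalled handshakes described in the thread in a client-side packet trace (a SYN-ACK advertising window 0 that the server never follows with a window update). The `Pkt` record layout, the `grace` threshold and the sample segments are constructed for illustration; they are not taken from a real capture.

```python
from collections import namedtuple

# One record per TCP segment seen on the client side (constructed layout).
# flags: "S" SYN, "SA" SYN-ACK, "A" bare ACK, "PA" data segment.
Pkt = namedtuple("Pkt", "ts conn sender flags win length")

def find_stalled_handshakes(packets, grace=5.0):
    """Return [(conn, keepalive_count)] for connections whose SYN-ACK
    advertised window 0 and that saw no window update from the server,
    once at least `grace` seconds of capture follow that SYN-ACK."""
    packets = sorted(packets, key=lambda p: p.ts)
    if not packets:
        return []
    capture_end = packets[-1].ts
    state = {}
    for p in packets:
        s = state.setdefault(p.conn, {"zero_at": None, "opened": False, "acks": 0})
        if p.sender == "server":
            if p.flags == "SA":
                if p.win == 0 and s["zero_at"] is None:
                    s["zero_at"] = p.ts
            elif s["zero_at"] is not None and p.win > 0:
                s["opened"] = True  # the window update described in the thread
        elif s["zero_at"] is not None and not s["opened"] and p.flags == "A":
            s["acks"] += 1  # handshake ACK first, keepalives after it
    stalled = []
    for conn, s in state.items():
        if s["zero_at"] is None or s["opened"]:
            continue
        if capture_end - s["zero_at"] >= grace:  # skip handshakes too recent to judge
            stalled.append((conn, max(s["acks"] - 1, 0)))
    return sorted(stalled)

SAMPLE = [  # constructed segments, not from a real capture
    Pkt(0.00, "c1", "client", "S", 64240, 0),
    Pkt(0.01, "c1", "server", "SA", 0, 0),
    Pkt(0.02, "c1", "client", "A", 64240, 0),
    Pkt(0.03, "c1", "server", "A", 29200, 0),    # window update arrives
    Pkt(0.04, "c1", "client", "PA", 64240, 100),
    Pkt(1.00, "c2", "client", "S", 64240, 0),
    Pkt(1.01, "c2", "server", "SA", 0, 0),
    Pkt(1.02, "c2", "client", "A", 64240, 0),    # lost beyond the capture point
    Pkt(16.02, "c2", "client", "A", 64240, 0),   # keepalive, window still 0
    Pkt(31.02, "c2", "client", "A", 64240, 0),
    Pkt(46.02, "c2", "client", "A", 64240, 0),
    Pkt(50.00, "c3", "client", "S", 64240, 0),
    Pkt(50.01, "c3", "server", "SA", 0, 0),      # handshake still in progress
]

if __name__ == "__main__":
    print(find_stalled_handshakes(SAMPLE))
```
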