* Weird results with tcp-window-tracking patch
From: netfilter @ 2002-11-06 15:32 UTC
  To: netfilter-devel

I have the tcp-window-tracking patch applied to my firewall's kernel.
For reference, the dates on the first hunk in the
./extra/tcp-window-tracking.patch are as follows:

--- linux-2.4.19-base/include/linux/netfilter_ipv4/ip_conntrack_tcp.h Fri Oct 18 11:38:10 2002
+++ linux-2.4.19-tcp-window/include/linux/netfilter_ipv4/ip_conntrack_tcp.h Fri Oct 18 11:56:35 2002

Anyway, I have been seeing some strange results from the patch.  I
have lots of these from the last 12 or so hours:

04:16:48 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=1 PROTO=TCP SPT=57376 DPT=53 SEQ=232119966 ACK=1365344649 WINDOW=2048 RES=0x00 SYN URGP=0 ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data) 
04:16:49 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=2 PROTO=TCP SPT=57380 DPT=53 SEQ=2911162149 ACK=4054392719 WINDOW=2048 RES=0x00 SYN URGP=0 ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data) 
04:16:50 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=3 PROTO=TCP SPT=57382 DPT=53 SEQ=2104223658 ACK=1098213046 WINDOW=2048 RES=0x00 SYN URGP=0 ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data) 

It seems to me that these are just regular run-of-the-mill initial SYN
packets (i.e. packet one of the TCP three-way handshake) for TCP DNS
queries of my name server (even though I don't have one -- from the
number of both UDP and TCP DNS queries I am getting, the previous
owner of my IP address must have a name server running).

Why would these be flagged as "Out of window data" packets when in
reality they are just a simple violation of the rules I have
installed?  Doesn't there have to be an established TCP session in
order to determine if there is any "Out of window data"?

b.

-- 
Brian J. Murrell
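
An added example (not part of the original message and not netfilter code): a small triage script for LOG lines like the three quoted above. It separates the bare TCP flag tokens from the `ACK=` acknowledgment-number field and counts how many entries carrying a conntrack verdict are, flag-wise, initial SYNs. The fourth sample line and all function names are constructed for illustration.

```python
import re
from collections import Counter

# First three lines are copied from the message; the fourth is constructed
# (documentation addresses) to show a non-SYN packet with the same verdict.
SAMPLE = """\
04:16:48 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=1 PROTO=TCP SPT=57376 DPT=53 SEQ=232119966 ACK=1365344649 WINDOW=2048 RES=0x00 SYN URGP=0 ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data)
04:16:49 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=2 PROTO=TCP SPT=57380 DPT=53 SEQ=2911162149 ACK=4054392719 WINDOW=2048 RES=0x00 SYN URGP=0 ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data)
04:16:50 kernel SRC=195.33.98.115 DST=205.210.52.208 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=3 PROTO=TCP SPT=57382 DPT=53 SEQ=2104223658 ACK=1098213046 WINDOW=2048 RES=0x00 SYN URGP=0 ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data)
04:17:02 kernel SRC=192.0.2.10 DST=198.51.100.20 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=4821 PROTO=TCP SPT=40112 DPT=80 SEQ=1000 ACK=2000 WINDOW=5840 RES=0x00 ACK PSH URGP=0 ip_conntrack_tcp: INVALID: Out of window data; SEQ is under the lower bound (retransmitted already ACKed data)
"""

# Flags appear in the LOG output as bare tokens; "ACK=<n>" is the ack number.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
VERDICT = re.compile(r"ip_conntrack_tcp: (\w+): (.*)$")

def parse_line(line):
    """Return key=value fields, the set of TCP flags, and the conntrack verdict."""
    m = VERDICT.search(line)
    head = line[:m.start()] if m else line
    fields, flags = {}, set()
    for tok in head.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return {"fields": fields, "flags": flags,
            "state": m.group(1) if m else None,
            "reason": m.group(2).strip() if m else None}

def is_initial_syn(rec):
    """True when SYN is the only flag set (packet one of the handshake)."""
    return rec["flags"] == {"SYN"}

def summarize(text):
    """Count TCP log entries by (packet kind, conntrack reason)."""
    counts = Counter()
    for line in text.splitlines():
        if "PROTO=TCP" not in line:
            continue
        rec = parse_line(line)
        kind = "initial-SYN" if is_initial_syn(rec) else "other"
        counts[(kind, rec["reason"])] += 1
    return counts

if __name__ == "__main__":
    for (kind, reason), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {kind:12s} {reason}")
```
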
