Per site de-window-scaling

Per site de-window-scaling

[Stephen Hemminger]

Is there a simple way with netfilter to do per-site TCP SYN mangling
to remove the window scale option?  That way sites that have window-scale
corrupting firewalls could be blacklisted.

Re: Per site de-window-scaling

[David S. Miller]

On Thu, 2 Sep 2004 12:01:44 -0700
Stephen Hemminger <shemminger@osdl.org> wrote:

> Is there a simple way with netfilter to do per-site TCP SYN mangling
> to remove the window scale option?  That way sites that have window-scale
> corrupting firewalls could be blacklisted.

We could make this a routing metric, RTAX_MAX_WINDOW or something.

Re: Per site de-window-scaling

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1015 bytes --]

On Thu, Sep 02, 2004 at 12:01:44PM -0700, Stephen Hemminger wrote:
> Is there a simple way with netfilter to do per-site TCP SYN mangling
> to remove the window scale option?  That way sites that have window-scale
> corrupting firewalls could be blacklisted.

Yes, this is possible with a quite simple piece of code similar to what
I did with the 'ECN' target for known ECN blackholes. 

All you do is to iterate over the tcp options and NOP out the window
scaling options. 

Please don't copy any of the mistakes we did before, like the option
parsing signedness bug, or overwriting with '0' (end of options) instead
of NOP ;)

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]