From: Patrick McHardy <kaber@trash.net>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: pablo@netfilter.org, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org, mph@one.com, jesper.brouer@gmail.com,
as@one.com
Subject: Re: [PATCH RFC 0/5] netfilter: implement netfilter SYN proxy
Date: Wed, 7 Aug 2013 22:59:59 +0200 [thread overview]
Message-ID: <20130807205959.GC21463@macbook.localnet> (raw)
In-Reply-To: <1375898766.4004.37.camel@edumazet-glaptop>
On Wed, Aug 07, 2013 at 11:06:06AM -0700, Eric Dumazet wrote:
> On Wed, 2013-08-07 at 19:42 +0200, Patrick McHardy wrote:
>
> >
> > The SYNPROXY operates by marking the initial SYN from the client as UNTRACKED
> > and directing it to the SYNPROXY target. The target responds with a SYN/ACK
> > containing a cookie and encodes options such as window scaling factor, SACK
> > perm etc. into the timestamp, if timestamps are used (similar to TCP). The
> > window size is set to zero. The response is also sent as untracked packet.
>
> TCP timestamps are not really used, for various reasons ...
>
> Have you taken a look at
>
> <http://lists.freebsd.org/pipermail/freebsd-net/2013-July/035999.html>
No, not yet, will have a look. Not sure what you mean by "TCP timestamps
are not really used" though. I might be biased by usually only looking at
Linux traffic, but I was under that impression that everyone is using
TCP timestamps nowadays?
next prev parent reply other threads:[~2013-08-07 20:59 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-07 17:42 [PATCH RFC 0/5] netfilter: implement netfilter SYN proxy Patrick McHardy
2013-08-07 17:42 ` [PATCH 1/5] netfilter: nf_conntrack: make sequence number adjustments usuable without NAT Patrick McHardy
2013-08-07 20:02 ` Jesper Dangaard Brouer
2013-08-07 17:42 ` [PATCH 2/5] net: syncookies: export cookie_v4_init_sequence/cookie_v4_check Patrick McHardy
2013-08-07 20:03 ` Jesper Dangaard Brouer
2013-08-07 17:42 ` [PATCH 3/5] netfilter: add SYNPROXY core/target Patrick McHardy
2013-08-07 20:26 ` Jesper Dangaard Brouer
2013-08-07 20:56 ` Patrick McHardy
2013-08-08 6:22 ` Patrick McHardy
2013-08-08 15:07 ` Jesper Dangaard Brouer
2013-08-08 8:04 ` Jesper Dangaard Brouer
2013-08-08 8:24 ` Patrick McHardy
2013-08-07 22:11 ` Eric Dumazet
2013-08-07 23:37 ` Patrick McHardy
2013-08-08 6:34 ` Patrick McHardy
2013-08-07 17:42 ` [PATCH 4/5] net: syncookies: export cookie_v6_init_sequence/cookie_v6_check Patrick McHardy
2013-08-07 20:27 ` Jesper Dangaard Brouer
2013-08-07 17:42 ` [PATCH 5/5] netfilter: add IPv6 SYNPROXY target Patrick McHardy
2013-08-07 20:34 ` Jesper Dangaard Brouer
2013-08-07 20:57 ` Patrick McHardy
2013-08-07 18:06 ` [PATCH RFC 0/5] netfilter: implement netfilter SYN proxy Eric Dumazet
2013-08-07 20:59 ` Patrick McHardy [this message]
2013-08-07 21:05 ` Hannes Frederic Sowa
2013-08-07 21:24 ` Patrick McHardy
2013-08-07 21:39 ` Eric Dumazet
2013-08-07 23:40 ` David Miller
2013-08-08 0:04 ` Hannes Frederic Sowa
2013-08-08 0:13 ` Patrick McHardy
2013-08-09 13:55 ` Neal Cardwell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130807205959.GC21463@macbook.localnet \
--to=kaber@trash.net \
--cc=as@one.com \
--cc=eric.dumazet@gmail.com \
--cc=jesper.brouer@gmail.com \
--cc=mph@one.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.