From: Phil Oester <kernel@linuxace.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org,
Pablo Neira Ayuso <pablo@netfilter.org>,
Corey Hickey <bugfood-ml@fatooh.org>
Subject: Re: [PATCH 1/1] netfilter: Ignore bogus SACK option values in TCP conntrack
Date: Wed, 4 Sep 2013 09:54:03 -0700 [thread overview]
Message-ID: <20130904165403.GA13703@linuxace.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1309030858120.2504@blackhole.kfki.hu>
On Tue, Sep 03, 2013 at 09:31:19AM +0200, Jozsef Kadlecsik wrote:
> On Mon, 2 Sep 2013, Phil Oester wrote:
> > But if conntrack were being "liberal" then it wouldn't care about the
> > value of the ACKs either, no? This sort of defeats the purpose of TCP
> > window tracking.
>
> No, it doesn't defeat it - we fall back to checking the ACK value against
> the window.
>
> > At the very least, this workaround should be dependent upon
> > nf_conntrack_tcp_be_liberal != 0.
> >
> > Also note that David Miller refused to accept a patch working around this
> > issue in the TCP stack [1]. Why should netfilter do so?
> >
> > [1] http://marc.info/?l=linux-netdev&m=137714232805063&w=2
>
> The purpose of that patch is to get back as much performance of TCP as
> possible, by working around the broken SACK options.
>
> This patch lets the traffic at least through, otherwise it's simply
> blocked by conntrack. Similarly to the TCP stack, conntrack should ignore
> bogus SACK values instead of effectively dropping the stream.
>
> This is a long time issue. To be honest, I believed such anonymizer
> devices would have disappeared (fixed) by now. However it is apparently
> not so and at the same time conntrack actually breaks TCP robustness.
> Therefore I think it should be fixed.
This should still only be allowed if nf_conntrack_tcp_be_liberal is enabled
IMHO (or some new sysctl like nf_conntrack_tcp_sack_be_liberal?). Personally
I don't care about these broken middleboxes, and would rather not have SACK
validation disabled by default.
Phil
next prev parent reply other threads:[~2013-09-04 16:54 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-02 18:57 [PATCH 0/1] netfilter: Ignore bogus SACK option values in TCP conntrack Jozsef Kadlecsik
2013-09-02 18:58 ` [PATCH 1/1] " Jozsef Kadlecsik
2013-09-02 20:39 ` Corey Hickey
2013-09-02 21:57 ` Phil Oester
2013-09-03 7:31 ` Jozsef Kadlecsik
2013-09-04 16:54 ` Phil Oester [this message]
2013-09-13 20:16 ` Jozsef Kadlecsik
2013-09-15 16:22 ` Phil Oester
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130904165403.GA13703@linuxace.com \
--to=kernel@linuxace.com \
--cc=bugfood-ml@fatooh.org \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.