From: Patrick McHardy <kaber@trash.net>
To: "David S. Miller" <davem@davemloft.net>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: [PATCH 2.6.10 1/4]: Improve TCP window tracking retransmission detection
Date: Fri, 04 Feb 2005 04:05:10 +0100
Message-ID: <4202E666.8020707@trash.net>
[-- Attachment #1: Type: text/plain, Size: 540 bytes --]
The TCP window tracking code detects retransmissions by counting the number
of dup-ACKs. Phil Oester points out that the current retransmission detection
has false positives under very common conditions, multiple ACKs for different
sequence numbers arriving back-to-back. The problem is that the window
tracking code doesn't look at the ACKed sequence number, but only at the
start and end sequence number of the current packet. This patch fixes the
problem by making the code remember and check against the last ACKed
sequence number.
[-- Attachment #2: 01.diff --]
[-- Type: text/x-patch, Size: 4258 bytes --]
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2005/02/01 14:14:17+01:00 kernel@linuxace.com
# [NETFILTER]: Improve TCP window tracking retransmission detection
#
# Under certain circumstances (high latency WAN links for instance), ack
# packets get stacked up and arrive in bulk. The current TCP window
# tracking code interprets these numerous acks as retransmits, and
# if there are >= 3 retransmits sequentially, it resets the timeout on
# a conntrack to 5 minutes.
#
# The problem lies in the fact that the code currently only examines
# the seq number of the arriving packet, but does not also look at the
# seq number being acked. The patch below adds this additional check.
# Unfortunately, it adds another int32 to ip_ct_tcp, but I could think
# of no other fool-proof way of fixing it (short of ripping out the
# retransmission test altogether).
#
# Signed-off-by: Phil Oester <kernel@linuxace.com>
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# net/ipv4/netfilter/ip_conntrack_proto_tcp.c
# 2005/02/01 14:14:08+01:00 kernel@linuxace.com +2 -0
# [NETFILTER]: Improve TCP window tracking retransmission detection
#
# Under certain circumstances (high latency WAN links for instance), ack
# packets get stacked up and arrive in bulk. The current TCP window
# tracking code interprets these numerous acks as retransmits, and
# if there are >= 3 retransmits sequentially, it resets the timeout on
# a conntrack to 5 minutes.
#
# The problem lies in the fact that the code currently only examines
# the seq number of the arriving packet, but does not also look at the
# seq number being acked. The patch below adds this additional check.
# Unfortunately, it adds another int32 to ip_ct_tcp, but I could think
# of no other fool-proof way of fixing it (short of ripping out the
# retransmission test altogether).
#
# Signed-off-by: Phil Oester <kernel@linuxace.com>
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# include/linux/netfilter_ipv4/ip_conntrack_tcp.h
# 2005/02/01 14:14:07+01:00 kernel@linuxace.com +1 -0
# [NETFILTER]: Improve TCP window tracking retransmission detection
#
# Under certain circumstances (high latency WAN links for instance), ack
# packets get stacked up and arrive in bulk. The current TCP window
# tracking code interprets these numerous acks as retransmits, and
# if there are >= 3 retransmits sequentially, it resets the timeout on
# a conntrack to 5 minutes.
#
# The problem lies in the fact that the code currently only examines
# the seq number of the arriving packet, but does not also look at the
# seq number being acked. The patch below adds this additional check.
# Unfortunately, it adds another int32 to ip_ct_tcp, but I could think
# of no other fool-proof way of fixing it (short of ripping out the
# retransmission test altogether).
#
# Signed-off-by: Phil Oester <kernel@linuxace.com>
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
diff -Nru a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
--- a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h 2005-02-04 03:35:39 +01:00
+++ b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h 2005-02-04 03:35:39 +01:00
@@ -41,6 +41,7 @@
u_int8_t retrans; /* Number of retransmitted packets */
u_int8_t last_index; /* Index of the last packet */
u_int32_t last_seq; /* Last sequence number seen in dir */
+ u_int32_t last_ack; /* Last sequence number seen in opposite dir */
u_int32_t last_end; /* Last seq + len */
};
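Review bot: The comment on the new `last_ack` field, "Last sequence number seen in opposite dir", is ambiguous next to `last_seq`: it can be read as the seq field of the last packet from the other direction, while the second hunk stores the current packet's own `ack` value together with `dir`. Wording such as "Last acknowledged sequence number seen in dir" would match how the field is used. The changelog also notes that this grows ip_ct_tcp by one int32, which is worth confirming as acceptable for per-connection state.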
diff -Nru a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-02-04 03:35:39 +01:00
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-02-04 03:35:39 +01:00
@@ -665,11 +665,13 @@
if (*index == TCP_ACK_SET) {
if (state->last_dir == dir
&& state->last_seq == seq
+ && state->last_ack == ack
&& state->last_end == end)
state->retrans++;
else {
state->last_dir = dir;
state->last_seq = seq;
+ state->last_ack = ack;
state->last_end = end;
state->retrans = 0;
}
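Review bot: The extended condition at `&& state->last_ack == ack` carries no comment saying why the ACK number is part of the retransmission test; the reasoning (back-to-back ACKs with identical seq and end but different ack are not retransmissions) lives only in the changelog. A one-line comment above the `if` would keep that visible in the code. The else branch saves `last_ack` together with the other fields, so the comparison always runs against the packet that last reset the counter.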
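An added example, not part of the original message or of the kernel patch: a user-space C model of the dup-ACK counter described in the message, replayed with and without the ACK comparison over constructed packet sequences. The struct and function names and all sequence numbers are assumptions for illustration; only the comparison logic follows the second hunk.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical user-space stand-in for the retransmission fields of ip_ct_tcp. */
struct track { uint8_t retrans; int last_dir; uint32_t last_seq, last_ack, last_end; };
struct pkt { int dir; uint32_t seq, ack, end; };

/* Feed one ACK-flagged packet: check_ack = 0 models the pre-patch test,
 * check_ack = 1 the patched one. Returns the running retrans counter. */
static unsigned feed(struct track *t, const struct pkt *p, int check_ack)
{
    if (t->last_dir == p->dir && t->last_seq == p->seq
        && (!check_ack || t->last_ack == p->ack)
        && t->last_end == p->end) {
        t->retrans++;
    } else {
        t->last_dir = p->dir; t->last_seq = p->seq;
        t->last_ack = p->ack; t->last_end = p->end;
        t->retrans = 0;
    }
    return t->retrans;
}

/* Highest counter value reached while replaying a packet sequence. */
static unsigned max_retrans(const struct pkt *p, int n, int check_ack)
{
    struct track t = { 0, -1, 0, 0, 0 };  /* last_dir -1: nothing seen yet */
    unsigned max = 0;
    for (int i = 0; i < n; i++) {
        unsigned r = feed(&t, &p[i], check_ack);
        if (r > max) max = r;
    }
    return max;
}

/* Constructed sample: five pure ACKs (seq == end), each acking new data. */
static const struct pkt stacked_acks[] = {
    {1, 5000, 1000, 5000}, {1, 5000, 2460, 5000}, {1, 5000, 3920, 5000},
    {1, 5000, 5380, 5000}, {1, 5000, 6840, 5000} };
/* Constructed sample: one data segment sent four times, ack unchanged. */
static const struct pkt resent[] = {
    {0, 1000, 5000, 2460}, {0, 1000, 5000, 2460},
    {0, 1000, 5000, 2460}, {0, 1000, 5000, 2460} };

int main(void)
{
    printf("stacked ACKs old=%u new=%u, resend old=%u new=%u\n",
           max_retrans(stacked_acks, 5, 0), max_retrans(stacked_acks, 5, 1),
           max_retrans(resent, 4, 0), max_retrans(resent, 4, 1));
    return 0;
}
```

On the constructed input the pre-patch test counts four "retransmissions" for the stacked ACKs, past the >= 3 mentioned in the changelog, while the patched test counts none; the genuine resend counts three either way.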