Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Roberto Nibali <ratz@tac.ch>]

> Good catch: not required so I removed the dependency from the info
> file in svn.

Verified. Another thing is the link to Guido's paper. For me this is not working
anymore. So instead of linking the dead (if in fact it's dead) link:

    http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz

You could do following:

a. Put a mirror link into the document, e.g:

     http://www.madison-gurkha.com/publications/tcp_filtering/tcp_filtering.ps

b. Download the PS or PDF version of the paper and put it onto the Documentation
   section under "Various other docs", ITIM:

     http://www.netfilter.org/documentation/index.html#documentation-other

This also concerns the patch IMHO, so option b is maybe preferred.

> The last update sent to 2.6 kernel inclusion created the major difference
> between the two flavours. Now they are in sync and the most important
> fixes are in no particular order

Awesome, thanks. For the record, we're talking about the following changes:

http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/patchlets/tcp-window-tracking/linux-2.4.patch?rev=4073&r1=4018&r2=4073

> - Article on which the code is based falsely
>   assumed that packets must fit completely into
>   the window: packets must at least overlap, logic fixed
> - Reopening connections now done properly
> - We handle ACK packets sent by server to late resent SYNs too
> - Arbitrary RST segments could cause connection
>   teardown, fixed.

Daniel, I hope you don't mind that I've cc'd you out of the blue sky regarding
this issue. However, I'd like you, if possible, to comment on the possible
semantic differences between the window tracking implementation in OpenBSD pf
(also based on the Guido paper) and the current netfilter one. The relevant
patch on the netfilter part can be found at:

http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/patchlets/tcp-window-tracking/linux-2.4.patch?rev=4073&view=markup

It would be nice to have a second opinion regarding the tcp state transitions,
the SACK handling and the tcp_in_window() function, which is most critical.
We're probably talking about this gem, among others:

http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/net/pf.c?rev=1.493&content-type=text/plain

If it's not possible, drop me a private email and we'll meet somewhere in Zürich
in a bar along the Limmat for a beer to discuss this ;).

Best Regards,
Roberto Nibali, ratz
-- 
-------------------------------------------------------------
addr://Rathausgasse 31, CH-5001 Aarau  tel://++41 62 823 9355
http://www.terreactive.com             fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG                       Wir sichern Ihren Erfolg
-------------------------------------------------------------