From: Patrick McHardy <kaber@trash.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: conntrack: improve out-of-sync situation in TCP tracking
Date: Mon, 23 Nov 2009 10:38:07 +0100
Message-ID: <4B0A57FF.4020901@trash.net>
In-Reply-To: <alpine.DEB.2.00.0911202038280.10259@blackhole.kfki.hu>
Jozsef Kadlecsik wrote:
> On Thu, 19 Nov 2009, Patrick McHardy wrote:
>
>> Pablo Neira Ayuso wrote:
>>> Without this patch, if we receive a SYN packet from the client while
>>> the firewall is out-of-sync, we let it go through. Then, if we see
>>> the SYN/ACK reply coming from the server, we destroy the conntrack
>>> entry and drop the packet to trigger a new retransmission. Then,
>>> the retransmission from the client is used to start a new clean
>>> session.
>>>
>>> This patch improves the current handling. Basically, if we see an
>>> unexpected SYN packet, we annotate the TCP options. Then, if we
>>> see the reply SYN/ACK, this means that the firewall was indeed
>>> out-of-sync. Therefore, we set a clean new session from the existing
>>> entry based on the annotated values.
>>>
>>> This patch adds two new 8-bit fields that fit in a 16-bit gap of
>>> the ip_ct_tcp structure.
>>>
>>> This patch is particularly useful for conntrackd since the
>>> asynchronous nature of the state synchronization allows for
>>> backup nodes that are not perfect copies of the master. This helps
>>> to improve the recovery under some worst-case scenarios.
>> This seems like a good idea to me. I'd like to get an ACK from
>> Jozsef before I apply this though since he knows this code way
>> better than I do :)
>
> Yes, it's a good idea and looks fine to me:
>
> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Applied, thanks everyone.
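As an added illustration that is not part of this thread or of the netfilter code: a toy C model of the two behaviours the quoted commit message describes. All names (track_unpatched, track_patched, run_oos_handshake, the conn and syn_opts structs) are invented, and the handshake it feeds in is constructed; it only shows why the patched path keeps the entry and avoids the dropped SYN/ACK.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy model of the behaviours in the commit message. Invented names and
 * fields; this is not the kernel's nf_conntrack TCP tracker. */
enum { F_SYN = 1, F_ACK = 2 };
enum dir { DIR_ORIG, DIR_REPLY };
enum verdict { ACCEPT, DROP_AND_DESTROY };

struct syn_opts { uint8_t wscale; uint8_t sack_ok; }; /* values worth annotating */

struct conn {
    bool out_of_sync, destroyed, annotated; /* state / unpatched: entry gone / patched: SYN noted */
    struct syn_opts seen_syn, active;       /* copied from the unexpected SYN / used by session */
};

struct pkt { int flags; enum dir dir; struct syn_opts opts; };

/* Unpatched: the unexpected SYN passes; the SYN/ACK destroys the entry and is
 * dropped so that the client's retransmitted SYN starts a clean session. */
enum verdict track_unpatched(struct conn *c, const struct pkt *p) {
    if (c->out_of_sync && p->flags == (F_SYN | F_ACK) && p->dir == DIR_REPLY) {
        c->destroyed = true;
        return DROP_AND_DESTROY;
    }
    return ACCEPT;
}

/* Patched: annotate the SYN's options; when the SYN/ACK confirms the entry
 * was out of sync, rebuild the session in place from the annotated values. */
enum verdict track_patched(struct conn *c, const struct pkt *p) {
    if (c->out_of_sync && p->flags == F_SYN && p->dir == DIR_ORIG) {
        c->seen_syn = p->opts;
        c->annotated = true;
        return ACCEPT;
    }
    if (c->out_of_sync && p->flags == (F_SYN | F_ACK) && p->dir == DIR_REPLY && c->annotated) {
        c->active = c->seen_syn;  /* clean session from the existing entry */
        c->out_of_sync = false;
        return ACCEPT;            /* nothing dropped, no retransmission needed */
    }
    return track_unpatched(c, p); /* no annotation: fall back to old handling */
}

/* Constructed out-of-sync handshake: client SYN (wscale 7), then server SYN/ACK.
 * The resulting entry is left in last_conn for inspection. */
struct conn last_conn;
enum verdict run_oos_handshake(bool patched) {
    struct pkt syn = { F_SYN, DIR_ORIG, { 7, 1 } };
    struct pkt synack = { F_SYN | F_ACK, DIR_REPLY, { 2, 1 } };
    struct conn fresh = { .out_of_sync = true };
    last_conn = fresh;
    if (patched) { track_patched(&last_conn, &syn); return track_patched(&last_conn, &synack); }
    track_unpatched(&last_conn, &syn);
    return track_unpatched(&last_conn, &synack);
}
```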