[PATCH] fix tcp_default_win_scale.

[PATCH] fix tcp_default_win_scale.

[Stephen Hemminger]

Recent TCP changes exposed the problem that there ar lots of really broken firewalls 
that strip or alter TCP options.
When the options are modified TCP gets busted now.  The problem is that when
we propose window scaling, we expect that the other side receives the same initial
SYN request that we sent.  If there is corrupting firewalls that strip it then
the window we send is not correctly scaled; so the other side thinks there is not
enough space to send.

I propose that the following that will avoid sending window scaling that
is big enough to break in these cases unless the tcp_rmem has been increased.
It will keep default configuration from blowing in a corrupt world.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>

diff -Nru a/include/linux/sysctl.h b/include/linux/sysctl.h
--- a/include/linux/sysctl.h	2004-07-06 11:45:18 -07:00
+++ b/include/linux/sysctl.h	2004-07-06 11:45:18 -07:00
@@ -337,7 +337,7 @@
  	NET_TCP_BIC=102,
  	NET_TCP_BIC_FAST_CONVERGENCE=103,
 	NET_TCP_BIC_LOW_WINDOW=104,
-	NET_TCP_DEFAULT_WIN_SCALE=105,
+/*	NET_TCP_DEFAULT_WIN_SCALE */
 	NET_TCP_MODERATE_RCVBUF=106,
 };
 
diff -Nru a/include/net/tcp.h b/include/net/tcp.h
--- a/include/net/tcp.h	2004-07-06 11:45:18 -07:00
+++ b/include/net/tcp.h	2004-07-06 11:45:18 -07:00
@@ -611,7 +611,6 @@
 extern int sysctl_tcp_bic;
 extern int sysctl_tcp_bic_fast_convergence;
 extern int sysctl_tcp_bic_low_window;
-extern int sysctl_tcp_default_win_scale;
 extern int sysctl_tcp_moderate_rcvbuf;
 
 extern atomic_t tcp_memory_allocated;
@@ -1690,6 +1689,13 @@
 		*ptr++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_WINDOW << 16) | (TCPOLEN_WINDOW << 8) | (wscale));
 }
 
+/* Default window scaling based on the size of the maximum window  */
+static inline __u8 tcp_default_win_scale(void)
+{
+	int b = ffs(sysctl_tcp_rmem[2]);
+	return (b < 17) ? 0 : b-16;
+}
+
 /* Determine a window scaling and initial window to offer.
  * Based on the assumption that the given amount of space
  * will be offered. Store the results in the tp structure.
@@ -1732,8 +1738,7 @@
 		    space - max((space>>sysctl_tcp_app_win), mss>>*rcv_wscale) < 65536/2)
 			(*rcv_wscale)--;
 
-		*rcv_wscale = max((__u8)sysctl_tcp_default_win_scale,
-				  *rcv_wscale);
+		*rcv_wscale = max(tcp_default_win_scale(), *rcv_wscale);
 	}
 
 	/* Set initial window to value enough for senders,
diff -Nru a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
--- a/net/ipv4/sysctl_net_ipv4.c	2004-07-06 11:45:18 -07:00
+++ b/net/ipv4/sysctl_net_ipv4.c	2004-07-06 11:45:18 -07:00
@@ -667,14 +667,6 @@
 		.proc_handler	= &proc_dointvec,
 	},
 	{
-		.ctl_name	= NET_TCP_DEFAULT_WIN_SCALE,
-		.procname	= "tcp_default_win_scale",
-		.data		= &sysctl_tcp_default_win_scale,
-		.maxlen		= sizeof(int),
-		.mode		= 0644,
-		.proc_handler	= &proc_dointvec,
-	},
-	{
 		.ctl_name	= NET_TCP_MODERATE_RCVBUF,
 		.procname	= "tcp_moderate_rcvbuf",
 		.data		= &sysctl_tcp_moderate_rcvbuf,
diff -Nru a/net/ipv4/tcp.c b/net/ipv4/tcp.c
--- a/net/ipv4/tcp.c	2004-07-06 11:45:18 -07:00
+++ b/net/ipv4/tcp.c	2004-07-06 11:45:18 -07:00
@@ -276,8 +276,6 @@
 
 atomic_t tcp_orphan_count = ATOMIC_INIT(0);
 
-int sysctl_tcp_default_win_scale = 7;
-
 int sysctl_tcp_mem[3];
 int sysctl_tcp_wmem[3] = { 4 * 1024, 16 * 1024, 128 * 1024 };
 int sysctl_tcp_rmem[3] = { 4 * 1024, 87380, 87380 * 2 };

Re: [PATCH] fix tcp_default_win_scale.

[Jamie Lokier]

Stephen Hemminger wrote:
> Recent TCP changes exposed the problem that there ar lots of really
> broken firewalls that strip or alter TCP options.  When the options
> are modified TCP gets busted now.  The problem is that when we
> propose window scaling, we expect that the other side receives the
> same initial SYN request that we sent.  If there is corrupting
> firewalls that strip it then the window we send is not correctly
> scaled; so the other side thinks there is not enough space to send.

If a firewall strips the window scaling option in both directions,
then window scaling is disabled (RFC 1323 section 2.2).

Are you saying there are broken firewalls which strip TCP options in
one direction only?

-- Jamie

Re: [PATCH] fix tcp_default_win_scale.

[Nivedita Singhvi]

Stephen Hemminger wrote:
> Recent TCP changes exposed the problem that there ar lots of really broken firewalls 
> that strip or alter TCP options.

We should not be accepting of this situation, surely. I mean, the firewalls
have to get fixed. Multiple things are breaking here, due to this. What
are the other options they are messing with, and and any idea why?

> When the options are modified TCP gets busted now.  The problem is that when
> we propose window scaling, we expect that the other side receives the same initial
> SYN request that we sent.  If there is corrupting firewalls that strip it then
> the window we send is not correctly scaled; so the other side thinks there is not
> enough space to send.

If the firewall is actually stripping the TCP window scaling option,
then that tells the other end that we can't *receive* scaled windows
either, since the option indicates both, we are sending and capable
of receiving. i.e. The other end will not send us scaled windows.
There is no way we can fix this on the rcv end.

> I propose that the following that will avoid sending window scaling that
> is big enough to break in these cases unless the tcp_rmem has been increased.
> It will keep default configuration from blowing in a corrupt world.

Does this need to be the default behaviour? Just how prevalent is
this??

thanks,
Nivedita

Re: [PATCH] fix tcp_default_win_scale.

[Stephen Hemminger]

On Tue, 6 Jul 2004 20:40:34 +0100
Jamie Lokier <jamie@shareable.org> wrote:

> Stephen Hemminger wrote:
> > Recent TCP changes exposed the problem that there ar lots of really
> > broken firewalls that strip or alter TCP options.  When the options
> > are modified TCP gets busted now.  The problem is that when we
> > propose window scaling, we expect that the other side receives the
> > same initial SYN request that we sent.  If there is corrupting
> > firewalls that strip it then the window we send is not correctly
> > scaled; so the other side thinks there is not enough space to send.
> 
> If a firewall strips the window scaling option in both directions,
> then window scaling is disabled (RFC 1323 section 2.2).
> 
> Are you saying there are broken firewalls which strip TCP options in
> one direction only?

It appears so.

Re: [PATCH] fix tcp_default_win_scale.

[David S. Miller]

On Tue, 6 Jul 2004 20:40:34 +0100
Jamie Lokier <jamie@shareable.org> wrote:

> If a firewall strips the window scaling option in both directions,
> then window scaling is disabled (RFC 1323 section 2.2).
> 
> Are you saying there are broken firewalls which strip TCP options in
> one direction only?

It is this specific case:

1) SYN packet contains window scale option of ZERO.

   This says two things, that the system will use a window
   scale of ZERO and that it SUPPORTS send and receive window
   scaling.

   If the firewall were to delete this, we'd be OK, but it
   does not.  It leaves the option with zero in there.

2) SYN+ACK goes back out with non-zero window scale option.

   Note that because of #1, it is impossible for the system
   which sent the SYN packet to "refuse" the window scale
   option sent in the SYN+ACK.

   Here is where we have problems.  If the firewall patches
   the scale to zero, which is what some of these things
   are doing, it is then the firewall's responsibility to
   scale the window to make it appear to be zero-scaled.

   And this is not being done by these broken firewalls.

BTW, this is why it is so important to get tcpdump traces
at both ends of the connection to analyze problems like
this.  If you look at only one side with dumps, you might
not get the side that is getting packets edited by a
firewall or other device.

These machines are so broken that I absolutely refuse to change
how we behave to work around them.

If they want window scaling to be effectively disabled, they should
patch out the window scale option in the "SYN" packet, this prevents
the SYN+ACK sending system from advertising any window scaling support.

What these broken devices are doing is effectively making window
scaling unusable on the internet, and I refuse to swallow such
crap.

Re: [PATCH] fix tcp_default_win_scale.

[David S. Miller]

On Tue, 06 Jul 2004 13:00:07 -0700
Nivedita Singhvi <niv@us.ibm.com> wrote:

> Stephen Hemminger wrote:
> > Recent TCP changes exposed the problem that there ar lots of really broken firewalls 
> > that strip or alter TCP options.
> 
> We should not be accepting of this situation, surely. I mean, the firewalls
> have to get fixed. Multiple things are breaking here, due to this. What
> are the other options they are messing with, and and any idea why?

I totally agree with Nivedita, and that's why I'm not going to
apply Stephen's patch.

> If the firewall is actually stripping the TCP window scaling option,
> then that tells the other end that we can't *receive* scaled windows
> either, since the option indicates both, we are sending and capable
> of receiving. i.e. The other end will not send us scaled windows.
> There is no way we can fix this on the rcv end.
> 

That's correct.  If the SYN contains a window scale option, this tells
the SYN+ACK sending side that both receive and send side window scaling
is supported.  I think what's really happening is that the firewall is
patching the non-zero window scale option in the SYN+ACK  packet to be
zero, yet not adjusting the window field of packets in the rest of the
TCP stream.

> Does this need to be the default behaviour? Just how prevalent is
> this??

Frankly, I've personally seen none of this.  I sit on a DSL line with
no firewalling at my end and I can access all sites just fine.  This
seems to indicate that most of the breakage is local to the user's
point of access to the net, rather than a firewall at google.com
or kernel.org or similar.

Re: [PATCH] fix tcp_default_win_scale.

[David S. Miller]

On Tue, 6 Jul 2004 20:58:56 +0200
Jan-Benedict Glaw <jbglaw@lug-owl.de> wrote:

> On Tue, 2004-07-06 11:47:41 -0700, Stephen Hemminger <shemminger@osdl.org>
> wrote in message <20040706114741.1bf98bbe@dell_ss3.pdx.osdl.net>:
> 
> > I propose that the following that will avoid sending window scaling that
> > is big enough to break in these cases unless the tcp_rmem has been increased.
> > It will keep default configuration from blowing in a corrupt world.
> 
> I'm not sure if this is the right way to react. I'd think it's okay to
> give the user the possibility to scale the window so that it works with
> his b0rk3d firewall, but default behavior should be to do whatever the
> protocol dictates/allows.

I totally agree, and that's why the sysctl is there for people to
tweak as they desire.

Jan, any particular reason you removed so much stuff (in particular
netdev@oss.sgi.com) from the CC: list in your posting here?

Re: [PATCH] fix tcp_default_win_scale.

[David S. Miller]

On Tue, 6 Jul 2004 11:47:41 -0700
Stephen Hemminger <shemminger@osdl.org> wrote:

> The problem is that when
> we propose window scaling, we expect that the other side receives the same initial
> SYN request that we sent.  If there is corrupting firewalls that strip it then
> the window we send is not correctly scaled; so the other side thinks there is not
> enough space to send.

Inaccurate analysis Stephen.

If the window option is edited out from the SYN by the firewall,
it is impossible for the receiving system to respond with any
window scaling option in the SYN+ACK packet.

If a window scale option is not present in the SYN, it means that
it does not support window scaling at all.

What must be really happening, therefore, is that the firewall is
patching the scale factor in the option, not deleting it outright.
And then it isn't properly rescaling the window field in the TCP
headers for the rest of the connection's lifetime.  That would explain
all of this.

We can confirm this by getting a trace at both ends of a sick connection,
and seeing if a non-zero window scale option gets patched to some other
value by the time it reaches the receiving system.

Then we will be aware of two bugs:

1) Cisco IOS, when NAT'ing, can mis-adjust SACK block options such
   that the sequence numbers are corrupt.

2) Some firewalls patch non-zero window scale options to be zero ones
   yet do not properly adjust the window field in TCP headers for the
   rest of the connection.

Re: [PATCH] fix tcp_default_win_scale.

[David Ford]

[-- Attachment #1: Type: text/plain, Size: 593 bytes --]

It's been a while since I used a 1460 MTU for PPTP over DSL, but unless 
OSDN got a clue recently, their firewalls drop the ICMP for PMTU 
discovery.  Does anyone have a tool that exercises a bunch of TCP/IP 
options to detect such broken firewalls?

David

David S. Miller wrote:

>[...]
>Frankly, I've personally seen none of this.  I sit on a DSL line with
>no firewalling at my end and I can access all sites just fine.  This
>seems to indicate that most of the breakage is local to the user's
>point of access to the net, rather than a firewall at google.com
>or kernel.org or similar.
>

[-- Attachment #2: david+challenge-response.vcf --]
[-- Type: text/x-vcard, Size: 183 bytes --]

begin:vcard
fn:David Ford
n:Ford;David
email;internet:david@blue-labs.org
title:Industrial Geek
tel;home:Ask please
tel;cell:(203) 650-3611
x-mozilla-html:TRUE
version:2.1
end:vcard

Re: [PATCH] fix tcp_default_win_scale.

[David S. Miller]

On Tue, 6 Jul 2004 13:05:49 -0700
Stephen Hemminger <shemminger@osdl.org> wrote:

> On Tue, 6 Jul 2004 20:40:34 +0100
> Jamie Lokier <jamie@shareable.org> wrote:
> 
> > Are you saying there are broken firewalls which strip TCP options in
> > one direction only?
> 
> It appears so.

Ok, this is a possibility.  And why it breaks is that if the ACK
for the SYN+ACK comes back, the SYN+ACK sender can only assume
that the window scale was accepted.

Stephen, do you have a trace showing exactly this?

Re: [PATCH] fix tcp_default_win_scale.

[Stephen Hemminger]

On Tue, 6 Jul 2004 13:17:31 -0700
"David S. Miller" <davem@redhat.com> wrote:

> On Tue, 6 Jul 2004 20:58:56 +0200
> Jan-Benedict Glaw <jbglaw@lug-owl.de> wrote:
> 
> > On Tue, 2004-07-06 11:47:41 -0700, Stephen Hemminger <shemminger@osdl.org>
> > wrote in message <20040706114741.1bf98bbe@dell_ss3.pdx.osdl.net>:
> > 
> > > I propose that the following that will avoid sending window scaling that
> > > is big enough to break in these cases unless the tcp_rmem has been increased.
> > > It will keep default configuration from blowing in a corrupt world.
> > 
> > I'm not sure if this is the right way to react. I'd think it's okay to
> > give the user the possibility to scale the window so that it works with
> > his b0rk3d firewall, but default behavior should be to do whatever the
> > protocol dictates/allows.
> 
> I totally agree, and that's why the sysctl is there for people to
> tweak as they desire.
> 
> Jan, any particular reason you removed so much stuff (in particular
> netdev@oss.sgi.com) from the CC: list in your posting here?

The point is we are sending a bigger window scale then we need to.
The maximum receive window is limited by tcp_rmem[2], so we only need to
allow that much.  Having a different sysctl just for that is unnecessary and
potentially confusing.

The default tcp_rmem[2] is 174760, so we only need a wscale of 2 to represent
that. We were sending 7.

Re: [PATCH] fix tcp_default_win_scale.

[David S. Miller]

On Tue, 6 Jul 2004 13:31:46 -0700
Stephen Hemminger <shemminger@osdl.org> wrote:

> The default tcp_rmem[2] is 174760, so we only need a wscale of 2 to represent
> that. We were sending 7.

It's only going to paper over this problem, because a window scale
of 2 still gets edited by the firewalls yet doesn't cause the
kind of damage 7 does.

Also, using a value of 7 is very safe, because it handles even the
tinyest of MTU's in use today (512 byte SLIP connections, for example
can still advertise sub-MTU sized chunks in the window).  Since
a window scale of 7 allows a granularity of 128 octets.

RE: [PATCH] fix tcp_default_win_scale.

[Tim Berti]

How do i get off this list?

Tim Berti 
Senior Recruiter 
TECHNOLOGY SEARCH INTERNATIONAL 
1737 North First Street, Suite 600 
San Jose, CA. 95112 
http://www.tsearch.com 
Email: tim@tsearch.com 
Phone: 408-437-9500 Ext. 303 



-----Original Message-----
From: Stephen Hemminger [mailto:shemminger@osdl.org]
Sent: Tuesday, July 06, 2004 1:37 PM
To: David S. Miller
Cc: jamie@shareable.org; netdev@oss.sgi.com; linux-net@vger.kernel.org;
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fix tcp_default_win_scale.


On Tue, 6 Jul 2004 13:28:22 -0700
"David S. Miller" <davem@redhat.com> wrote:

> On Tue, 6 Jul 2004 13:05:49 -0700
> Stephen Hemminger <shemminger@osdl.org> wrote:
> 
> > On Tue, 6 Jul 2004 20:40:34 +0100
> > Jamie Lokier <jamie@shareable.org> wrote:
> > 
> > > Are you saying there are broken firewalls which strip TCP options in
> > > one direction only?
> > 
> > It appears so.
> 
> Ok, this is a possibility.  And why it breaks is that if the ACK
> for the SYN+ACK comes back, the SYN+ACK sender can only assume
> that the window scale was accepted.
> 
> Stephen, do you have a trace showing exactly this?

No, I don't have a br0ken firewall here.  I can get out fine.
When I setup with same kernel as packages.gentoo.org, it works fine as well.

Re: [PATCH] fix tcp_default_win_scale.

[David S. Miller]

On Tue, 6 Jul 2004 13:36:41 -0700
Stephen Hemminger <shemminger@osdl.org> wrote:

> > Ok, this is a possibility.  And why it breaks is that if the ACK
> > for the SYN+ACK comes back, the SYN+ACK sender can only assume
> > that the window scale was accepted.
> > 
> > Stephen, do you have a trace showing exactly this?
> 
> No, I don't have a br0ken firewall here.  I can get out fine.
> When I setup with same kernel as packages.gentoo.org, it works fine as well.

Therefore we do not know which of the following two it really is:

1) window scale option being stripped from SYN+ACK

2) non-zero window option being patched into a zero window
   scale option

The trace Bert Hubert will get with Alessandro will give us the
information we need.

Re: [PATCH] fix tcp_default_win_scale.

[Stephen Hemminger]

On Tue, 6 Jul 2004 13:28:22 -0700
"David S. Miller" <davem@redhat.com> wrote:

> On Tue, 6 Jul 2004 13:05:49 -0700
> Stephen Hemminger <shemminger@osdl.org> wrote:
> 
> > On Tue, 6 Jul 2004 20:40:34 +0100
> > Jamie Lokier <jamie@shareable.org> wrote:
> > 
> > > Are you saying there are broken firewalls which strip TCP options in
> > > one direction only?
> > 
> > It appears so.
> 
> Ok, this is a possibility.  And why it breaks is that if the ACK
> for the SYN+ACK comes back, the SYN+ACK sender can only assume
> that the window scale was accepted.
> 
> Stephen, do you have a trace showing exactly this?

No, I don't have a br0ken firewall here.  I can get out fine.
When I setup with same kernel as packages.gentoo.org, it works fine as well.

Re: [PATCH] fix tcp_default_win_scale.

[David Ford]

[-- Attachment #1: Type: text/plain, Size: 1783 bytes --]

By recruiting someone with enough of a technology clue to scroll to the 
bottom of the message and read: "To unsubscribe from ...."

:P

David
p.s. and I wonder why I have so little faith in marketing and HR.

Tim Berti wrote:

>How do i get off this list?
>
>Tim Berti 
>Senior Recruiter 
>TECHNOLOGY SEARCH INTERNATIONAL 
>1737 North First Street, Suite 600 
>San Jose, CA. 95112 
>http://www.tsearch.com 
>Email: tim@tsearch.com 
>Phone: 408-437-9500 Ext. 303 
>
>
>
>-----Original Message-----
>From: Stephen Hemminger [mailto:shemminger@osdl.org]
>Sent: Tuesday, July 06, 2004 1:37 PM
>To: David S. Miller
>Cc: jamie@shareable.org; netdev@oss.sgi.com; linux-net@vger.kernel.org;
>linux-kernel@vger.kernel.org
>Subject: Re: [PATCH] fix tcp_default_win_scale.
>
>
>On Tue, 6 Jul 2004 13:28:22 -0700
>"David S. Miller" <davem@redhat.com> wrote:
>
>  
>
>>On Tue, 6 Jul 2004 13:05:49 -0700
>>Stephen Hemminger <shemminger@osdl.org> wrote:
>>
>>    
>>
>>>On Tue, 6 Jul 2004 20:40:34 +0100
>>>Jamie Lokier <jamie@shareable.org> wrote:
>>>
>>>      
>>>
>>>>Are you saying there are broken firewalls which strip TCP options in
>>>>one direction only?
>>>>        
>>>>
>>>It appears so.
>>>      
>>>
>>Ok, this is a possibility.  And why it breaks is that if the ACK
>>for the SYN+ACK comes back, the SYN+ACK sender can only assume
>>that the window scale was accepted.
>>
>>Stephen, do you have a trace showing exactly this?
>>    
>>
>
>No, I don't have a br0ken firewall here.  I can get out fine.
>When I setup with same kernel as packages.gentoo.org, it works fine as well.
>-
>To unsubscribe from this list: send the line "unsubscribe linux-net" in
>the body of a message to majordomo@vger.kernel.org
>More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>  
>

[-- Attachment #2: david+challenge-response.vcf --]
[-- Type: text/x-vcard, Size: 183 bytes --]

begin:vcard
fn:David Ford
n:Ford;David
email;internet:david@blue-labs.org
title:Industrial Geek
tel;home:Ask please
tel;cell:(203) 650-3611
x-mozilla-html:TRUE
version:2.1
end:vcard

Re: [PATCH] fix tcp_default_win_scale.

[John Heffner]

Another bit to addr to the firewall / window scale mess:  I remember from
a while ago that the Cisco PIX firewalls would not allow a window scale of
greater than 8.  I don't know if they've fixed this or not.  It seems
like some sort of arbitrary limit.

This is obviously not the problem people are seeing now, but could be a
problem in the future.

  -John

Re: [PATCH] fix tcp_default_win_scale.

[bert hubert]

On Tue, Jul 06, 2004 at 01:12:35PM -0700, David S. Miller wrote:

> It is this specific case:
> 
> 1) SYN packet contains window scale option of ZERO.

Not true - the outgoing SYN packet had window scale 7, when it was sent. The
SYN|ACK had window scale 0, when received by the initiating system.

Also - even if the remote were to assume a 47 byte window size, would it not
be able to send small packets? Or does the window size also include
packet haders?

Regards,

bert


-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO

Re: [PATCH] fix tcp_default_win_scale.

[David S. Miller]

On Wed, 7 Jul 2004 00:44:53 +0200
bert hubert <ahu@ds9a.nl> wrote:

> Not true - the outgoing SYN packet had window scale 7, when it was sent. The
> SYN|ACK had window scale 0, when received by the initiating system.
> 
> Also - even if the remote were to assume a 47 byte window size, would it not
> be able to send small packets? Or does the window size also include
> packet haders?

SWS avoidance makes us not send packets.  See this quote in an email
from John Heffner the other week:

================================
To elaborate on my earlier mail. my hypothesis is that somehow the web
server beleives that we sent a winscale of 0.  In such a case, when we try
to advertise our initial 4*MSS (5840 bytes) of window, with a window scale
of 3 we use a value of 730 in the window field.  All sender SWS avoidance
(RFC1122) tests will fail, most notably 1 (because we already advertised
5840 bytes and 730 < 5840/2) and 3 (because 730 < 1460).  With a winscale
of 2, we will use a value of 1460 in the window field, so both tests will
succeed.
================================

Re: [PATCH] fix tcp_default_win_scale.

[David S. Miller]

On Tue, 6 Jul 2004 17:55:12 -0400 (EDT)
John Heffner <jheffner@psc.edu> wrote:

> Another bit to addr to the firewall / window scale mess:  I remember from
> a while ago that the Cisco PIX firewalls would not allow a window scale of
> greater than 8.  I don't know if they've fixed this or not.  It seems
> like some sort of arbitrary limit.

In what manner did it deal with > 8 window scales?  By rewriting the option
or deleting the option entirely from the SYN or SYN+ACK packets?

Re: [PATCH] fix tcp_default_win_scale.

[Andi Kleen]

I would not change anything, just suggest that users who sit
behind such a broken device do

echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

and yell loudly at their ISPs to get this fixed. Crippling the stack
by default just to work around such obvious bugs would be wrong.

In the past there were similar bugs with broken VJ header compression
algorithms that also corrupted window scaling. We just ignored
these and suggested to the users to turn it off. That worked fine.

[btw it's quite possible that this isn't a firewall, but also
some kind of header compression that is doing the wrong thing]

-Andi

Re: [PATCH] fix tcp_default_win_scale.

[Redeeman]

On Tue, 2004-07-06 at 11:47 -0700, Stephen Hemminger wrote:
> Recent TCP changes exposed the problem that there ar lots of really broken firewalls 
> that strip or alter TCP options.
> When the options are modified TCP gets busted now.  The problem is that when
> we propose window scaling, we expect that the other side receives the same initial
> SYN request that we sent.  If there is corrupting firewalls that strip it then
> the window we send is not correctly scaled; so the other side thinks there is not
> enough space to send.
> 
> I propose that the following that will avoid sending window scaling that
> is big enough to break in these cases unless the tcp_rmem has been increased.
> It will keep default configuration from blowing in a corrupt world.
so this should fix the issues? can you also tell me why this suddenly happend? that would make me a real happy man

> Signed-off-by: Stephen Hemminger <shemminger@osdl.org>

> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 

Re: [PATCH] fix tcp_default_win_scale.

[John Heffner]

On Tue, 6 Jul 2004, David S. Miller wrote:

> On Tue, 6 Jul 2004 17:55:12 -0400 (EDT)
> John Heffner <jheffner@psc.edu> wrote:
>
> > Another bit to addr to the firewall / window scale mess:  I remember from
> > a while ago that the Cisco PIX firewalls would not allow a window scale of
> > greater than 8.  I don't know if they've fixed this or not.  It seems
> > like some sort of arbitrary limit.
>
> In what manner did it deal with > 8 window scales?  By rewriting the option
> or deleting the option entirely from the SYN or SYN+ACK packets?

I don't recall.  It was not as ugly as changing the option value.  It may
have just sent a RST.

  -John

Re: [PATCH] fix tcp_default_win_scale.

[Chris Wedgwood]

On Wed, Jul 07, 2004 at 01:16:00AM +0200, Andi Kleen wrote:

> [btw it's quite possible that this isn't a firewall, but also
> some kind of header compression that is doing the wrong thing]

... or some kind of nasty intrusive bandwidth molesting device like a
PacketShaper...


   --cw

Re: [PATCH] fix tcp_default_win_scale.

[Stephen Hemminger]

I do not argue with that the correct thing to do is to use window scaling
and find/fix the poor sop's stuck behind busted networks.

But: isn't it better to have just one sysctl parameter set (tcp_rmem)
and set the window scale as needed rather than increasing the already
bewildering array of dials and knobs?  I can't see why it would be advantageous
to set a window scale of 7 if the largest possible window ever offered
is limited to a smaller value? 

Re: [PATCH] fix tcp_default_win_scale.

[Jamie Lokier]

Stephen Hemminger wrote:
> But: isn't it better to have just one sysctl parameter set
> (tcp_rmem) and set the window scale as needed rather than increasing
> the already bewildering array of dials and knobs?  I can't see why
> it would be advantageous to set a window scale of 7 if the largest
> possible window ever offered is limited to a smaller value?

That's a fair question.

It seems to me the only effects of a larger scale than necessary
are (a) the buffer size can be increased after the connection is
established, and (b) coarser granularity which can only degrade
performance over low mss links.

So why do we set a larger window scale than necessary?
Is it to support (a)?

-- Jamie

Re: [PATCH] fix tcp_default_win_scale.

[bert hubert]

On Wed, Jul 07, 2004 at 08:31:25PM +0100, Jamie Lokier wrote:

> So why do we set a larger window scale than necessary?
> Is it to support (a)?

It might be useful to shake out the bugs of the internet - so far I have
indications that at least on residential ADSL router is responsible, it
removes wscale when doing TCP portforwarding.

If and when we decide to do larger rmem than now, we might have a better
chance.

Regards,

bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO

Re: [PATCH] fix tcp_default_win_scale.

[John Heffner]

On Wed, 7 Jul 2004, Stephen Hemminger wrote:

> I do not argue with that the correct thing to do is to use window scaling
> and find/fix the poor sop's stuck behind busted networks.
>
> But: isn't it better to have just one sysctl parameter set (tcp_rmem)
> and set the window scale as needed rather than increasing the already
> bewildering array of dials and knobs?  I can't see why it would be advantageous
> to set a window scale of 7 if the largest possible window ever offered
> is limited to a smaller value?


I personally agree with this.  One can imagine cases where it would be
useful to have a control on window scale, but the added complexity is
probably not worth it.

  -John

Re: [PATCH] fix tcp_default_win_scale.

[John Heffner]

On Tue, 6 Jul 2004, Stephen Hemminger wrote:

> +/* Default window scaling based on the size of the maximum window  */
> +static inline __u8 tcp_default_win_scale(void)
> +{
> +	int b = ffs(sysctl_tcp_rmem[2]);
> +	return (b < 17) ? 0 : b-16;
> +}


I would actually change this to be:

static inline __u8 tcp_select_win_scale(void)
{
	int b = ffs(tcp_win_from_space(max(sysctl_tcp_rmem[2], sysctl_rmem_max)));
	b = (b < 17) ? 0 : b-16;
	return max(b, 14);
}

Then you can also get rid of all the window scale calculation code in
tcp_select_initial_window().

  -John

Re: [PATCH] fix tcp_default_win_scale.

[David S. Miller]

On Wed, 7 Jul 2004 11:06:53 -0700
Stephen Hemminger <shemminger@osdl.org> wrote:

> But: isn't it better to have just one sysctl parameter set (tcp_rmem)
> and set the window scale as needed rather than increasing the already
> bewildering array of dials and knobs?  I can't see why it would be advantageous
> to set a window scale of 7 if the largest possible window ever offered
> is limited to a smaller value? 

Stephen, here is what is going to happen if we apply your patch.

The default window scale will be 2, which is under the value which
starts to cause the problems which is 3.

So things will silently work, and most people will not notice the
problem.

I'd much rather bugs scream out saying "I'm a bug fix me!" than to
just silently linger around mostly unnoticed.