From: Phil Oester <kernel@linuxace.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org,
Pablo Neira Ayuso <pablo@netfilter.org>,
Corey Hickey <bugfood-ml@fatooh.org>
Subject: Re: [PATCH 1/1] netfilter: Ignore bogus SACK option values in TCP conntrack
Date: Wed, 4 Sep 2013 09:54:03 -0700 [thread overview]
Message-ID: <20130904165403.GA13703@linuxace.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1309030858120.2504@blackhole.kfki.hu>
On Tue, Sep 03, 2013 at 09:31:19AM +0200, Jozsef Kadlecsik wrote:
> On Mon, 2 Sep 2013, Phil Oester wrote:
> > But if conntrack were being "liberal" then it wouldn't care about the
> > value of the ACKs either, no? This sort of defeats the purpose of TCP
> > window tracking.
>
> No, it doesn't defeat it - we fall back to checking the ACK value against
> the window.
>
> > At the very least, this workaround should be dependent upon
> > nf_conntrack_tcp_be_liberal != 0.
> >
> > Also note that David Miller refused to accept a patch working around this
> > issue in the TCP stack [1]. Why should netfilter do so?
> >
> > [1] http://marc.info/?l=linux-netdev&m=137714232805063&w=2
>
> The purpose of that patch is to get back as much performance of TCP as
> possible, by working around the broken SACK options.
>
> This patch lets the traffic at least through, otherwise it's simply
> blocked by conntrack. Similarly to the TCP stack, conntrack should ignore
> bogus SACK values instead of effectively dropping the stream.
>
> This is a long time issue. To be honest, I believed such anonymizer
> devices would have disappeared (fixed) by now. However it is apparently
> not so and at the same time conntrack actually breaks TCP robustness.
> Therefore I think it should be fixed.
This should still only be allowed if nf_conntrack_tcp_be_liberal is enabled
IMHO (or some new sysctl like nf_conntrack_tcp_sack_be_liberal?). Personally
I don't care about these broken middleboxes, and would rather not have SACK
validation disabled by default.
Phil
next prev parent reply other threads:[~2013-09-04 16:54 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-02 18:57 [PATCH 0/1] netfilter: Ignore bogus SACK option values in TCP conntrack Jozsef Kadlecsik
2013-09-02 18:58 ` [PATCH 1/1] " Jozsef Kadlecsik
2013-09-02 20:39 ` Corey Hickey
2013-09-02 21:57 ` Phil Oester
2013-09-03 7:31 ` Jozsef Kadlecsik
2013-09-04 16:54 ` Phil Oester [this message]
2013-09-13 20:16 ` Jozsef Kadlecsik
2013-09-15 16:22 ` Phil Oester
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130904165403.GA13703@linuxace.com \
--to=kernel@linuxace.com \
--cc=bugfood-ml@fatooh.org \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).