From: Luca Pesce <pesce.luca@gmail.com>
To: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: xt_TCPMSS target dropping SYN packets with data: suggested mod
Date: Fri, 17 Jul 2009 09:44:08 +0200
Message-ID: <873dce860907170044v45353d01sd5f0c5305e9ffdb8@mail.gmail.com>
In-Reply-To: <4A5F0C41.5030101@plouf.fr.eu.org>
Hi,

Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> When the receiver has SYN cookies enabled, it replies to a SYN with a
> SYN-ACK as usual, but does not keep any state for it. Instead the state is
> stored in the ISN (used as a "cookie") of the SYN-ACK and will come back in
> the final ACK of the 3-way handshake. Not keeping state means that any data
> contained in the first SYN segment are discarded.

Thanks for your explanation!

Ok, so if the receiver is using syn cookies, the data in the SYN would be
discarded, and that is fine. But the current implementation of TCPMSS target
is dropping the whole syn packet (if it is carrying any payload), so the
receiver is not receiving the syn - in that case, the TCP connection could
not be established.

Again, I know that this scenario is very rare and awkward; I was only thinking
about relaxing that check in the TCPMSS target to let this SYN with data go
through and establish the TCP connection, without caring too much about the
payload.
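
The check discussed in this message, as an added user-space model in C (not the xt_TCPMSS source and not code from this thread): with `allow_syn_data` set to 0 a SYN carrying payload is dropped, with 1 it is passed and its MSS option is still clamped with an incremental checksum fix. The names `clamp_mss`, `csum_fix`, `allow_syn_data` and the verdict values are hypothetical, and the sample segment with its dummy checksum is constructed.

```c
#include <stdint.h>
#include <stdio.h>

enum verdict { V_DROP, V_PASS, V_CLAMPED };
#define SWAP16(x) ((uint16_t)((x) << 8 | (x) >> 8))

/* RFC 1624 incremental update of checksum hc when one 16-bit word changes. */
static uint16_t csum_fix(uint16_t hc, uint16_t old, uint16_t neu)
{
    uint32_t s = (uint32_t)(uint16_t)~hc + (uint16_t)~old + neu;
    s = (s & 0xffff) + (s >> 16);
    s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* seg = TCP header + payload (len bytes). allow_syn_data = 0 models the strict
 * check described in the thread, 1 the relaxed behaviour (assumed semantics). */
static enum verdict clamp_mss(uint8_t *seg, size_t len, uint16_t mss, int allow_syn_data)
{
    size_t hdr = len < 20 ? 0 : (size_t)(seg[12] >> 4) * 4, i = 20;
    if (hdr < 20 || hdr > len) return V_DROP;          /* short or bad data offset */
    if (!(seg[13] & 0x02)) return V_PASS;              /* not a SYN */
    if (len != hdr && !allow_syn_data) return V_DROP;  /* SYN carrying payload */
    while (i < hdr && seg[i] != 0) {                   /* kind 0 ends the list */
        if (seg[i] == 1) { i++; continue; }            /* kind 1 = NOP */
        if (i + 1 >= hdr || seg[i + 1] < 2 || i + seg[i + 1] > hdr) return V_DROP;
        if (seg[i] == 2 && seg[i + 1] == 4) {          /* kind 2 = MSS */
            uint16_t old = (uint16_t)(seg[i + 2] << 8 | seg[i + 3]), neu = mss;
            if (old <= mss) return V_PASS;             /* never raise the MSS */
            seg[i + 2] = (uint8_t)(mss >> 8); seg[i + 3] = (uint8_t)mss;
            if (i & 1) { old = SWAP16(old); neu = SWAP16(neu); } /* odd offset */
            uint16_t c = csum_fix((uint16_t)(seg[16] << 8 | seg[17]), old, neu);
            seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
            return V_CLAMPED;
        }
        i += seg[i + 1];
    }
    return V_PASS;
}

int main(void)
{
    /* Constructed SYN: 24-byte header, MSS 1460, 4 payload bytes, dummy checksum. */
    uint8_t syn[28] = { 0xC0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x60,0x02,
        0x20,0x00, 0xAB,0xCD, 0,0, 2,4,0x05,0xB4, 'd','a','t','a' };
    int strict = clamp_mss(syn, sizeof syn, 1400, 0);
    int relaxed = clamp_mss(syn, sizeof syn, 1400, 1);
    printf("strict=%d relaxed=%d mss=%d\n", strict, relaxed, syn[22] << 8 | syn[23]);
}
```
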