| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Aug 2013 22:43:07 +0200 From: Christoph Paasch <christoph.paasch@...ouvain.be> To: Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu> Cc: Eric Dumazet <eric.dumazet@...il.com>, Corey Hickey <bugfood-ml@...ooh.org>, Linux Netdev List <netdev@...r.kernel.org>, netfilter-devel@...r.kernel.org Subject: Re: NAT stops forwarding ACKs after PMTU discovery On 19/08/13 - 22:13:59, Jozsef Kadlecsik wrote: > On Mon, 19 Aug 2013, Eric Dumazet wrote: > > > On Mon, 2013-08-19 at 15:49 +0200, Christoph Paasch wrote: > > > > > It's a TCP-patch, that interprets duplicate-acks with invalid SACK-blocks as > > > duplicate acks in tcp_sock->sacked_out. > > > > Yeah, but here, this is conntrack who is blocking the thing. > > > > TCP receiver has no chance to 'fix' it. > > > > See conntrack is one of those buggy middle box as well. > > > > So if you want to properly handle this mess, you'll also have to fix > > conntrack. > > I beg you pardon: why conntrack should be relaxed, when it is expected > to do more strict TCP checkings (RFC5961, Section 5.). There is no mention of SACK in this RFC. The duplicate ACKs with invalid SACK-blocks are valid with respect to RFC5961, Section 5. Actually, no RFC says that dup-ACKs with invalid SACK-blocks should be discarded. Cheers, Christoph -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists