IPFW SACK options

Chuck Swiger cswiger at mac.com
Wed Mar 7 23:00:40 UTC 2007 

On Mar 7, 2007, at 2:35 PM, Justin Robertson wrote:
>> The issue here is that no windows PC is compliant, and continues  
>> to try and send SYN SACK packets until giving up entirely on the  
>> connection - I've already tried this. I can't tell you why the bsd  
>> stack doesn't have an issue with bare SYNs, but does on SYNs with  
>> SACK set in the tcpoptions, but it apparently does.
>>
> Example - windows PC trying to connect to POP mailserver, sacks  
> blocked (being viewed from firewall)
>
> 14:31:54.632444 client.52985 > server.110: S [tcp sum ok]  
> 3734795545:3734795545(0) win 8192 <mss 1460,nop,wscale  
> 8,nop,nop,sackOK> (DF) (ttl 115, id 12030, len 52)
> 14:31:57.629151 client.52985 > server.110: S [tcp sum ok]  
> 3734795545:3734795545(0) win 8192 <mss 1460,nop,wscale  
> 8,nop,nop,sackOK> (DF) (ttl 115, id 12034, len 52)
> 14:32:03.635511 client.52985 > server.110: S [tcp sum ok]  
> 3734795545:3734795545(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)  
> (ttl 115, id 12046, len 48)
>
> You get three sack attempted retransmissions, then failure. It's  
> not sending selective acks, it's trying to establish that selective  
> acks are allowed for the rest of the communication between client/ 
> server.

Which flavor of Windows was the sender?

I seem to recall that Win2000/XP/2003 was willing to resend the SYN  
without enabling the SACK option after a few retries, but it's been a  
while since I've done that sort of testing...

> I just want to strip the sack options from the packet and pass it  
> on. The "issue" is that BSD can't cope with a flood of syn/sack  
> permitted packets. All IP lags, and on 6.x stops all-together.

Is the machine you're testing against the destination of this  
traffic, or are you wanting to change this on a firewall box which  
lies between the sender and destination?

If the latter, I would agree that you'd need to hack the firewall  
code.  But if the former, take a look into /usr/src/sys/netinet/ 
tcp_input.c for the tcp_dooptions() function, and try to #ifdef out  
the cases for TCPOPT_SACK_PERMITTED & TCPOPT_SACK?

-- 
-Chuck

More information about the freebsd-ipfw mailing list