Fixing "Slipping in the window" before 4.11-release
gnn at FreeBSD.org
Mon Jan 3 10:54:30 GMT 2005
At Mon, 3 Jan 2005 01:31:29 -0600 (CST),
Mike Silbersack wrote:
> For the life of me, I can't figure out why SYN packets (other than delayed
> retransmissions of the original SYN) would ever show up once a connection
> is in the ESTABLISHED state.
They "shouldn't" and I think ignoring them makes sense, but that's
just me. I gather you did a search of Stevens to see if there had
ever been a justification for dealing with SYN once established? The
only thing I could think of was to go look again at how half open
connections are handled. I have not taken a look at that, but it
sticks in my mind as the only thing that could cause an issue.
> So, I'm proposing the attached patch, which simply ignores any
> packet with the SYN flag on it while a connection is in the
> ESTABLISHED state.
That sounds fine to me.
> What are people's thoughts on this? I'm especially interested how
> stateful firewalls like IPF or PF would handle such a situation. How do
> they respond to unexpected SYN packets?
Well, those I cannot comment on.
> diff -u -r /usr/src/sys.old/netinet/tcp_input.c
> /usr/src/sys/netinet/tcp_input.c
One quick comment on the patch. Do we want to count these kinds of
drops separately?
Later,
George
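
The behaviour discussed in this thread, sketched as an added example (this is not the attached patch and not code from FreeBSD's tcp_input.c): under RFC 793 a SYN that lands inside the receive window of an ESTABLISHED connection resets it, while the proposed policy ignores any SYN and, as suggested in the reply, counts those drops separately. The `struct conn`, the policy and verdict names, and the counters are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02   /* SYN bit in the TCP flags byte */
#define TH_ACK 0x10   /* ACK bit */

/* Wrap-safe sequence comparison using the signed 32-bit difference. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

enum verdict { V_ACCEPT, V_DROP_SYN, V_DROP_WINDOW, V_RESET };
enum policy  { POLICY_RFC793, POLICY_IGNORE_SYN };

struct conn {                  /* hypothetical, not FreeBSD's struct tcpcb */
    uint32_t rcv_nxt;          /* next sequence number expected */
    uint32_t rcv_wnd;          /* receive window size */
    unsigned long drop_syn;    /* SYNs ignored while ESTABLISHED */
    unsigned long drop_window; /* segments outside the receive window */
};

/* Decide what to do with a segment arriving on an ESTABLISHED connection. */
enum verdict established_input(struct conn *c, enum policy p,
                               uint32_t seq, uint8_t flags)
{
    /* Proposed behaviour: a SYN is ignored wherever it lands. */
    if (p == POLICY_IGNORE_SYN && (flags & TH_SYN)) {
        c->drop_syn++;
        return V_DROP_SYN;
    }
    /* Acceptable only if rcv_nxt <= seq < rcv_nxt + rcv_wnd (mod 2^32). */
    if (SEQ_LT(seq, c->rcv_nxt) || SEQ_GEQ(seq, c->rcv_nxt + c->rcv_wnd)) {
        c->drop_window++;
        return V_DROP_WINDOW;
    }
    /* RFC 793: an in-window SYN is an error and resets the connection. */
    if (flags & TH_SYN)
        return V_RESET;
    return V_ACCEPT;
}

int main(void)
{
    /* Constructed values: a window that wraps past sequence number 0. */
    struct conn c = { 0xfffffff0u, 65535, 0, 0 };
    printf("rfc793: %d\n", established_input(&c, POLICY_RFC793, 0x10, TH_SYN));
    printf("ignore: %d\n", established_input(&c, POLICY_IGNORE_SYN, 0x10, TH_SYN));
    printf("drop_syn=%lu drop_window=%lu\n", c.drop_syn, c.drop_window);
    return 0;
}
```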