Date: Mon, 03 Jan 2005 19:54:21 +0900
From: gnn@FreeBSD.org
To: Mike Silbersack <silby@silby.com>
Cc: net@FreeBSD.org
Subject: Re: Fixing "Slipping in the window" before 4.11-release
Message-ID: <m2y8favl42.wl@minion.local.neville-neil.com>
In-Reply-To: <20050103012325.A62262@odysseus.silby.com>
References: <20050103012325.A62262@odysseus.silby.com>

At Mon, 3 Jan 2005 01:31:29 -0600 (CST),
Mike Silbersack wrote:
> For the life of me, I can't figure out why SYN packets (other than delayed
> retransmissions of the original SYN) would ever show up once a connection
> is in the ESTABLISHED state.

They "shouldn't" and I think ignoring them makes sense, but that's
just me. I gather you did a search of Stevens to see if there had
ever been a justification for dealing with SYN once established?

The only thing I could think of was to go look again at how half open
connections are handled. I have not taken a look at that, but it
sticks in my mind as the only thing that could cause an issue.

> So, I'm proposing the attached patch, which simply ignores any
> packet with the SYN flag on it while a connection is in the
> ESTABLISHED state.

That sounds fine to me.

> What are people's thoughts on this? I'm especially interested how
> stateful firewalls like IPF or PF would handle such a situation. How do
> they respond to unexpected SYN packets?

Well, those I cannot comment on.

> diff -u -r /usr/src/sys.old/netinet/tcp_input.c
> /usr/src/sys/netinet/tcp_input.c

One quick comment on the patch. Do we want to count these kinds of
drops separately?

Later,
George