From: gnn@FreeBSD.org
To: Mike Silbersack
cc: net@FreeBSD.org
Subject: Re: Fixing "Slipping in the window" before 4.11-release
Date: Mon, 03 Jan 2005 19:54:21 +0900
In-Reply-To: <20050103012325.A62262@odysseus.silby.com>
List-Id: Networking and TCP/IP with FreeBSD

At Mon, 3 Jan 2005 01:31:29 -0600 (CST), Mike Silbersack wrote:

> For the life of me, I can't figure out why SYN packets (other than delayed
> retransmissions of the original SYN) would ever show up once a connection
> is in the ESTABLISHED state.
They "shouldn't" and I think ignoring them makes sense, but that's just me. I gather you did a search of Stevens to see if there had ever been a justification for dealing with SYN once established? The only thing I could think of was to go look again at how half-open connections are handled. I have not taken a look at that, but it sticks in my mind as the only thing that could cause an issue.

> So, I'm proposing the attached patch, which simply ignores any
> packet with the SYN flag on it while a connection is in the
> ESTABLISHED state.

That sounds fine to me.

> What are people's thoughts on this? I'm especially interested in how
> stateful firewalls like IPF or PF would handle such a situation. How do
> they respond to unexpected SYN packets?

Well, those I cannot comment on.

> diff -u -r /usr/src/sys.old/netinet/tcp_input.c
> /usr/src/sys/netinet/tcp_input.c

One quick comment on the patch. Do we want to count these kinds of drops separately?

Later,
George