Date: Wed, 25 Jul 2007 09:31:45 +0100 (BST)
From: Robert Watson
To: Mike Silbersack
Cc: Andre Oppermann, current@freebsd.org, Peter Wemm, freebsd-current@freebsd.org, net@freebsd.org
Subject: Re: FreeBSD 7 TCP syncache fix: request for testers

On Wed, 25 Jul 2007, Mike Silbersack wrote:

> On Fri, 20 Jul 2007, Peter Wemm wrote:
>
>> TCP: [127.0.0.1]:52446 to [127.0.0.1]:1128 tcpflags 0x10;
>> syncache_expand: Segment failed SYNCOOKIE authentication, segment
>> rejected (probably spoofed)
>> [...]
>>
>> How on earth can localhost be spoofing itself?  This is getting quite
>> absurd. :-(
>
> Any extra ACK that arrives is probably being processed by the syncookie code
> is my guess.  So, I think that the problem is probably anywhere except in
> the syncookie code.
>
>> I'll give your patch a shot and see if it improves things at all.
>
> It won't, not for this case. :(
>
> But I'll get it committed ASAP, because it fixes other cases.  Unless, that
> is, things IRL keep interrupting me.

FYI, I received an informal report a few days ago that the SYN cache was
ignoring RSTs, and kept transmitting SYN/ACK's even though a RST had been
sent.  This was during some local network testing where a host sends SYN
packets out to a large number of other hosts, then quickly resets the
connections after getting SYN/ACK's.  Given that your previous work suggests
that the syncache timer never fires at all, I'm not quite sure what to make
of this report, but once your patches are in I can ask them to rerun it on
one of my hosts and see.

Robert N M Watson
Computer Laboratory
University of Cambridge