Re: [PATCH] netfilter: conntrack: tcp: do not lower timeout to CLOSE for in-window RSTs
From: Florian Westphal
Date: Sat Jul 06 2024 - 13:05:08 EST
Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> I fully agree with Florian: conntrack plays the role of a middle box and
> cannot absolutely know the right seq/ack numbers of the client/server
> sides. Add NAT on top of that and there are a couple of ways to attack a
> given traffic. I don't see a way by which the checks/parameters could
> be tightened without blocking real traffic.
I forgot about TCP timestamps, which we do not track at the moment.
But then there is a slight caveat: if one side exits, the RST won't
carry a timestamp option, so even keeping track of timestamps will help
:-(