Re: [PATCH] netfilter: conntrack: tcp: do not lower timeout to CLOSE for in-window RSTs

From: Florian Westphal
Date: Sat Jul 06 2024 - 13:05:08 EST

Next message: pr-tracker-bot: "Re: [PULL REQUEST] i2c-for-6.10-rc7"
Previous message: Guenter Roeck: "Re: [PATCH v6 1/2] dt-bindings: hwmon: Add Sophgo SG2042 external hardware monitor support"
In reply to: Jozsef Kadlecsik: "Re: [PATCH] netfilter: conntrack: tcp: do not lower timeout to CLOSE for in-window RSTs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> I fully agree with Florian: conntrack plays the role of a middle box and
> cannot absolutely know the right seq/ack numbers of the client/server
> sides. Add NAT on top of that and there are a couple of ways to attack a
> given traffic. I don't see a way by which the checkings/parameters could
> be tightened without blocking real traffic.

I forgot about TCP timestamps, which we do not track at the moment.

But then there is a slight caveat: if one side exits, RST won't
carry timestamp option, so even keeping track of timestamps will help
:-(

Next message: pr-tracker-bot: "Re: [PULL REQUEST] i2c-for-6.10-rc7"
Previous message: Guenter Roeck: "Re: [PATCH v6 1/2] dt-bindings: hwmon: Add Sophgo SG2042 external hardware monitor support"
In reply to: Jozsef Kadlecsik: "Re: [PATCH] netfilter: conntrack: tcp: do not lower timeout to CLOSE for in-window RSTs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]