On Sun, Jul 29, 2001 at 08:53:36PM +0400, Alexey Kuznetsov wrote:
> Hello!
>
> > Please note that the netfilter nat protocol helpers for ftp (and irc as well as
> > other protocols in patch-o-matic) delete the SACKPERM option on-the-fly
> > from all packets.
>
> Then Marty would not see any sacks at all.
>
>
> > It has to, as you run into never-ending complications as soon as the nat helper
> > has to alter the tcp sequence numbers, etc.
>
> It is not a valid justification. It is difficult to rewrite sequence numbers.
> As soon as nat does this, rewriting sacks is easy. Even not easy, trivial.
Not really.
The issue is that we only keep track of the last time a tcp sequence number
was rewritten. Yes, that means that current netfilter NAT code does not
cope correctly with all cases where you have more than one packet size
alteration per window.
So I'm not sure if enabling selective acknowledgements could make the
situation worse than it is (given this precondition). At least after
giving it some thought, I cannot see how.
I have written some improved conntrack/nat code (called multirel/newnat),
which is currently in testing. This improved code will remember all
packet size alterations and the exact tcp sequence number at which each of
them occurred.
> Sad and not expected behaviour. I used to ridicule commercial firewall
> vendors, sometimes doing shit of this kind without any clear reasons. :-)
Ok, I am willing to extend netfilter conntrack/nat in order to deal with
SACK. It is really not about being too lazy to do it.
> Alexey
--
Live long and prosper
- Harald Welte / laforge@xxxxxxxxxxxx http://www.gnumonks.org
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)