Re: [PATCH] Make netfilter handle SACK in NAT'ed connections (was Re: Fw: oops/bug in tcp, SACK doesn't work?)

[kuznet@xxxxxxxxxxxxx]

Hello!

> this partial retransmission is dropped, assuming that the next retransmission
> will be a retransmission of the whole packet, as we have seen it before.

The assumption can be wrong. This happens with linux. Even if
tcp_retrans_collapse is on, collapcing may have obstacles not allowing
to collapse.


> a lot of cases (i.e. PORT command split over two seperate packets)

What is difficult in this case? I simply do not understand this...
If you have a defined transofrm, there is no problems in partial rewrites.

> your kernel.  transparent proxies are better if you want to be perfect in
> this.

No ack. If it were a real fault of approach, it would be true.
But as soon as it is explained only by lazyness of author... no ack.

It is simply unpleasant. When seeing report of Cisco director blocking
some valid data, we refer to Cisco. But when our own code does the same
shit, it is _double_ shame.

Alexey