At Mon, 3 Jan 2005 01:31:29 -0600 (CST), Mike Silbersack wrote:
> For the life of me, I can't figure out why SYN packets (other than delayed
> retransmissions of the original SYN) would ever show up once a connection
> is in the ESTABLISHED state.

They "shouldn't" and I think ignoring them makes sense, but that's just me. I gather you did a search of Stevens to see if there had ever been a justification for dealing with SYN once established?

The only thing I could think of was to go look again at how half open connections are handled. I have not taken a look at that, but it sticks in my mind as the only thing that could cause an issue.

> So, I'm proposing the attached patch, which simply ignores any
> packet with the SYN flag on it while a connection is in the
> ESTABLISHED state.

That sounds fine to me.

> What are people's thoughts on this? I'm especially interested how
> stateful firewalls like IPF or PF would handle such a situation. How do
> they respond to unexpected SYN packets?

Well, those I cannot comment on.

> diff -u -r /usr/src/sys.old/netinet/tcp_input.c
> /usr/src/sys/netinet/tcp_input.c

One quick comment on the patch. Do we want to count these kinds of drops separately?

Later,
George