On Thu, Apr 20, 2017 at 2:45 PM, Wei Wang <wei...@google.com> wrote:
> From: Wei Wang <wei...@google.com>
>
> Christoph Paasch from Apple found another firewall issue for TFO:
> After successful 3WHS using TFO, server and client start to exchange
> data. Afterwards, a 10s idle time occurs on this connection. After that,
> firewall starts to drop every packet on this connection.
>
> The fix for this issue is to extend existing firewall blackhole detection
> logic in tcp_write_timeout() by removing the mss check.
>
> Signed-off-by: Wei Wang <wei...@google.com>

Acked-by: Yuchung Cheng <ych...@google.com>

> --- > net/ipv4/tcp_timer.c | 7 +++---- > 1 file changed, 3 insertions(+), 4 deletions(-) > > diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c > index b2ab411c6d37..14672543cf0b 100644 > --- a/net/ipv4/tcp_timer.c > +++ b/net/ipv4/tcp_timer.c > @@ -201,11 +201,10 @@ static int tcp_write_timeout(struct sock *sk) > if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1, > 0, 0)) { > /* Some middle-boxes may black-hole Fast Open _after_ > * the handshake. Therefore we conservatively disable > - * Fast Open on this path on recurring timeouts with > - * few or zero bytes acked after Fast Open. > + * Fast Open on this path on recurring timeouts after > + * successful Fast Open. > */ > - if (tp->syn_data_acked && > - tp->bytes_acked <= tp->rx_opt.mss_clamp) { > + if (tp->syn_data_acked) { > tcp_fastopen_cache_set(sk, 0, NULL, true, 0); > if (icsk->icsk_retransmits == > net->ipv4.sysctl_tcp_retries1) > NET_INC_STATS(sock_net(sk), > -- > 2.12.2.816.g2cccc81164-goog >
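
Review bot: The new condition `if (tp->syn_data_acked) {` no longer bounds the heuristic by how much data was acked, so any timeout that reaches sysctl_tcp_retries1 on a connection whose SYN data was acked now calls tcp_fastopen_cache_set(sk, 0, NULL, true, 0), including ordinary loss on a long-lived connection that has already moved a lot of data. The updated comment says "recurring timeouts after successful Fast Open" but does not say that this false-positive case is accepted on purpose. Consider adding a sentence to the comment that names the idle-then-drop middlebox behaviour from the commit message as the reason the bytes_acked/mss_clamp bound was dropped, and stating in the commit message what the cost is for a path that is wrongly marked, so the wider match is documented as a deliberate trade-off.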