
TCP window scaling and broken routers


Posted Jul 21, 2004 18:31 UTC (Wed) by schabi (subscriber, #14079)
In reply to: TCP window scaling and broken routers by dlang
Parent article: TCP window scaling and broken routers

"this case the nasty firewalls zero out the bits in the unknown option and people are complaining"

It's different. With ECN, the router had two different, valid options: leave the bits in the flag word as they are, or clear them, thus deleting the option. ECN was designed carefully enough that both ways worked. Blocking or dropping the packet is no option.

The window scaling is not bits in the flag word, but a separately added option field. There, the firewall has two valid options: let the packet pass as it is, or remove the window scaling option field entirely. Communication continues to work with both options. Fiddling around inside the header field and wildly mangling the values is no option.



TCP window scaling and broken routers

Posted Dec 1, 2005 23:06 UTC (Thu) by walken (subscriber, #7089)

That sounds like a good idea, but is there any way to get iptables to do what you describe? From my own little netfilter experience, I know how to pass, drop or reject packets, but not how to filter bits (well, I think there is an option to do that with ECN, but what about OTHER must-be-zero bits) or how to drop arbitrary unknown TCP options.

Sounds a bit hypocritical for Linux developers to complain about firewalls in the field if their own firewalling functionality does not allow this either.

But then again I'm not a netfilter expert so I could be mistaken.

TCP window scaling and broken routers

Posted Feb 7, 2008 21:12 UTC (Thu) by shemminger (subscriber, #5739)

The problem is firewalls that want to enforce window sizes but are too stupid and try to do this without tracking the state of window scaling of the connection.

I will pick out OpenBSD as particularly broken in that regard, and they haven't fixed it.
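As an added illustration of the two points made in this thread (that a firewall may strip the window scale option entirely but must not mangle it, and that a middlebox cannot interpret a window value without tracking whether both ends negotiated scaling), here is a small Python model of the TCP options field. It is example code written for this page, not code from LWN, netfilter or any commenter. The option kinds and the cap of 14 on the shift count come from RFC 793 / RFC 7323; the WindowTracker class and the sample option bytes are constructed for the example.

```python
# TCP option kinds from RFC 793 / RFC 7323
OPT_EOL = 0      # end of option list
OPT_NOP = 1      # no-operation (padding)
OPT_MSS = 2      # maximum segment size
OPT_WSCALE = 3   # window scale (one byte: shift count)

MAX_WSCALE_SHIFT = 14  # RFC 7323: receivers clamp larger shift counts to 14


def parse_options(opts: bytes) -> list:
    """Walk a raw TCP options field and return a list of (kind, data) tuples.

    Raises ValueError on a truncated or inconsistent option: that is the case
    a firewall should drop, not try to 'repair' by rewriting bytes.
    """
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def strip_option(opts: bytes, kind: int) -> bytes:
    """Remove every option of `kind` by overwriting it with NOPs.

    The header length is unchanged, so only the TCP checksum has to be
    recomputed afterwards. The peer simply sees no window scale offer and
    falls back to unscaled windows, which is the safe 'remove it' choice.
    """
    parse_options(opts)  # validate first; malformed input is a hard error
    res, i = bytearray(), 0
    while i < len(opts):
        k = opts[i]
        if k == OPT_EOL:
            res += opts[i:]
            break
        if k == OPT_NOP:
            res.append(k)
            i += 1
            continue
        length = opts[i + 1]
        res += bytes([OPT_NOP]) * length if k == kind else opts[i:i + length]
        i += length
    return bytes(res)


def wscale_shift(opts: bytes):
    """Return the shift count offered in a SYN's options, or None if absent."""
    for kind, data in parse_options(opts):
        if kind == OPT_WSCALE and len(data) == 1:
            return min(data[0], MAX_WSCALE_SHIFT)
    return None


class WindowTracker:
    """Per-connection state a middlebox needs before it may judge a window.

    Scaling is in effect only if BOTH the SYN and the SYN-ACK carried the
    option, and each side's shift applies to the windows that side sends.
    """

    def __init__(self):
        self.client_shift = None
        self.server_shift = None

    def on_syn(self, opts: bytes):
        self.client_shift = wscale_shift(opts)

    def on_synack(self, opts: bytes):
        self.server_shift = wscale_shift(opts)

    @property
    def scaling_enabled(self) -> bool:
        return self.client_shift is not None and self.server_shift is not None

    def effective_window(self, raw_window: int, from_client: bool) -> int:
        """Bytes the sender really advertises (windows in SYNs are never scaled)."""
        if not self.scaling_enabled:
            return raw_window
        return raw_window << (self.client_shift if from_client else self.server_shift)


# Constructed sample option fields (not captured from real traffic):
SYN_OPTS = bytes([OPT_MSS, 4, 0x05, 0xB4, OPT_NOP, OPT_WSCALE, 3, 7])  # MSS 1460, wscale 7
SYNACK_OPTS = bytes([OPT_WSCALE, 3, 5])                               # wscale 5

if __name__ == "__main__":
    t = WindowTracker()
    t.on_syn(SYN_OPTS)
    t.on_synack(SYNACK_OPTS)
    print("scaled window:", t.effective_window(100, from_client=True))    # 12800
    t2 = WindowTracker()  # firewall stripped wscale from the SYN-ACK: scaling cleanly off
    t2.on_syn(SYN_OPTS)
    t2.on_synack(strip_option(SYNACK_OPTS, OPT_WSCALE))
    print("unscaled window:", t2.effective_window(100, from_client=True))  # 100
```

The contrast the two trackers show is the whole point of the thread: a firewall that drops the option leaves both ends agreeing on unscaled windows, whereas one that reads a raw 16-bit window value without knowing the negotiated shift will misjudge the real window by up to a factor of 2^14.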

Copyright © 2008, Eklektix, Inc.