Hello,
On Thu, 16 Mar 2000, Ratz wrote:
> > I see another problem. The OUTPUT state table looks very
> > wrong to me. The SR state checking looks incorrect in the context
> > of VS/NAT mode. If the SYN packet is forwarded from the Director
> > to the Real server, the Real server answers immediately with a SYN
> > cookie and the state is changed to ES. So, under a SYN flood with
> > SYN cookies enabled we have ES states and not SYN states.
> > Maybe the state table is wrong, but it is not patched from the LVS.
> > Is the OUTPUT table correct? The change:
> >
> > OUTPUT SYN
> > SR -> ES
> >
> > When the SYN-cookie (SYN+ACK) is sent we switch to ES
> > which is for very short interval after the initial SYN. And
> > ip_vs_random_drop_syn() can't find many entries.
>
> How can this be? Where is the ACK? What if the SYN cookie's dest is not
> reachable (spoofed IP)? That's why we send a FIN to the source IP before
> sending a SYN/ACK when using cookies, so, if the source IP is not fake,
> it'll reply with FIN/ACK and the correct sequence number and the server
> can continue with a SYN/ACK to the source IP, which will then reply with
> an ACK. Please correct me if I'm wrong, because your TCP/IP knowledge
> seems to be far beyond mine :)
As I understand it, there is no FIN involved in the SYN cookie mechanism.
But switching from SR to ES is wrong.
Regards
--
Julian Anastasov <uli@xxxxxxxxxxxxxxxxxxxxxx>
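The effect Julian describes (an OUTPUT SYN moving SR to ES, so that a SYN-dropping defence finds no SR entries during a flood) can be seen with a small toy model of a director-side connection-state table. This is an added illustration, not code from LVS or from either poster; the two transition tables, the Director class, the syn_flood() driver and the spoofed/legitimate client addresses are all hypothetical constructions that only mimic the behaviour discussed in the thread, not the real ip_vs_conn tables or ip_vs_random_drop_syn().

```python
"""Toy model (not LVS code) of a NAT director's TCP state table.

It contrasts the quoted change "OUTPUT SYN: SR -> ES" with a table that
waits for the client's ACK, and counts what a SYN-dropping defence can
still see after a flood of spoofed SYNs.
"""
import random
from collections import Counter

SR, ES = "SR", "ES"   # SYN_RECV and ESTABLISHED, abbreviated as in the thread

# Hypothetical transition tables: (direction, flag, current state) -> next state.
# DISPUTED encodes the change quoted in the message: the real server's
# SYN+ACK (an OUTPUT packet with SYN set) moves the entry to ES.
DISPUTED = {
    ("INPUT", "SYN", None): SR,   # client SYN creates the entry in SR
    ("OUTPUT", "SYN", SR): ES,    # real server's SYN cookie reply -> ES
    ("INPUT", "ACK", SR): ES,
    ("INPUT", "ACK", ES): ES,
}
# HANDSHAKE keeps SR until the third packet of the handshake arrives.
HANDSHAKE = {
    ("INPUT", "SYN", None): SR,
    ("OUTPUT", "SYN", SR): SR,    # a SYN+ACK alone establishes nothing
    ("INPUT", "ACK", SR): ES,     # only the client's ACK completes it
    ("INPUT", "ACK", ES): ES,
}


class Director:
    """Tracks one state per (client ip, client port), as a NAT director would."""

    def __init__(self, table):
        self.table = table
        self.conns = {}

    def packet(self, key, direction, flag):
        cur = self.conns.get(key)
        nxt = self.table.get((direction, flag, cur))
        if nxt is None:
            return cur            # packet does not change state in this toy model
        self.conns[key] = nxt
        return nxt

    def random_drop_syn(self, fraction, rng):
        """Mimic a defence that randomly drops entries still in SR.
        Entries already in ES are invisible to it, which is the point."""
        victims = [k for k, s in self.conns.items()
                   if s == SR and rng.random() < fraction]
        for k in victims:
            del self.conns[k]
        return len(victims)


def syn_flood(table, spoofed=1000, legit=10, seed=1):
    """Spoofed clients never answer the SYN+ACK; legitimate clients do.
    Returns (state counts after the flood, entries the SR-dropper removed)."""
    rng = random.Random(seed)
    d = Director(table)
    for i in range(spoofed):
        key = ("10.0.%d.%d" % (i // 256, i % 256), 40000 + i)  # constructed spoofed sources
        d.packet(key, "INPUT", "SYN")     # director forwards the SYN, entry -> SR
        d.packet(key, "OUTPUT", "SYN")    # real server answers with a SYN cookie (SYN+ACK)
        # the spoofed source is unreachable: no ACK ever comes back
    for i in range(legit):
        key = ("192.0.2.%d" % i, 50000 + i)                   # constructed real clients
        d.packet(key, "INPUT", "SYN")
        d.packet(key, "OUTPUT", "SYN")
        d.packet(key, "INPUT", "ACK")     # real client completes the handshake
    counts = dict(Counter(d.conns.values()))
    dropped = d.random_drop_syn(1.0, rng)  # let the defence drop every SR entry it can see
    return counts, dropped


if __name__ == "__main__":
    for name, table in (("DISPUTED", DISPUTED), ("HANDSHAKE", HANDSHAKE)):
        print(name, syn_flood(table))
```

With the DISPUTED table every flood entry sits in ES before the defence runs, so it drops nothing and the spoofed connections survive alongside the legitimate ones; with the HANDSHAKE table the spoofed entries stay in SR, the dropper removes them, and the ten completed handshakes are untouched.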