Hello,
> It's getting a bit off-topic here, so feel free to move this thread along to
> the netfilter list (we both seem to be reading it ;-), but what exactly does
> the window tracking patch address?
It does address the problems listed in [1]. I've done more on the packetfilter
code for the OpenBSD kernel as in the netfilter one so far but recently our
company decided to give netfilter another take. It's still pretty premature but
with this patch it gets pretty close to what we need. And once the stateful
issues are addressed and in the vanilla kernel we can then get back to a
plethora of nice add-ons. Some of the things I would like to see are:
o (advertisement) window size tracking
o ISN and sequence number checking
o support for T/TCP and IPv5 (SCTP)
o complete TCP state transition implementation just like with LVS
o bring in the damn nfnetlink to get full control over netfilter ;)
> Since you call it a 'patch' I take it it's not in the vanilla kernels from
> kernel.org, so chances that we're running it are very slim. I wonder if we
> want to patch the kernel now or not...
That's what I'm currently investigating. There seem to be a few problems and
issues with in-kernel timers and the TCP state transition table is somewhat not
in accordance with the RFC at first sight. But I need further testing to make
sure we can base part of our product line on netfilter. Don't expect anything or
any results before X-mas. The patch can be found here [2] or simply get the
latest pom and poke into the ../extra directory.
[1] http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz
[2] http://cvs.netfilter.org/cgi-bin/cvsweb/netfilter/patch-o-matic/extra/tcp-window-tracking.patch?rev=1.5&content-type=text/x-cvsweb-markup
Best regards,
Roberto Nibali, ratz
PS.: For once I don't consider this off-topic :).
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
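The window size tracking and sequence number checking that the reply above lists are the core of the scheme from [1] (van Rooij's stateful TCP filtering), which the tcp-window-tracking patch adopts. The following is an added illustration, not code from the patch or from the poster: it keeps the per-direction `end`/`maxend`/`maxwin` state and applies the four in-window conditions to a constructed segment trace. Window scaling, SACK, RST handling and the full state table are left out as simplifying assumptions, and the `MAXACKWINDOW` bound is assumed rather than taken from the patch.

```python
"""
Simplified TCP window tracking, in the spirit of the scheme discussed in the
thread (van Rooij's approach as adopted by netfilter's tcp-window-tracking
patch).  Added example for this page, not the patch's own code.  Assumptions:
no window scaling, no SACK, no RST handling, no TCP state table.
"""

MASK32 = 0xFFFFFFFF
MAXACKWINDOW = 66000   # assumed bound on how far an ACK may lag behind the peer's end


def seq_diff(a, b):
    """Signed (a - b) on 32-bit sequence numbers, so comparisons survive wraparound."""
    d = (a - b) & MASK32
    return d - (1 << 32) if d & 0x80000000 else d


def before(a, b):
    return seq_diff(a, b) < 0


def after(a, b):
    return before(b, a)


class Side:
    """Per-direction window state (names mirror the td_* style of the patch)."""
    def __init__(self):
        self.end = 0      # highest seq + len this side has sent
        self.maxend = 0   # right edge the peer has allowed this side to send up to (ack + win)
        self.maxwin = 0   # largest window this side has advertised; 0 = side not seen yet


class TcpWindowTracker:
    def __init__(self):
        self.side = {"orig": Side(), "reply": Side()}

    def check(self, direction, seq, ack, win, payload_len, syn=False, ack_flag=True, fin=False):
        """Return True if the segment fits the tracked windows, updating state when it does."""
        sender = self.side[direction]
        receiver = self.side["reply" if direction == "orig" else "orig"]
        end = (seq + payload_len + (1 if syn else 0) + (1 if fin else 0)) & MASK32

        if sender.maxwin == 0:
            # First segment seen from this side: seed its state from the segment.
            sender.end = end
            sender.maxwin = win or 1
            # A SYN may not send beyond itself until the peer advertises a window;
            # when picking up mid-connection, allow one window past the current end.
            sender.maxend = end if syn else (end + sender.maxwin) & MASK32

        if not ack_flag:
            ack = receiver.end   # no ACK number to validate: treat it as consistent

        in_window = (
            before(seq, (sender.maxend + 1) & MASK32)                               # I: not beyond peer's window
            and (receiver.maxwin == 0
                 or after(end, (sender.end - receiver.maxwin - 1) & MASK32))          # II: not older than one window
            and before(ack, (receiver.end + 1) & MASK32)                            # III: cannot ACK unsent data
            and after(ack, (receiver.end - MAXACKWINDOW - 1) & MASK32)              # IV: ACK not absurdly stale
        )
        if not in_window:
            return False

        # Segment accepted: advance the sender's edge and the window it opens for the peer.
        if after(end, sender.end):
            sender.end = end
        if win > sender.maxwin:
            sender.maxwin = win
        right_edge = (ack + win) & MASK32
        if after(right_edge, (receiver.maxend - 1) & MASK32):
            receiver.maxend = (right_edge + (1 if win == 0 else 0)) & MASK32
        return True


def demo():
    """Constructed segment trace: handshake, data, a retransmission, then two forgeries."""
    t = TcpWindowTracker()
    return [
        t.check("orig", 1000, 0, 8192, 0, syn=True, ack_flag=False),   # client SYN
        t.check("reply", 5000, 1001, 4096, 0, syn=True),               # server SYN/ACK
        t.check("orig", 1001, 5001, 8192, 0),                          # client ACK
        t.check("orig", 1001, 5001, 8192, 100),                        # 100 bytes of data
        t.check("orig", 1001, 5001, 8192, 100),                        # retransmission: still in window
        t.check("orig", 90000, 5001, 8192, 100),                       # seq far outside the window: dropped
        t.check("orig", 1101, 7000, 8192, 0),                          # ACK beyond server's end: dropped
    ]


if __name__ == "__main__":
    print(demo())  # expect [True, True, True, True, True, False, False]
```

The two rejected segments show what plain flag-based state tracking misses: both carry plausible flags and ports, and only the sequence/ACK bounds relative to the tracked windows tell them apart from legitimate traffic.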