From: "Spenst, Aleksej" <Aleksej.Spenst@harman.com>
To: "neal.p.murphy@alum.wpi.edu" <neal.p.murphy@alum.wpi.edu>,
"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: AW: Why SYN-ACK packets are dropped as INVALID?
Date: Thu, 26 Mar 2015 13:25:00 +0000 [thread overview]
Message-ID: <CBA35483CE5B4D4B804BF128A77A61651B66E6AF@HIKAWSEXMB02.ad.harman.com> (raw)
In-Reply-To: <201503260853.07382.neal.p.murphy@alum.wpi.edu>
Hi Neal,
Is this configurable? I thought the ACK number is always 1 greater than the sequence number of the SYN packet. So, in my case the ACK shows the sequence number of the next packet the host expects to receive. I see this in tcpdump logs when everything works fine (the described problem happens only sometimes).
Can it be that my system sometimes suddenly expects that the ACK shows the last packet the host received (instead of the next)?
Thank you,
Aleksej.
-----Ursprüngliche Nachricht-----
Von: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] Im Auftrag von Neal Murphy
Gesendet: Donnerstag, 26. März 2015 13:53
An: netfilter@vger.kernel.org
Betreff: Re: Why SYN-ACK packets are dropped as INVALID?
On Thursday, March 26, 2015 04:41:21 AM Spenst, Aleksej wrote:
> Hi All,
>
> I’m sending TCP SYN packets to the server. The problem is that the
> SYN-ACK packets coming from the server in response are sometimes
> dropped by my firewall (iptables) as INVALID. I can’t figure out why
> the firewall sees these packets invalid. They seem to be Ok. What
> parameters are taken into account by the firewall when making a
> decision about invalidity of a packet?
>
> Example from tcpdump:
>
> 19:29:22.045106 <my IP> <Server IP> TCP 60710→8080 [SYN]
> Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0
> WS=16 19:29:22.817859 <Server IP> <my IP> TCP 8080→60710 [SYN,
> ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200
> SACK_PERM=1
>
> The ACK sequence number (Ack=2646194937) is OK, but I see in my
> iptables logs that this SYN-ACK packet is marked as INVALID and
> dropped. When the SYN-ACK packet comes the TCP session is in the state
> SYN_SENT -> So, the states are also OK. Why is this packet invalid then?
Does the ACK tell the peer the sequence # of the *next* packet the host expects to receive? Or does it acknowledge the *last* packet it received? If the latter, then the SYN-ACK as sent is invalid, as it acknowledges a packet that hasn't been sent yet.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2015-03-26 13:25 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-26 8:41 Why SYN-ACK packets are dropped as INVALID? Spenst, Aleksej
2015-03-26 12:53 ` Neal Murphy
2015-03-26 13:25 ` Spenst, Aleksej [this message]
2015-03-26 13:27 ` Joel Gerber
2015-03-26 16:14 ` AW: " Spenst, Aleksej
2015-03-26 19:09 ` Joel Gerber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CBA35483CE5B4D4B804BF128A77A61651B66E6AF@HIKAWSEXMB02.ad.harman.com \
--to=aleksej.spenst@harman.com \
--cc=neal.p.murphy@alum.wpi.edu \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.