On Tue, Jun 21, 2016 at 05:12:39PM +0200, Mike Belopuhov wrote: > Right, I've found it, but how can you tell that this is a new > connection if iss changes a lot and you just test if it's greater > than? The actual test should be if it's ouside of the window, > isn't it?
That is very traditional TCP behavior. The initial sequence number for outgoing connections does not change a lot, but only increases. So if the socket is in TIME_WAIT and a new packets arrives that has a smaller sequence number than the PCB, it belongs to the old connection and should be dropped. If the sequence number is higher, it must be a new connection and the PCB should be reused. Before the initial sequence number counter wraps around, the TIME_WAIT timeout has removed the PCB. Look into tcp_set_iss_tsm() where we mix randomness with increasing steps to make this algorithm work. > > So my diff fixes it because now pf state key attach and tcp reuse > > are confused in the same way. > > Rather a bit sloppy, but yeah. Although the TCP reuse algorithm is not responsible for my NAT problem, I still think just reusing state keys like pf does is wrong. It also has to consider the sequence number to drop old SYN packets that got delayed by the network. But I will start fixing pf_get_sport() first. bluhm
