On Fri, Mar 12, 2010 at 10:25:28PM +0100, Guillaume Castagnino wrote: > Le Vendredi 12 Mars 2010 22:21:49, Willy Tarreau a écrit : > > On Fri, Mar 12, 2010 at 09:55:07PM +0100, Willy Tarreau wrote: > > > I've just looked at your traces. It's strange that it's related to the > > > blackhole feature because the doc says it just disables sending of > > > port unreachables (and possibly RSTs). From your traces, an RST is > > > properly sent in response to the "250", but the server happily > > > ignores despite the fact that its sequence number is OK, and it > > > keeps resending the same data over and over. And as your trace > > > shows that you sniffed on the server, there's no risk that the > > > RST was dropped on the network. > > > > After a bit of thinking, while it is wrong from the server to have > > ignored the RST in the first place, it's wrong for the client not > > to resend it on subsequent packets, and this is what is caused by > > the BLACKHOLE patch. I've checked the patch, and I see what is > > wrong in it : it prevents sending of RST packets in any case, > > while it should only be prevented in response to a SYN. I have one > > similar patch in my own 2.4 tree which does not exhibit the issue, > > so I'll contact Brad with that. > > > Here is the last patch Brad provided me against the last grsec (if you want > to > check this one) : http://www.grsecurity.net/~spender/blackhole3.diff > > But despites this, I always get the same problem.
yes, i'm not surprized, because when the ACK comes from the server, the socket does not exist anymore on your side. If he has time to do as in the 2.4 patch in my tree, that will be fine, otherwise I may take a look at it after next week. Regards, Willy
