On 04/14/09 03:10 PM, Jens Elkner wrote:
On Tue, Apr 14, 2009 at 05:09:01PM -0400, Oscar del Rio wrote:
On a couple of systems running nv109 and nv110, with ipfilter enabled, occasionally we get OOW and NEG_OOW errors.

ipf rule (a web server):
pass in quick proto tcp from any to any port = 80 keep state keep frags

A Sun case engineer told me that one should always add 'flags S' when using
'keep state' to not get into trouble. Why: unknown ...

Because TCP window scaling options are only in the SYN/SYN-ACK
packets and they affect what each end system considers to be "in window".
If you create TCP state with IPFilter in mid-stream, it will be without
that knowledge and hence unable to correctly mimic the end nodes'
idea of what the window really is.

Thus IPFilter will think things are "out of window" (OOW) when they
really aren't...

Darren
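
Added example (not part of the original thread and not IPFilter's code): a simplified Python model of a filter's TCP window check, replaying one constructed trace from the SYN and again from mid-stream to show how missing the window scale option produces OOW verdicts. The class and function names, the trace values, and the right-edge check are assumptions made for illustration.

```python
# Added illustration: a simplified model of a stateful filter's TCP window
# check. This is NOT IPFilter's code; names and the trace are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Seg:
    flags: str                    # "S", "SA" or "A"
    seq: int
    ack: int
    length: int
    win: int                      # raw 16-bit window field
    wscale: Optional[int] = None  # option carried only on SYN / SYN-ACK

class Side:
    def __init__(self):
        self.wscale = 0           # never saw the option: assume no scaling
        self.right_edge = None    # highest sequence number this side accepts

def replay(trace, start=0):
    """Track state from trace[start:]; True = in window, False = OOW."""
    sides = {"client": Side(), "server": Side()}
    verdicts = []
    for sender, seg in trace[start:]:
        me = sides[sender]
        peer = sides["server" if sender == "client" else "client"]
        if "S" in seg.flags and seg.wscale is not None:
            me.wscale = seg.wscale
        # Data must end at or before the receiver's advertised right edge.
        verdicts.append(peer.right_edge is None
                        or seg.seq + seg.length <= peer.right_edge)
        if "A" in seg.flags:
            # The window field of a SYN segment itself is never scaled.
            shift = 0 if "S" in seg.flags else me.wscale
            me.right_edge = seg.ack + (seg.win << shift)
    return verdicts

# Constructed trace: both ends use wscale=7, so win=512 means 65536 bytes.
TRACE = [
    ("client", Seg("S", 1000, 0, 0, 65535, 7)),
    ("server", Seg("SA", 5000, 1001, 0, 65535, 7)),
    ("client", Seg("A", 1001, 5001, 0, 512)),
    ("server", Seg("A", 5001, 1001, 1460, 512)),
    ("server", Seg("A", 6461, 1001, 1460, 512)),
]

if __name__ == "__main__":
    print("state from SYN:  ", replay(TRACE))     # every packet in window
    print("state mid-stream:", replay(TRACE, 2))  # server data flagged OOW
```

With 'flags S' placed before 'keep state' in the rule, state is only created from the SYN, which corresponds to the first replay.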
