Per site de-window-scaling

Harald Welte laforge at netfilter.org
Thu Sep 2 23:09:52 CEST 2004


On Thu, Sep 02, 2004 at 12:01:44PM -0700, Stephen Hemminger wrote:
> Is there a simple way with netfilter to do per-site TCP SYN mangling
> to remove the window scale option?  That way sites that have window-scale
> corrupting firewalls could be blacklisted.

Yes, this is possible with a quite simple piece of code similar to what
I did with the 'ECN' target for known ECN blackholes.

All you do is iterate over the TCP options and NOP out the window
scaling option.

Please don't copy any of the mistakes we made before, like the option
parsing signedness bug, or overwriting with '0' (end of options) instead
of NOP ;)

-- 
- Harald Welte <laforge at netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie