April 8, 2025 at 22:18, "Eric Dumazet" <edumazet@xxxxxxxxxx> wrote: > > On Mon, Apr 7, 2025 at 4:00 PM Jiayuan Chen <jiayuan.chen@xxxxxxxxx> wrote: > > > > > When TCP is in TIME_WAIT state, PAWS verification uses > > LINUX_PAWSESTABREJECTED, which is ambiguous and cannot be distinguished > > from other PAWS verification processes. > > Moreover, when PAWS occurs in TIME_WAIT, we typically need to pay special > > attention to upstream network devices, so we added a new counter, like the > > existing PAWS_OLD_ACK one. > > > > I really dislike the repetition of "upstream network devices". > Is it mentioned in some RFC ? I used this term to refer to devices that are located in the path of the TCP connection, such as firewalls, NATs, or routers, which can perform SNAT or DNAT and these network devices use addresses from their own limited address pools to masquerade the source address during forwarding, this can cause PAWS verification to fail more easily. You are right that this term is not mentioned in RFC but it's commonly used in IT infrastructure contexts. Sorry to have caused misunderstandings. Thanks. > > > > Also we update the doc with previously missing PAWS_OLD_ACK. > > usage: > > > > ''' > > nstat -az | grep PAWSTimewait > > TcpExtPAWSTimewait 1 0.0 > > ''' > > > > Suggested-by: Eric Dumazet <edumazet@xxxxxxxxxx> > > Signed-off-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx> > > > > Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx> >
