FWPS_STREAM_ACTION_DEFER causes invalid ACKs and connection teardown

Question

    Hi,

    I am having trouble limiting the incoming speed with FWPS_STREAM_ACTION_DEFER.

    I am doing out-of-band stream inspection, returning FWP_ACTION_BLOCK from a classify routine (on FWPS_LAYER_STREAM_V4) and later injecting the cloned data from a different thread. When the processing queue is too large, I set the streamAction member of the IoPacket to FWPS_STREAM_ACTION_DEFER and return FWP_ACTION_NONE.

    When the queue is empty, I call FwpsStreamContinue0 from a WorkItem routine.

    Shortly after the stream is resumed, the connection is corrupted and reset by the remote host. In Wireshark I can always see a pattern similar to this (TCP ACKed unseen segment):

    Time              Src port Dst port  Info
    24.497564000      80       49291     Continuation or non-HTTP traffic
    24.497734000      80       49291     Continuation or non-HTTP traffic
    24.514432000      49291    80        [TCP Window Update] 49291 > http [ACK] Seq=114 Ack=523985469 Win=1294848 Len=0
    24.791462000      80       49291     [TCP Retransmission] Continuation or non-HTTP traffic
    24.791648000      49291    80        [TCP Dup ACK 376088#1] 49291 > http [ACK] Seq=114 Ack=523985469 Win=1294848 Len=0 SLE=523985469 SRE=523986929
    25.391490000      80       49291     [TCP Retransmission] Continuation or non-HTTP traffic
    25.391668000      49291    80        [TCP Dup ACK 376088#2] 49291 > http [ACK] Seq=114 Ack=523985469 Win=1294848 Len=0 SLE=523985469 SRE=523986929
    26.591529000      80       49291     [TCP Retransmission] Continuation or non-HTTP traffic
    26.591714000      49291    80        [TCP Dup ACK 376088#3] 49291 > http [ACK] Seq=114 Ack=523985469 Win=1294848 Len=0 SLE=523985469 SRE=523986929
    28.991598000      80       49291     [TCP Retransmission] Continuation or non-HTTP traffic
    29.017141000      49291    80        [TCP ACKed unseen segment] 49291 > http [ACK] Seq=114 Ack=524265133 Win=1294848 Len=0 SLE=523985469 SRE=523986929
    33.791770000      80       49291     [TCP Retransmission] Continuation or non-HTTP traffic
    33.791985000      49291    80        [TCP Dup ACK 376096#1] [TCP ACKed unseen segment] 49291 > http [ACK] Seq=114 Ack=524265133 Win=1294848 Len=0 SLE=523985469 SRE=523986929


    This does not happen 100% of the time; sometimes I am able to suspend/resume the stream successfully several times before it is corrupted in this way. The same behavior can be reproduced with the stmEdit sample.

    Could you please suggest whether there are any limitations on when it is safe to call FwpsStreamContinue0()?

    This happens on Windows 7, 8 and 8.1.

    Thanks a lot,

    Lukas Rypacek.


    Friday, August 16, 2013 9:13 PM
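As an added example, not code from this post or from the WDK stmedit sample: the bookkeeping behind the procedure described above (block and clone while the queue has room, FWPS_STREAM_ACTION_DEFER when it does not, resume from a work item once the queue drains), modelled in user-mode C so that it can be compiled and run outside a driver. The watermark values are made up for the illustration, and the resume_fn hook stands in for FwpsStreamContinue0; a real callout would additionally hold the flow's spin lock around each of these functions, because classifyFn and the work item run concurrently. What the model makes concrete is that each DEFER is answered by exactly one resume, decided against the same queue state the classify routine reads, and that deferred bytes are not added to the queue because the callout has not consumed them.

```c
/*
 * Added example (not code from the forum post or from the WDK stmedit sample):
 * a user-mode C model of the pause/resume bookkeeping an out-of-band
 * FWPS_LAYER_STREAM_V4 callout needs when it answers a full queue with
 * FWPS_STREAM_ACTION_DEFER and later resumes with FwpsStreamContinue0.
 * Assumptions: the watermark values are invented for illustration, and the
 * resume_fn hook stands in for FwpsStreamContinue0 so the logic runs here.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define HIGH_WATERMARK (64u * 1024u)  /* assumed: defer once this much is cloned but not injected */
#define LOW_WATERMARK  0u             /* assumed: resume only once everything queued is injected */

/* What the classify routine would report back to WFP for one data indication. */
typedef enum {
    DECISION_BLOCK_AND_CLONE, /* FWP_ACTION_BLOCK now, clone queued for FwpsStreamInjectAsync0 */
    DECISION_DEFER            /* streamAction = FWPS_STREAM_ACTION_DEFER, actionType = FWP_ACTION_NONE */
} classify_decision_t;

typedef void (*resume_fn)(void *flow_handle); /* stand-in for FwpsStreamContinue0 */

typedef struct {
    void     *flow_handle;    /* opaque per-flow handle handed to the resume hook */
    size_t    queued_bytes;   /* cloned data not yet injected */
    bool      deferred;       /* one DEFER is outstanding; exactly one resume must answer it */
    unsigned  resumes_issued; /* how many times the resume hook has fired */
    resume_fn resume;
} flow_state_t;

/* In a driver every function below would run under the flow's spin lock:
 * classifyFn and the injection work item touch this state concurrently. */

void flow_init(flow_state_t *f, void *flow_handle, resume_fn resume)
{
    f->flow_handle = flow_handle;
    f->queued_bytes = 0;
    f->deferred = false;
    f->resumes_issued = 0;
    f->resume = resume;
}

/* Called from classifyFn for one indication of indicated_bytes. Deferred data is
 * not consumed by the callout, so it is NOT added to queued_bytes. */
classify_decision_t flow_classify(flow_state_t *f, size_t indicated_bytes)
{
    if (f->queued_bytes + indicated_bytes > HIGH_WATERMARK) {
        f->deferred = true;
        return DECISION_DEFER;
    }
    f->queued_bytes += indicated_bytes;
    return DECISION_BLOCK_AND_CLONE;
}

/* Called by the injection thread once a clone of injected_bytes has been injected. */
void flow_injected(flow_state_t *f, size_t injected_bytes)
{
    if (injected_bytes > f->queued_bytes)
        f->queued_bytes = 0;
    else
        f->queued_bytes -= injected_bytes;
}

/* Called from the work item after injecting. Fires the resume hook at most once per
 * DEFER and only after the backlog has drained; the flag is cleared before the call
 * so a second work item racing this one cannot resume the same deferral twice. */
bool flow_maybe_resume(flow_state_t *f)
{
    if (!f->deferred || f->queued_bytes > LOW_WATERMARK)
        return false;
    f->deferred = false;
    f->resumes_issued++;
    if (f->resume)
        f->resume(f->flow_handle); /* FwpsStreamContinue0(flowHandle) in the driver */
    return true;
}

static void print_resume(void *flow_handle)
{
    printf("resume flow %p (FwpsStreamContinue0 would be called here)\n", flow_handle);
}

int main(void)
{
    flow_state_t f;
    int fake_flow = 0; /* constructed stand-in for a flow handle */
    flow_init(&f, &fake_flow, print_resume);

    /* Constructed traffic: two 40 KiB indications; the second exceeds the watermark. */
    printf("first 40 KiB       : %s\n", flow_classify(&f, 40u * 1024u) == DECISION_DEFER ? "DEFER" : "BLOCK+clone");
    printf("second 40 KiB      : %s\n", flow_classify(&f, 40u * 1024u) == DECISION_DEFER ? "DEFER" : "BLOCK+clone");
    printf("resume before drain: %s\n", flow_maybe_resume(&f) ? "yes" : "no");
    flow_injected(&f, 40u * 1024u); /* injection thread drained the backlog */
    printf("resume after drain : %s\n", flow_maybe_resume(&f) ? "yes" : "no");
    printf("duplicate resume   : %s\n", flow_maybe_resume(&f) ? "yes" : "no");
    return 0;
}
```

The ordering in flow_maybe_resume is the part worth carrying into a driver: the deferred flag is tested and cleared under the same lock that flow_classify uses, so the work item can never issue a continue for a deferral that has already been answered, and never issues one while data is still waiting to be injected ahead of the re-indicated bytes.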
