Some checkpoint firewalls have caused stalls on SACK enabled clients. I
don't recall the exact configuration or method of action, but it does
happen. I suspect that it didn't kill the SackOK but only the actual SACKs
Breaking end-to-end is the path to maddness. Trusting practically any
network that leaves a room is insane.
Firewalling should be implemented on the hosts, perhaps with centralized
policy management. In such a situation, there would be no reason to filter
on funny IP options.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to email@example.com
Please read the FAQ at http://www.tux.org/lkml/