[Bug 443] 2.6 kernel failing in NAT with significant outbound traffic

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Mon Apr 10 12:06:33 CEST 2006


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=443
------- Additional Comments From kadlec at netfilter.org  2006-04-10 12:06 MET -------
The packet in question is

17:16:20.626142 IP 80.140.102.163.21189 > 172.30.38.33.39199: . ack 1295128653
win 62928 <nop,nop,timestamp 447335664 3846125602,nop,nop,
sack sack 1 {2061947064:2061948432}>

There must be a gear between the client and the server which munges the TCP
sequence numbers: it processes the ACK fields but fails to do so in the SACK
option field.

Check it by disabling ip_conntrack_tcp_be_liberal on the firewall
and disabling SACK on the server.

[Actually, you are in a SACK hole: it is better if you disable SACK on all 
of your machines as it is non-functional.]

We should correct the message produced by netfilter in order to make it easier
to spot such problems:

ip_ct_tcp: (S)ACK is over the upper bound


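The mismatch described in the comment above, worked through as an added example in C. This is not code from the bug report or from netfilter; it reconstructs the option bytes from the tcpdump line (nop,nop,timestamp,nop,nop,sack), applies a conntrack-style plausibility check to the SACK block, and then shows the step a sequence-rewriting middlebox has to perform on the SACK edges as well as on the ACK field. The upper bound (1 MiB above the ACK) and the pre-translation ACK value (1368 bytes below the SACK block) are assumptions chosen to illustrate the point, not values from the capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_SACK 5
#define MAX_SACK    4

struct sack_block { uint32_t left, right; };

/* Modular sequence-number comparisons, as TCP requires. */
static int seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static int seq_after(uint32_t a, uint32_t b)  { return seq_before(b, a); }

static uint32_t get_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walk the TCP option area. Every SACK edge found is either copied into out[]
 * (out != NULL, at most max blocks stored) or shifted by delta in place
 * (out == NULL). Returns the number of SACK blocks seen, -1 if malformed. */
static int walk_sack(uint8_t *opt, size_t len, struct sack_block *out, int max, uint32_t delta)
{
    size_t i = 0;
    int n = 0;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 2 > len) return -1;
        size_t olen = opt[i + 1];
        if (olen < 2 || i + olen > len) return -1;
        if (kind == TCPOPT_SACK) {
            if ((olen - 2) % 8 != 0) return -1;           /* blocks are 2 x 4 bytes */
            for (size_t j = i + 2; j + 8 <= i + olen; j += 8, n++) {
                if (out) {
                    if (n < max) {
                        out[n].left  = get_be32(opt + j);
                        out[n].right = get_be32(opt + j + 4);
                    }
                } else {
                    put_be32(opt + j,     get_be32(opt + j)     + delta);
                    put_be32(opt + j + 4, get_be32(opt + j + 4) + delta);
                }
            }
        }
        i += olen;
    }
    return n;
}

/* Read-only path: delta is 0 and out is set, so nothing is written. */
int parse_sack(const uint8_t *opt, size_t len, struct sack_block *out, int max)
{
    return walk_sack((uint8_t *)opt, len, out, max, 0);
}

/* The step the faulty gear skips: shift every SACK edge by the same delta
 * that was applied to the ACK field. */
int adjust_sack(uint8_t *opt, size_t len, uint32_t delta)
{
    return walk_sack(opt, len, NULL, 0, delta);
}

/* Conntrack-style check behind "(S)ACK is over the upper bound": each block must
 * lie above the cumulative ACK, and its right edge must not pass upper_bound,
 * the highest sequence number the peer can have sent so far. */
int sack_within_bounds(uint32_t ack, uint32_t upper_bound, const struct sack_block *b, int n)
{
    for (int i = 0; i < n; i++) {
        if (!seq_after(b[i].right, b[i].left)) return 0;   /* empty or inverted block */
        if (seq_before(b[i].left, ack)) return 0;          /* already acknowledged */
        if (seq_after(b[i].right, upper_bound)) return 0;  /* beyond what was sent */
    }
    return 1;
}

/* Option bytes reconstructed from the tcpdump line in the report (constructed input):
 * nop,nop,timestamp 447335664 3846125602,nop,nop,sack 1 {2061947064:2061948432} */
void captured_options(uint8_t out[24])
{
    out[0] = TCPOPT_NOP; out[1] = TCPOPT_NOP; out[2] = 8; out[3] = 10;
    put_be32(out + 4, 447335664u); put_be32(out + 8, 3846125602u);
    out[12] = TCPOPT_NOP; out[13] = TCPOPT_NOP; out[14] = TCPOPT_SACK; out[15] = 10;
    put_be32(out + 16, 2061947064u); put_be32(out + 20, 2061948432u);
}

int main(void)
{
    uint8_t opt[24];
    struct sack_block b[MAX_SACK];
    uint32_t ack = 1295128653u;           /* ACK field as the firewall sees it */
    uint32_t bound = ack + (1u << 20);    /* assumed peer td_end: 1 MiB above the ACK */

    captured_options(opt);
    int n = parse_sack(opt, sizeof opt, b, MAX_SACK);
    printf("captured: %d block(s) %u:%u, within bounds: %d\n",
           n, b[0].left, b[0].right, sack_within_bounds(ack, bound, b, n));

    /* Assumed ACK on the far side of the gear, 1368 bytes below the SACK block. */
    uint32_t ack_far = 2061947064u - 1368u;
    uint32_t delta = ack - ack_far;       /* what the gear applied to the ACK field */
    adjust_sack(opt, sizeof opt, delta);  /* ...and should also have applied here */
    n = parse_sack(opt, sizeof opt, b, MAX_SACK);
    printf("after adjusting SACK too: %u:%u, within bounds: %d\n",
           b[0].left, b[0].right, sack_within_bounds(ack, bound, b, n));
    return 0;
}
```

With the captured bytes the SACK right edge sits roughly 766 MB above the ACK, so no plausible window makes it pass; once the same delta is applied to the SACK edges the block lands 1368 bytes past the ACK and the check passes, which is what a correctly behaving sequence-rewriting gear would have produced. Disabling SACK on the endpoints removes the option entirely, so the check never fails, which is why the comment suggests that as the workaround.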