[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches

bugzilla-daemon at bugzilla.netfilter.org
Sat Jul 15 18:38:39 CEST 2006


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From netfilter at linuxace.com  2006-07-15 18:38 MET -------
Jurgen: you are behind a box which doesn't understand the SACK option.  From
your trace:

02:52:32.237095 IP 134.76.88.65.11064 > 84.132.150.225.32805: P
237274514:237275954(1440) ack 372631662 win 181 <nop,nop,timestamp 229942196
2027250>
02:52:32.252981 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237226994
win 32406 <nop,nop,timestamp 2027266 229941849>
02:52:32.303200 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237228434
win 32406 <nop,nop,timestamp 2027314 229941865,nop,nop,sack 1
{1715655389:1715656829}>  <-----------  SACK sequence numbers not adjusted

Whatever device you are behind (upstream) isn't adjusting the SACK sequence
numbers appropriately.  Unless you control that upstream device, you have only
two options:

- disable TCP window tracking in conntrack in the firewall:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

- disable SACK support on all of your machines behind the firewall:

echo 0 > /proc/sys/net/ipv4/tcp_sack

Joerg: awaiting example from a non-braindead site.

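Added example, not part of the original comment or of netfilter: a small check for the symptom described above, run over the three packets quoted in the trace. It assumes the old tcpdump text format shown in the comment, and that a genuine SACK block lies within 2^30 of the ACK number in the same packet (the largest window TCP window scaling permits); all function and constant names are hypothetical.

```python
import re

MAX_WINDOW = 1 << 30  # assumption: no window exceeds the RFC 7323 scaling limit

# The three packets quoted in the comment, still wrapped as in the mail.
TRACE = """\
02:52:32.237095 IP 134.76.88.65.11064 > 84.132.150.225.32805: P
237274514:237275954(1440) ack 372631662 win 181 <nop,nop,timestamp 229942196
2027250>
02:52:32.252981 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237226994
win 32406 <nop,nop,timestamp 2027266 229941849>
02:52:32.303200 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237228434
win 32406 <nop,nop,timestamp 2027314 229941865,nop,nop,sack 1
{1715655389:1715656829}>
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
HEADER = re.compile(r"IP (\S+) > \S+: .*?\back (\d+) win \d+")
SACK_BLOCK = re.compile(r"\{(\d+):(\d+)\}")

def packets(trace):
    """Rejoin wrapped tcpdump lines; a new packet starts with a timestamp."""
    out = []
    for line in trace.splitlines():
        if TIMESTAMP.match(line):
            out.append(line.strip())
        elif out and line.strip():
            out[-1] += " " + line.strip()
    return out

def signed_diff(a, b):
    """a - b in 32-bit sequence-number arithmetic, as a signed value."""
    d = (a - b) & 0xFFFFFFFF
    return d - (1 << 32) if d >= (1 << 31) else d

def unadjusted_sacks(trace):
    """Return (source, ack, left, right) for SACK blocks implausibly far from the ACK."""
    hits = []
    for pkt in packets(trace):
        hdr = HEADER.search(pkt)
        if not hdr or "sack" not in pkt:
            continue
        ack = int(hdr.group(2))
        for left, right in SACK_BLOCK.findall(pkt):
            # DSACK blocks may sit below the ACK, so compare the absolute distance.
            if abs(signed_diff(int(left), ack)) >= MAX_WINDOW:
                hits.append((hdr.group(1), ack, int(left), int(right)))
    return hits
```

On the quoted trace this reports only the third packet, whose SACK block is about 1.48 billion sequence numbers away from its own ACK.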