[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements

bugzilla-daemon at bugzilla.netfilter.org
Wed Sep 20 00:33:22 CEST 2006


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=511





------- Additional Comments From georgeh at anstat.com.au  2006-09-20 00:33 MET -------
Signed-off-by: George Hansper

For the record, there are 2 work-arounds for this bug:
1/. Don't use connection tracking; use a "stateless" packet-filter rule instead,
    e.g. on the tomcat-server:
       iptables -A INPUT  -p tcp -s apache-server --dport 8009 -j ACCEPT
       iptables -A OUTPUT -p tcp -d apache-server --sport 8009 ! --syn -j ACCEPT

 -- or --- (nicer)
2/. Tweak the setting:
       echo 5 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans

