TCP window tracking has bad side effects

Jozsef Kadlecsik
Wed Dec 1 13:16:31 CET 2004


On Wed, 1 Dec 2004, Ludwig Nussel wrote:

> Recent state matching code apparently added some kind of TCP window
> tracking which marks out of sequence packets as INVALID.
> Previously one could use some minimal filter rules like this on a
> client machine:
> iptables -F
> iptables -X
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> iptables -A INPUT -j ACCEPT -i lo
> iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
> With TCP window tracking those rules no longer work for services
> that use fixed ports (e.g. NFS) and one side crashes or terminates
> the connection in other ways without notifying the peer (e.g. link
> down). When the crashed machine comes up again and tries to
> reestablish the connection it sends a SYN. The remote end finds that
> confusing and replies with an ACK as probe. Since that ACK does not
> fit any window it's discarded as INVALID.

The remote end must send an ACK segment which is in the window (see
RFC793, p68), thus the window tracking code could let it through.

> The remote side can now
> sit there forever sending ACKs and no new connection can be
> established. Previously, without window tracking, the ACK was
> accepted and answered with RST, the remote closed the connection and
> a new one could be established.
> Is there a way to disable the window tracking and revert to the old
> behavior?

Yes, you can disable it anytime:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

But a full tcpdump from such a session and the log entries on the
invalid packets would be useful for us to recheck the code.

Best regards,
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
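The reply asks for the log entries on the INVALID packets before it will recheck the window-tracking code. The script below is an added example, not something posted in this thread: it prints the quoted client ruleset with a LOG rule for state INVALID added ahead of the policy DROP, summarises the resulting kernel log lines per flow and TCP flag set, and wraps the ip_conntrack_tcp_be_liberal knob from the reply so it can be inspected and reverted. The log line layout is the standard iptables LOG target format; the addresses, ports and log lines are constructed for the NFS scenario Ludwig describes (server on 2049 answering a rebooted client's SYN with bare ACKs), and the knob path is made overridable so the helpers can be exercised against a scratch file. The ruleset is printed rather than applied because applying it needs root and changes the live firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): make INVALID drops visible,
# summarise the kernel log lines they produce, and toggle the liberal-window
# knob named in the reply.

# Knob from the reply. Overridable so the helpers can be tried against a
# scratch file on a machine without ip_conntrack loaded.
BE_LIBERAL="${BE_LIBERAL:-/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal}"

# The quoted client ruleset plus a LOG rule for INVALID state, placed
# before the policy DROP so every dropped segment leaves a log entry.
client_ruleset() {
    cat <<'EOF'
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -j ACCEPT -i lo
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID: "
EOF
}

# Report whether window tracking is strict (0), liberal (1) or unreadable.
tcp_be_liberal_status() {
    val="$(cat "$BE_LIBERAL" 2>/dev/null || true)"
    case "$val" in
        1) echo liberal ;;
        0) echo strict ;;
        *) echo unknown ;;
    esac
}

# The workaround from the reply; pass 1 to enable it, 0 to revert.
set_tcp_be_liberal() {
    echo "$1" > "$BE_LIBERAL"
}

# Read iptables LOG output on stdin and count INVALID segments per
# "src:sport -> dst:dport flags". Repeated bare ACKs from one peer are
# the signature of the stuck-connection case described in the mail.
summarize_invalid() {
    awk '
    /INVALID:/ {
        src = dst = spt = dpt = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) flags = flags $i ","
        }
        sub(/,$/, "", flags)
        count[src ":" spt " -> " dst ":" dpt " " flags]++
    }
    END { for (k in count) printf "%s x%d\n", k, count[k] }' | sort
}

# Constructed sample: NFS server 192.0.2.20 probing the rebooted client
# 192.0.2.10 with bare ACKs, each refused by window tracking.
SAMPLE_LOG='Dec  1 13:16:31 client kernel: INVALID: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=2049 DPT=800 WINDOW=5840 RES=0x00 ACK URGP=0
Dec  1 13:16:32 client kernel: INVALID: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=2049 DPT=800 WINDOW=5840 RES=0x00 ACK URGP=0
Dec  1 13:16:34 client kernel: INVALID: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=2049 DPT=800 WINDOW=5840 RES=0x00 ACK URGP=0'

client_ruleset
echo "window tracking: $(tcp_be_liberal_status)"
printf '%s\n' "$SAMPLE_LOG" | summarize_invalid
```

Run it as-is to see the ruleset, the current knob state and the per-flow summary of the constructed log; feed it real `dmesg` or syslog output on stdin with `summarize_invalid` to get the breakdown the reply asks for alongside the tcpdump.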
