ip_conntrack_tcp_be_liberal vs. large downloads?

Harald Welte laforge at netfilter.org
Thu Sep 22 14:35:43 CEST 2005


On Tue, Sep 20, 2005 at 11:46:41AM +0200, Matthias Andree wrote:
> On Tue, 20 Sep 2005, Jozsef Kadlecsik wrote:
> 
> > > I can also test newer kernels if needed - only if there'd been some bug,
> > > I might have assumed that SUSE rolled a patch into one of their update
> > > kernels.
> > 
> > Please try newer kernels - I smell SACKing lost packets and ACKing out of
> > window segments here, which is fixed (i.e. supported) in recent kernels.
> 
> Maybe, although turning SACK off didn't help (of course if the other side
> is doing it, my turning it off cannot help :)

If you prevent the SACKPERM TCP option from being set up in any direction
(e.g. by replacing it with noop options), then you could reliably turn it off.
Maybe it's time for an iptables TCPOPTSSTRIP target ;)


-- 
- Harald Welte <laforge at netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
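
Added example (not part of the message above and not netfilter code): a user-space C illustration of replacing the SACK-permitted option with no-op options in a TCP option area, so the header length stays the same and SACK is never negotiated. The function names and the sample byte arrays are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCPOPT_EOL      0  /* end of option list */
#define TCPOPT_NOP      1  /* one-byte no-op padding */
#define TCPOPT_SACKPERM 4  /* SACK-permitted: kind 4, length 2 */

/* Walk the option area; when rewrite is set, overwrite options of `kind` with NOPs.
 * Returns the number of matching options, or -1 if the list is malformed. */
static int walk_opts(uint8_t *opts, size_t len, uint8_t kind, int rewrite)
{
    int hits = 0;
    size_t i = 0;
    while (i < len && opts[i] != TCPOPT_EOL) {
        if (opts[i] == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return -1;                    /* kind byte with no length byte */
        size_t optlen = opts[i + 1];
        if (optlen < 2 || optlen > len - i) return -1;  /* length runs outside the header */
        if (opts[i] == kind) {
            if (rewrite) memset(opts + i, TCPOPT_NOP, optlen);
            hits++;
        }
        i += optlen;
    }
    return hits;
}

/* Validate first, then rewrite, so a malformed header is left untouched.
 * The header length is unchanged; the caller must still fix the TCP checksum. */
int tcpopt_nop_out(uint8_t *opts, size_t len, uint8_t kind)
{
    if (walk_opts(opts, len, kind, 0) < 0) return -1;
    return walk_opts(opts, len, kind, 1);
}

/* Constructed sample: SYN options MSS 1460, SACK-permitted, timestamps, NOP, wscale 7 */
uint8_t syn_opts[20] = { 2, 4, 0x05, 0xb4,  4, 2,
                         8, 10, 0, 0, 0, 1, 0, 0, 0, 0,  1,  3, 3, 7 };
/* Constructed sample: timestamp option claims 10 bytes but is cut short */
uint8_t bad_opts[5] = { 4, 2, 8, 10, 0 };

int main(void)
{
    uint8_t buf[sizeof syn_opts];
    memcpy(buf, syn_opts, sizeof buf);
    printf("replaced: %d\n", tcpopt_nop_out(buf, sizeof buf, TCPOPT_SACKPERM));
    for (size_t i = 0; i < sizeof buf; i++) printf("%02x ", buf[i]);
    printf("\n");
    return 0;
}
```

The rewrite has to be applied to the SYN and the SYN-ACK alike, since either side can offer the option.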