Problem accessing https://my.procurve.com/profile/index.aspx (ACK is over the upper bound)

Krzysztof Oledzki ole at ans.pl
Sun Jul 1 03:04:26 CEST 2007



On Sun, 1 Jul 2007, Krzysztof Oledzki wrote:

> Hello,
>
> My colleague has just reported that he is unable to access the "REGISTER HERE"
> page from https://my.procurve.com/profile/index.aspx. Short debugging
> shows that his connection was dropped by the netfilter code running on the fw/nat
> host:
<CUT>
> AFAIK netfilter is supposed to drop such a packet (without sending a RST),
> isn't it? So why was the RST packet sent?

OK, this was easy. The RST was sent simply because the packet was not
dropped but instead delivered to the local IP - there was no
valid tuple to change (un-NAT) the packet destination. Setting:

iptables -I PREROUTING -m conntrack --ctstate INVALID -j DROP

results in no more RSTs, only retransmissions from 216.34.143.7. And yes, I
have a patched kernel so I'm able to filter packets in a PREROUTING
chain.

The rest of the question remains:

> Setting net.ipv4.netfilter.ip_conntrack_tcp_be_liberal solves the problem,
> but this is not the right fix, and now the main question is: was this ACK really
> over the upper bound, since when
> net.ipv4.netfilter.ip_conntrack_tcp_be_liberal is enabled it is possible to
> access this page (of course with many netfilter warnings that "ACK is over
> the upper bound").
>
> root at fw1:~# uname -r
> 2.6.20.11


Best regards,

 				Krzysztof Olędzki
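Added illustration (not part of the original mail, and not the netfilter source itself): a simplified Python model of the conntrack TCP window check behind the "ACK is over the upper bound" warning discussed above. It tracks, per direction, the highest sequence end seen, the largest window advertised and the highest sequence the side may send, then applies the four bounds checks to each packet. The scenario reproduces the symptom from a defender's view: when the firewall never sees a reply segment (asymmetric routing or a lost packet), the client's ACK for that data acknowledges bytes conntrack has not seen, the packet is marked INVALID, and without an explicit DROP such a packet is not un-NATted and reaches the local stack, which answers with an RST. The model is assumed to follow the 2.6.20-era behaviour in which the warning is logged regardless and tcp_be_liberal only decides whether the packet is still accepted; the 66000 ACK-window floor, the omission of 32-bit sequence wrap-around and window scaling, and all packet values are constructed assumptions.

```python
# Simplified model of the conntrack TCP window check ("tcp_in_window").
# Assumptions: 2.6.20-era behaviour (log first, then accept only if be_liberal),
# no 32-bit wrap-around arithmetic, no window scaling, constructed packet values.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAXACKWINCONST = 66000  # assumed floor for the permitted ACK window (netfilter's MAXACKWINCONST)

Verdict = Tuple[bool, Optional[str]]  # (packet accepted?, window-check failure reason or None)


@dataclass
class Direction:
    """Per-direction state, named after the td_* fields conntrack keeps."""
    td_end: int = 0      # highest seq + length seen from this side
    td_maxend: int = 0   # highest seq this side may send (peer's ack + peer's window)
    td_maxwin: int = 0   # largest window this side has advertised
    seen: bool = False   # has conntrack seen any packet from this side?


def maxackwindow(d: Direction) -> int:
    """How far back an ACK may point, relative to what the peer has sent."""
    return max(d.td_maxwin, MAXACKWINCONST)


class ConntrackTcp:
    def __init__(self) -> None:
        self.orig = Direction()
        self.reply = Direction()

    def packet(self, direction: str, seq: int, ack: Optional[int], payload_len: int,
               win: int, syn: bool = False, fin: bool = False, be_liberal: bool = False) -> Verdict:
        sender, receiver = (self.orig, self.reply) if direction == "orig" else (self.reply, self.orig)
        end = seq + payload_len + int(syn) + int(fin)   # SYN and FIN each consume one sequence number
        if ack is None:                                  # no ACK flag: pretend it acknowledged all data seen
            ack = receiver.td_end

        if not sender.seen:   # first packet in this direction: initialise, nothing to check against yet
            sender.td_end = end
            sender.td_maxwin = max(win, 1)
            sender.td_maxend = end + sender.td_maxwin
            sender.seen = True
            receiver.td_maxend = max(receiver.td_maxend, ack + win)
            return True, None

        reason = None
        if seq > sender.td_maxend:
            reason = "SEQ is over the upper bound (Ack of data not seen yet)"
        elif end < sender.td_end - receiver.td_maxwin:
            reason = "SEQ is under the lower bound (already ACKed data retransmitted)"
        elif ack > receiver.td_end:
            reason = "ACK is over the upper bound (ACKed data not seen yet)"
        elif ack < receiver.td_end - maxackwindow(sender):
            reason = "ACK is under the lower bound (possible overly delayed ACK)"

        if reason is None:    # in window: advance the tracking state
            sender.td_maxwin = max(sender.td_maxwin, win)
            sender.td_end = max(sender.td_end, end)
            receiver.td_maxend = max(receiver.td_maxend, ack + win)
            return True, None
        # Out of window: the warning is emitted either way; be_liberal only decides
        # whether the packet is still accepted, and the state is left untouched.
        return be_liberal, reason


def run_scenario(firewall_sees_reply_data: bool, be_liberal: bool = False) -> List[Verdict]:
    """Handshake, a client request, a server reply the firewall may or may not see,
    then the client's ACK for that reply. All numbers are constructed sample values."""
    ct = ConntrackTcp()
    v = [
        ct.packet("orig", seq=1000, ack=None, payload_len=0, win=5840, syn=True, be_liberal=be_liberal),
        ct.packet("reply", seq=5000, ack=1001, payload_len=0, win=5840, syn=True, be_liberal=be_liberal),
        ct.packet("orig", seq=1001, ack=5001, payload_len=0, win=5840, be_liberal=be_liberal),
        ct.packet("orig", seq=1001, ack=5001, payload_len=100, win=5840, be_liberal=be_liberal),
    ]
    if firewall_sees_reply_data:   # 400-byte server reply; skipped to model an asymmetric or lost path
        v.append(ct.packet("reply", seq=5001, ack=1101, payload_len=400, win=5840, be_liberal=be_liberal))
    v.append(ct.packet("orig", seq=1101, ack=5401, payload_len=0, win=5840, be_liberal=be_liberal))
    return v


if __name__ == "__main__":
    for seen, liberal in ((True, False), (False, False), (False, True)):
        print(f"reply data seen={seen} be_liberal={liberal}: {run_scenario(seen, liberal)[-1]}")
```

The last verdict is the interesting one: with the reply segment observed the final ACK is in window; with it missing the ACK points past everything conntrack has seen from the server and is rejected with the "ACK is over the upper bound" reason; with be_liberal the same reason is produced but the packet is accepted, which is exactly the "works, but with many warnings" behaviour described in the thread.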

