Problem accessing https://my.procurve.com/profile/index.aspx
(ACK is over the upper bound)
Krzysztof Oledzki
ole at ans.pl
Sun Jul 1 03:04:26 CEST 2007
On Sun, 1 Jul 2007, Krzysztof Oledzki wrote:
> Hello,
>
> My colleague has just reported that he is unable to access the "REGISTER HERE"
> page from https://my.procurve.com/profile/index.aspx. Short debugging
> shows that his connection was dropped by the netfilter code running on the fw/nat
> host:
<CUT>
> AFAIK netfilter is supposed to drop such packet (without sending a RST),
> isn't it? So why the RST packet was sent?
OK, this was easy. The RST was sent simply because the packet was not
dropped but instead delivered to the local IP - there was no
valid tuple to change (unnat) the packet's destination. Setting:
iptables -I PREROUTING -m conntrack --ctstate INVALID -j DROP
makes no more RSTs, only retransmissions from 216.34.143.7. And yes, I
have a patched kernel so I'm able to filter packets in the PREROUTING
chain.
The rest of the question remains:
> Setting net.ipv4.netfilter.ip_conntrack_tcp_be_liberal solves the problem,
> but this is not the right fix, and now the main question is: was this ACK really
> over the upper bound, since when
> net.ipv4.netfilter.ip_conntrack_tcp_be_liberal is enabled it is possible to
> access this page (of course with many netfilter warnings that "ACK is over
> the upper bound")?
>
> root at fw1:~# uname -r
> 2.6.20.11
Best regards,
Krzysztof Olędzki
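As an added illustration (it is not part of Krzysztof's post and not the netfilter project's code), the following Python is a simplified model of the TCP window-tracking check in ip_conntrack_proto_tcp.c / nf_conntrack_proto_tcp.c (tcp_in_window()) that emits the "ACK is over the upper bound" warning, together with the effect of the ip_conntrack_tcp_be_liberal switch. The state fields borrow the kernel's names (td_end, td_maxend, td_maxwin); the connection state and the ACK packet are constructed for the demo, and the bookkeeping on acceptance is reduced to the parts needed for the scenario.

```python
# Added example, not from the mailing-list post or the netfilter sources:
# a simplified model of netfilter's tcp_in_window() check and of the
# ip_conntrack_tcp_be_liberal sysctl. Scenario data below is constructed.
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
MAXACKWINCONST = 66000  # kernel constant behind MAXACKWINDOW()


def before(a, b):
    """Linux before(): True when a precedes b modulo 2**32 (signed diff < 0)."""
    return ((a - b) & MASK32) >= 0x80000000


def after(a, b):
    return before(b, a)


def maxackwindow(sender):
    return max(sender.td_maxwin, MAXACKWINCONST)


@dataclass
class Direction:
    td_end: int     # highest end-of-data sequence number seen from this side
    td_maxend: int  # upper edge of the window this side may send into
    td_maxwin: int  # largest window this side has advertised


@dataclass
class Packet:
    seq: int
    ack: int
    length: int  # payload bytes (SYN/FIN accounting omitted)
    win: int     # advertised window


def tcp_in_window(sender, receiver, pkt, be_liberal=False):
    """Return (accepted, reason); reason is None when the segment is in-window.

    `sender` is the side that sent pkt, `receiver` the other side. The four
    tests and their messages follow the order of the kernel's log strings."""
    seq, ack = pkt.seq, pkt.ack
    end = (seq + pkt.length) & MASK32
    reason = None
    if not before(seq, sender.td_maxend + 1):
        reason = "SEQ is over the upper bound (Ack of data not sent yet)"
    elif not after(end, sender.td_end - receiver.td_maxwin - 1):
        reason = "SEQ is under the lower bound (already ACKed data retransmitted)"
    elif not before(ack, receiver.td_end + 1):
        reason = "ACK is over the upper bound (ACKed data not seen yet)"
    elif not after(ack, receiver.td_end - maxackwindow(sender) - 1):
        reason = "ACK is under the lower bound (possible overly delayed ACK)"

    if reason is None:
        # In-window: update tracking state (simplified from the kernel).
        sender.td_maxwin = max(sender.td_maxwin, pkt.win)
        if after(end, sender.td_end):
            sender.td_end = end
        new_maxend = (ack + pkt.win) & MASK32
        if after(new_maxend, receiver.td_maxend - 1):
            receiver.td_maxend = new_maxend
        return True, None

    # Out of window: the liberal sysctl lets the packet through without
    # updating the window state; the reason is still reported.
    return be_liberal, reason


def demo(client_ack, be_liberal=False):
    """Constructed scenario: conntrack has seen the server send data only up to
    sequence 1000, but the client ACKs `client_ack` (e.g. 2000 when a server
    segment never crossed this firewall). Returns (accepted, reason)."""
    client = Direction(td_end=500, td_maxend=500 + 65535, td_maxwin=65535)
    server = Direction(td_end=1000, td_maxend=1000 + 65535, td_maxwin=65535)
    pkt = Packet(seq=500, ack=client_ack, length=0, win=65535)
    return tcp_in_window(client, server, pkt, be_liberal)


if __name__ == "__main__":
    print("strict, ack=2000 :", demo(2000, be_liberal=False))
    print("liberal, ack=2000:", demo(2000, be_liberal=True))
    print("strict, ack=900  :", demo(900, be_liberal=False))
```

With strict tracking the ACK for data conntrack never saw is classified INVALID, which is exactly the packet that the PREROUTING INVALID-drop rule in the mail discards before it can reach the local IP and provoke an RST; with be_liberal the same packet is passed but the state is not advanced, which is why the warnings keep appearing while the page loads.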