Why does this connection stop being tracked?

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Wed Jun 15 13:47:32 CEST 2005


On Wed, 15 Jun 2005, Andy Smith wrote:

> > You have two choices: either disable TCP SACK support on all your
> > real/virtual machines behind your firewall, or upgrade the kernel on the
> > firewall.
>
> Do you have any instructions or a pointer to documentation on how to
> temporarily disable SACK?  If it was a /proc setting that would be
> ideal; I don't really want to have to recompile kernels though.

echo 0 > /proc/sys/net/ipv4/tcp_sack

> > There is a SACK related bug in netfilter connection tracking in
> > 2.6.11 (and below).  According to the dumped traffic your connections
> > suffer from packet losses,
>
> Interesting; this may explain why I only notice this when I'm coming
> from 82.44.131.131 - its network is kind of sucky. :)
>
> > SACK kicks in and conntrack screws up tracking
> > the given TCP connections. (Sorry, I can't recall at which rc release was
> > the fix submitted in.)
>
> How sure are you that this is the problem I am seeing?

The dump file shows that the communicating parties advertise SACK support
and later on in the traffic they do use SACK options. And because living
connections hang up, that indicates the SACK bug. You can simply check it
by disabling SACK.

Best regards,
Jozsef
-
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
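The following shell script is an added example and is not part of the mail above or of the netfilter project. It wraps the /proc knob Jozsef names so that SACK can be switched off for the test he suggests and switched back on afterwards, and it counts the "sackOK" and "sack N {...}" option fields that tcpdump prints, which is the evidence the mail reads from the dump file. The SACK_KNOB override, the sack_* function names and the command-line verbs are assumptions made for this example; the real path is /proc/sys/net/ipv4/tcp_sack and writing to it needs root on a Linux host. As the mail says, the knob has to be flipped on the machines behind the firewall, since disabling SACK on the firewall itself does not change what forwarded connections negotiate.

```sh
#!/bin/sh
# Added example, not from the original mail or from netfilter.
# SACK_KNOB is an assumed override so the functions can be exercised
# against a scratch file; the real sysctl file is
# /proc/sys/net/ipv4/tcp_sack (Linux only, root needed to write).
SACK_KNOB="${SACK_KNOB:-/proc/sys/net/ipv4/tcp_sack}"

# Print "enabled" or "disabled" according to the current knob value.
sack_state() {
    read -r v < "$SACK_KNOB" || return 1
    case "$v" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# Stop advertising SACK on NEW connections and print the previous value
# so the caller can restore it. Connections that are already established
# keep whatever they negotiated in the handshake, so the hanging sessions
# have to be reopened after the knob is flipped for the test to mean
# anything.
sack_disable() {
    prev=$(cat "$SACK_KNOB") || return 1
    echo 0 > "$SACK_KNOB" || return 1
    echo "$prev"
}

# Put back a value saved by sack_disable (only 0 or 1 is accepted).
sack_restore() {
    case "$1" in
        0|1) ;;
        *) echo "sack_restore: bad value '$1'" >&2; return 1 ;;
    esac
    echo "$1" > "$SACK_KNOB"
}

# Count SACK use in a capture file, mirroring what the mail reads from the
# dump: tcpdump prints "sackOK" for the SACK-permitted option in the
# SYN/SYN-ACK and "sack N {a:b,...}" for SACK blocks in later segments.
# Prints "<sackOK count> <sack block count>"; exits 2 without tcpdump.
sack_in_dump() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    tcpdump -nnvr "$1" tcp 2>/dev/null | awk '
        /sackOK/          { permitted++ }
        /sack [0-9]+ \{/  { blocks++ }
        END { printf "%d %d\n", permitted + 0, blocks + 0 }'
}

# Command-line use: status | off | on | dump <file.pcap>
case "${1:-}" in
    status) sack_state ;;
    off)    sack_disable ;;
    on)     sack_restore 1 ;;
    dump)   sack_in_dump "$2" ;;
esac
```

A typical round trip on a host behind the firewall is `prev=$(sack_disable)`, reopen the connection that used to hang, then `sack_restore "$prev"`; `sack_in_dump hang.pcap` printing a non-zero second number confirms that SACK blocks were actually exchanged in the capture, not merely offered in the handshake.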
