[Bug 443] 2.6 kernel failing in NAT with significant outbound traffic
bugzilla-daemon at bugzilla.netfilter.org
Mon Apr 10 12:06:32 CEST 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=443
------- Additional Comments From kadlec at netfilter.org 2006-04-10 12:06 MET -------
The packet in question is
17:16:20.626142 IP 80.140.102.163.21189 > 172.30.38.33.39199: . ack 1295128653
win 62928 <nop,nop,timestamp 447335664 3846125602,nop,nop,
sack sack 1 {2061947064:2061948432}>
There must be a gear between the client and the server which munges the TCP
sequence numbers: it processes the ACK fields but fails to do so in the SACK
option field.
Check it by disabling ip_conntrack_tcp_be_liberal on the firewall
and disabling SACK on the server.
[Actually, you are in a SACK hole: it is better if you disable SACK on all
of your machines as it is non-functional.]
We should correct the message produced by netfilter in order to make it easier
to spot such problems:
ip_ct_tcp: (S)ACK is over the upper bound
--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.
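The mismatch described in the comment above can be checked offline from a captured ACK. This is an added example, not part of the original comment and not netfilter's code: it parses the TCP option bytes, extracts the SACK blocks, and reports any block whose right edge lies beyond ack + (win << wscale). The function names are hypothetical, the option bytes are constructed from the values in the tcpdump line, and the window scale of 7 is an assumption because the dump does not show the negotiated value.

```python
import struct

def seq_after(a, b):
    """True if 32-bit sequence number a is after b (serial arithmetic)."""
    return 0 < ((a - b) & 0xFFFFFFFF) < 0x80000000

def parse_sack_blocks(options):
    """Return [(left, right), ...] from raw TCP option bytes."""
    blocks, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options):
            break                          # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                          # malformed length, stop parsing
        if kind == 5 and (length - 2) % 8 == 0:   # SACK: 8 bytes per block
            for off in range(i + 2, i + length, 8):
                blocks.append(struct.unpack_from("!II", options, off))
        i += length
    return blocks

def sack_over_upper_bound(ack, win, wscale, options):
    """SACK blocks whose right edge is past ack + (win << wscale).

    Only the upper bound is tested: D-SACK blocks may legitimately
    sit below the cumulative ACK.
    """
    upper = (ack + (win << wscale)) & 0xFFFFFFFF
    return [(l, r) for l, r in parse_sack_blocks(options) if seq_after(r, upper)]

# Constructed from the packet quoted above: nop,nop,timestamp,nop,nop,sack.
PAGE_OPTIONS = (b"\x01\x01" + struct.pack("!BBII", 8, 10, 447335664, 3846125602)
                + b"\x01\x01" + struct.pack("!BBII", 5, 10, 2061947064, 2061948432))
ACK, WIN, WSCALE = 1295128653, 62928, 7    # WSCALE is an assumed value

# Constructed counter-example: a SACK block translated consistently with the ACK.
GOOD_OPTIONS = b"\x01\x01" + struct.pack("!BBII", 5, 10, ACK + 2896, ACK + 4344)

if __name__ == "__main__":
    print(sack_over_upper_bound(ACK, WIN, WSCALE, PAGE_OPTIONS))
    print(sack_over_upper_bound(ACK, WIN, WSCALE, GOOD_OPTIONS))
```

The block from the quoted packet sits roughly 767 million sequence numbers above the ACK, far outside any window this packet could advertise at that scale, while the constructed consistent block passes.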