bugzilla-daemon@bugzilla.netfilter.org
2006-Jul-15 18:38 UTC
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From netfilter@linuxace.com 2006-07-15 18:38 MET -------

Jurgen: you are behind a box which doesn't understand the SACK option.
From your trace:

02:52:32.237095 IP 134.76.88.65.11064 > 84.132.150.225.32805: P 237274514:237275954(1440) ack 372631662 win 181 <nop,nop,timestamp 229942196 2027250>
02:52:32.252981 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237226994 win 32406 <nop,nop,timestamp 2027266 229941849>
02:52:32.303200 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237228434 win 32406 <nop,nop,timestamp 2027314 229941865,nop,nop,sack 1 {1715655389:1715656829}>
    <----------- SACK sequence numbers not adjusted

Whatever device you are behind (upstream) isn't adjusting the SACK sequence numbers appropriately. Unless you control that upstream device, you have only two options:

- disable TCP window tracking in conntrack in the firewall:

  echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

- disable SACK support on all of your machines behind the firewall:

  echo 0 > /proc/sys/net/ipv4/tcp_sack

Joerg: awaiting example from a non-braindead site.

--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
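As an added illustration (not part of the bug report and not netfilter's own code), the script below replays the three trace lines quoted above through a simplified model of conntrack's TCP window check, showing why the ACK carrying the unadjusted SACK block is judged INVALID (so the RELATED,ESTABLISHED state match fails) and why ip_conntrack_tcp_be_liberal=1 lets it through. The window floor of 66000 and the rule that the highest SACK right edge is validated in place of the ACK number are assumptions based on my reading of nf_conntrack_proto_tcp.c; window scaling, SYN and RST handling are left out.

```python
import re

# Assumed from nf_conntrack_proto_tcp.c: smallest window conntrack accepts an ACK within.
MAXACKWINCONST = 66000
# Old-style tcpdump line: "<ts> IP src.port > dst.port: <flags> [seq:end(len)] ack N win W <opts>"
PKT_RE = re.compile(r'^\S+ IP (\S+) > (\S+): \S+ (?:(\d+):(\d+)\(\d+\) )?ack (\d+) win (\d+)(?: <(.*)>)?$')
# The three packets quoted in the bug comment above.
TRACE = [
    "02:52:32.237095 IP 134.76.88.65.11064 > 84.132.150.225.32805: P 237274514:237275954(1440) ack 372631662 win 181 <nop,nop,timestamp 229942196 2027250>",
    "02:52:32.252981 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237226994 win 32406 <nop,nop,timestamp 2027266 229941849>",
    "02:52:32.303200 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237228434 win 32406 <nop,nop,timestamp 2027314 229941865,nop,nop,sack 1 {1715655389:1715656829}>",
]

def before(a, b):  # TCP sequence-space comparison, wrapping at 2^32: True if a precedes b
    return ((a - b) & 0xFFFFFFFF) >= 0x80000000

def after(a, b):
    return before(b, a)

def parse(line):
    """Return (src, dst, seq_end or None, ack, win, [(sack_left, sack_right), ...])."""
    m = PKT_RE.match(line)
    if not m:
        raise ValueError("unparsed line: " + line)
    src, dst, _seq, end, ack, win, opts = m.groups()
    sack = [(int(l), int(r)) for l, r in re.findall(r'\{(\d+):(\d+)\}', opts or '')]
    return src, dst, (int(end) if end else None), int(ack), int(win), sack

def check_trace(lines, be_liberal=False):
    """Verdict per packet ('unknown', 'valid', 'INVALID'), mimicking conntrack's ACK window check."""
    td_end = {}  # highest sequence number each endpoint has sent so far
    verdicts = []
    for line in lines:
        src, dst, end, ack, _win, sack = parse(line)
        if end is not None and (src not in td_end or after(end, td_end[src])):
            td_end[src] = end
        for _left, right in sack:  # conntrack validates the highest SACK right edge, not the plain ACK
            if after(right, ack):
                ack = right
        peer_end = td_end.get(dst)
        if peer_end is None:
            verdicts.append('unknown')  # no data from dst seen yet, nothing to check against
        elif be_liberal:
            verdicts.append('valid')    # ip_conntrack_tcp_be_liberal=1: only RSTs are window-checked
        elif before(ack, peer_end + 1) and after(ack, peer_end - MAXACKWINCONST - 1):
            verdicts.append('valid')
        else:
            verdicts.append('INVALID')  # e.g. a SACK block carrying un-NATed sequence numbers
    return verdicts
```

Running check_trace(TRACE) yields ['unknown', 'valid', 'INVALID']: the plain ACK in packet 2 sits inside the peer's window, while the SACK right edge 1715656829 in packet 3 is nowhere near the peer's highest sent byte 237275954.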
bugzilla-daemon@bugzilla.netfilter.org
2006-Jul-16 11:55 UTC
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From holm@theorie.physik.uni-goettingen.de 2006-07-16 11:55 MET -------

(In reply to comment #27)
> Jurgen: you are behind a box which doesn't understand the SACK option.

- My Siemens Gigaset DSL Router with linux 2.4.17 ??
- German telecom ??

> ..
> - disable TCP window tracking in conntrack in the firewall:
>
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

That's it!

So, this is the bug: no documentation at all in /usr/src/linux/Documentation

This is important, because of the change in behavior from 2.6.8.1 to new kernels.

According to http://lists.netfilter.org/pipermail/netfilter-devel/2005-September/021438.html you run into the same trouble with e.g. intel's "Premier" service download servers (Microsoft IIS)

So, ip_conntrack_tcp_be_liberal should default to 1

jh
bugzilla-daemon@bugzilla.netfilter.org
2006-Jul-16 18:53 UTC
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From netfilter@linuxace.com 2006-07-16 18:53 MET -------

(In reply to comment #28)
> So, ip_conntrack_tcp_be_liberal should default to 1

No, it should be 1 only if you are behind broken routers or firewalls. Most of the world is not, and enabling TCP window tracking by default is a good security measure. I'm afraid this will not change.
bugzilla-daemon@bugzilla.netfilter.org
2006-Jul-26 03:51 UTC
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From netfilter@linuxace.com 2006-07-26 03:50 MET -------

Joerg: when you are able to find a valid, reproducible problem, please open a NEW bugzilla entry with the details. All the data on this bug entry has thus far proven to be unreliable.
bugzilla-daemon@bugzilla.netfilter.org
2006-Jul-26 10:09 UTC
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From joerg@dorchain.net 2006-07-26 10:08 MET -------

(In reply to comment #30)
> Joerg: when you are able to find a valid, reproducible problem, please open a
> NEW bugzilla entry with the details. All the data on this bug entry has thus
> far proven to be unreliable.

Will do. ATM I am in a new project and have not much time until things settled a bit.