bugzilla-daemon@bugzilla.netfilter.org
2006-Sep-15 06:42 UTC
[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=511

------- Additional Comments From kaber@trash.net 2006-09-15 06:42 MET -------
So you're saying the problem is that the receiver updates its window multiple times without receiving any data in between, thereby falsely triggering the "dead-peer detection" (as you call it)?

--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon@bugzilla.netfilter.org
2006-Sep-15 07:53 UTC
[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
------- Additional Comments From georgeh@anstat.com.au 2006-09-15 07:52 MET -------
Yes. That's what the tcpdump is showing.

As I understand it, the receiver can advertise a new window if the available window increases by one MSS or half the buffer space. In this case, it seems to send the 1st window advertisement when the window increases by 1 MSS, and then more whenever the window size (roughly) doubles.

In this case, the receiver (apache-server) is a Red Hat ES3 installation which is based on the 2.4.21 kernel, and the sender (tomcat-server) is a Red Hat ES4 installation, which is based on the 2.6.9 kernel.
bugzilla-daemon@bugzilla.netfilter.org
2006-Sep-15 08:21 UTC
[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
------- Additional Comments From kaber@trash.net 2006-09-15 08:21 MET -------
I'm a bit surprised why the receiver would increase the window size (even multiple times) without receiving data. Can you show a dump of this behaviour please?
bugzilla-daemon@bugzilla.netfilter.org
2006-Sep-18 03:02 UTC
[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
------- Additional Comments From georgeh@anstat.com.au 2006-09-18 03:02 MET -------
A tcpdump is included in the original bug report.

As I understand it, the window is increased as data is moved from kernel's TCP buffer to the application, thereby freeing up the buffer. As more buffer-space becomes available, the window is opened further.

The example shows 3 additional window-advertisements, sent over the space of almost 1 second.

I can generate more examples if you wish, as it happens fairly frequently in the course of a day.
bugzilla-daemon@bugzilla.netfilter.org
2006-Sep-18 07:43 UTC
[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
kaber@trash.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kadlec@netfilter.org
             Status|NEW                         |ASSIGNED

------- Additional Comments From kaber@trash.net 2006-09-18 07:43 MET -------
I missed your tcpdump, thanks. Your patch seems fine to me (we could maybe save a few bytes by using bitfields for some other members, but that's something for a different patch).

Jozsef, do you have any objections against applying this?
bugzilla-daemon@bugzilla.netfilter.org
2006-Sep-18 10:21 UTC
[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
------- Additional Comments From kadlec@netfilter.org 2006-09-18 10:21 MET -------
No, nothing, it does improve dead-peer detection. Feel free to apply the patch.
bugzilla-daemon@bugzilla.netfilter.org
2006-Sep-18 12:23 UTC
[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
------- Additional Comments From kaber@trash.net 2006-09-18 12:23 MET -------
Great, thanks. George, can you add a Signed-off-by: line please so I can apply the patch?
bugzilla-daemon@bugzilla.netfilter.org
2006-Sep-20 00:33 UTC
[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
------- Additional Comments From georgeh@anstat.com.au 2006-09-20 00:33 MET -------
Signed-off-by: George Hansper

For the record, there are 2 work-arounds for this bug:

1/. Don't use connection tracking, use a "stateless" packet-filter rule instead
    eg on the tomcat-server

    iptables -A INPUT -p tcp -s apache-server --dport 8009 -j ACCEPT
    iptables -A OUTPUT -p tcp -d apache-server --sport 8009 ! --syn -j ACCEPT

-- or --- (nicer)

2/. tweak the setting:

    echo 5 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans
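
A simplified model of the counter discussed in this thread, added here as an example; it is not the patch attached to the bug and not kernel code. The struct, function and sample names are hypothetical, the segments are constructed, and comparing the advertised window is an assumption about the shape of a fix; the thresholds 3 and 5 are the ones named in the bug title and in workaround 2.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified tracking state; not the kernel's structure. */
struct ack_state {
    uint32_t last_seq, last_ack, last_end;
    uint16_t last_win;
    unsigned retrans;
    int primed;
};
struct seg { uint32_t seq, ack, len; uint16_t win; };

/* Count a segment as a retransmission when it repeats the previous one.
 * cmp_win=0: window ignored (the behaviour reported in the bug).
 * cmp_win=1: window must match as well (assumed shape of a fix). */
static unsigned track_ack(struct ack_state *s, const struct seg *p, int cmp_win)
{
    uint32_t end = p->seq + p->len;
    int same = s->primed && s->last_seq == p->seq && s->last_ack == p->ack &&
               s->last_end == end && (!cmp_win || s->last_win == p->win);
    if (same)
        return ++s->retrans;
    s->last_seq = p->seq; s->last_ack = p->ack;
    s->last_end = end;    s->last_win = p->win;
    s->retrans = 0;       s->primed = 1;
    return 0;
}

/* 1 if the counter ever reaches max_retrans (short timeout would apply). */
static int short_timeout_hit(const struct seg *v, int n, int cmp_win,
                             unsigned max_retrans)
{
    struct ack_state s = {0};
    int hit = 0;
    for (int i = 0; i < n; i++)
        hit |= track_ack(&s, &v[i], cmp_win) >= max_retrans;
    return hit;
}

/* Constructed: one ACK, then 3 pure window updates (same seq/ack). */
static const struct seg WIN_UPDATES[4] = {
    {1000, 5000, 0, 1448}, {1000, 5000, 0, 2896},
    {1000, 5000, 0, 5792}, {1000, 5000, 0, 11584} };
/* Constructed: the same ACK, unchanged, sent 4 times. */
static const struct seg DUP_ACKS[4] = {
    {1000, 5000, 0, 1448}, {1000, 5000, 0, 1448},
    {1000, 5000, 0, 1448}, {1000, 5000, 0, 1448} };

int main(void)
{
    printf("updates, window ignored, max 3 / max 5: %d %d\n",
           short_timeout_hit(WIN_UPDATES, 4, 0, 3), short_timeout_hit(WIN_UPDATES, 4, 0, 5));
    printf("window compared, updates / true repeats: %d %d\n",
           short_timeout_hit(WIN_UPDATES, 4, 1, 3), short_timeout_hit(DUP_ACKS, 4, 1, 3));
}
```

In this model, raising the threshold to 5 only hides the three-update case, while comparing the window keeps genuine repeats counted.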
bugzilla-daemon@bugzilla.netfilter.org
2006-Sep-20 08:38 UTC
[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
kaber@trash.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From kaber@trash.net 2006-09-20 08:38 MET -------
Applied, thanks. Closing ..