netfilter buglog - Jul 2006 - [Bug 464] state match sometimes failes RELATED,ESTABLISHED matches

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From netfilter@linuxace.com  2006-07-15 18:38 MET
-------
Jurgen: you are behind a box which doesn't understand the SACK option.  From
your trace:

02:52:32.237095 IP 134.76.88.65.11064 > 84.132.150.225.32805: P
237274514:237275954(1440) ack 372631662 win 181 <nop,nop,timestamp 229942196
2027250>
02:52:32.252981 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237226994
win 32406 <nop,nop,timestamp 2027266 229941849>
02:52:32.303200 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237228434
win 32406 <nop,nop,timestamp 2027314 229941865,nop,nop,sack 1
{1715655389:1715656829}>  <-----------  SACK sequence numbers not adjusted

Whatever device you are behind (upstream) isn't adjusting the SACK sequence
numbers approrpriately.  Unless you control that upstream device, you have only
two options:

- disable TCP window tracking in conntrack in the firewall:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

- disable SACK support on all of your machines behind the firewall:

echo 0 > /proc/sys/net/ipv4/tcp_sack

Joerg: awaiting example from a non-braindead site.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From netfilter@linuxace.com  2006-07-15 18:38 MET
-------
Jurgen: you are behind a box which doesn't understand the SACK option.  From
your trace:

02:52:32.237095 IP 134.76.88.65.11064 > 84.132.150.225.32805: P
237274514:237275954(1440) ack 372631662 win 181 <nop,nop,timestamp 229942196
2027250>
02:52:32.252981 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237226994
win 32406 <nop,nop,timestamp 2027266 229941849>
02:52:32.303200 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237228434
win 32406 <nop,nop,timestamp 2027314 229941865,nop,nop,sack 1
{1715655389:1715656829}>  <-----------  SACK sequence numbers not adjusted

Whatever device you are behind (upstream) isn't adjusting the SACK sequence
numbers approrpriately.  Unless you control that upstream device, you have only
two options:

- disable TCP window tracking in conntrack in the firewall:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

- disable SACK support on all of your machines behind the firewall:

echo 0 > /proc/sys/net/ipv4/tcp_sack

Joerg: awaiting example from a non-braindead site.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From netfilter@linuxace.com  2006-07-15 18:38 MET
-------
Jurgen: you are behind a box which doesn't understand the SACK option.  From
your trace:

02:52:32.237095 IP 134.76.88.65.11064 > 84.132.150.225.32805: P
237274514:237275954(1440) ack 372631662 win 181 <nop,nop,timestamp 229942196
2027250>
02:52:32.252981 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237226994
win 32406 <nop,nop,timestamp 2027266 229941849>
02:52:32.303200 IP 84.132.150.225.32805 > 134.76.88.65.11064: . ack 237228434
win 32406 <nop,nop,timestamp 2027314 229941865,nop,nop,sack 1
{1715655389:1715656829}>  <-----------  SACK sequence numbers not adjusted

Whatever device you are behind (upstream) isn't adjusting the SACK sequence
numbers approrpriately.  Unless you control that upstream device, you have only
two options:

- disable TCP window tracking in conntrack in the firewall:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

- disable SACK support on all of your machines behind the firewall:

echo 0 > /proc/sys/net/ipv4/tcp_sack

Joerg: awaiting example from a non-braindead site.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From holm@theorie.physik.uni-goettingen.de 
2006-07-16 11:55 MET -------
(In reply to comment #27)
> Jurgen: you are behind a box which doesn't understand the SACK option.
- My Siemens Gigaset DSL Router with linux 2.4.17 ??
- German telecom ??
> .. 
> - disable TCP window tracking in conntrack in the firewall:
> 
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
That's it!

So, this is the bug: no documntations at all in /usr/src/linux/Documentation
This is important, because of the the change in behavior from 2.6.8.1 to new
kernels.

According to
http://lists.netfilter.org/pipermail/netfilter-devel/2005-September/021438.html
you run into the same trouble with e.g. intel's "Premier" service
download
servers (Microsoft IIS)

So, ip_conntrack_tcp_be_liberal should default to 1

jh

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From holm@theorie.physik.uni-goettingen.de 
2006-07-16 11:55 MET -------
(In reply to comment #27)
> Jurgen: you are behind a box which doesn't understand the SACK option.
- My Siemens Gigaset DSL Router with linux 2.4.17 ??
- German telecom ??
> .. 
> - disable TCP window tracking in conntrack in the firewall:
> 
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
That's it!

So, this is the bug: no documntations at all in /usr/src/linux/Documentation
This is important, because of the the change in behavior from 2.6.8.1 to new
kernels.

According to
http://lists.netfilter.org/pipermail/netfilter-devel/2005-September/021438.html
you run into the same trouble with e.g. intel's "Premier" service
download
servers (Microsoft IIS)

So, ip_conntrack_tcp_be_liberal should default to 1

jh

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From holm@theorie.physik.uni-goettingen.de 
2006-07-16 11:55 MET -------
(In reply to comment #27)
> Jurgen: you are behind a box which doesn't understand the SACK option.
- My Siemens Gigaset DSL Router with linux 2.4.17 ??
- German telecom ??
> .. 
> - disable TCP window tracking in conntrack in the firewall:
> 
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
That's it!

So, this is the bug: no documntations at all in /usr/src/linux/Documentation
This is important, because of the the change in behavior from 2.6.8.1 to new
kernels.

According to
http://lists.netfilter.org/pipermail/netfilter-devel/2005-September/021438.html
you run into the same trouble with e.g. intel's "Premier" service
download
servers (Microsoft IIS)

So, ip_conntrack_tcp_be_liberal should default to 1

jh

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From netfilter@linuxace.com  2006-07-16 18:53 MET
-------
(In reply to comment #28)
> So, ip_conntrack_tcp_be_liberal should default to 1
No, it should be 1 only if you are behind broken routers or firewalls.  Most of
the world is not, and enabling TCP window tracking by default is a good security
measure.  I'm afraid this will not change.


-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From netfilter@linuxace.com  2006-07-16 18:53 MET
-------
(In reply to comment #28)
> So, ip_conntrack_tcp_be_liberal should default to 1
No, it should be 1 only if you are behind broken routers or firewalls.  Most of
the world is not, and enabling TCP window tracking by default is a good security
measure.  I'm afraid this will not change.


-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From netfilter@linuxace.com  2006-07-16 18:53 MET
-------
(In reply to comment #28)
> So, ip_conntrack_tcp_be_liberal should default to 1
No, it should be 1 only if you are behind broken routers or firewalls.  Most of
the world is not, and enabling TCP window tracking by default is a good security
measure.  I'm afraid this will not change.


-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464


netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From netfilter@linuxace.com  2006-07-26 03:50 MET
-------
Joerg: when you are able to find a valid, reproducable problem, please open a
NEW bugzilla entry with the details.  All the data on this bug entry has thus
far proven to be unreliable.  

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464


netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From netfilter@linuxace.com  2006-07-26 03:50 MET
-------
Joerg: when you are able to find a valid, reproducable problem, please open a
NEW bugzilla entry with the details.  All the data on this bug entry has thus
far proven to be unreliable.  

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464


netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From netfilter@linuxace.com  2006-07-26 03:50 MET
-------
Joerg: when you are able to find a valid, reproducable problem, please open a
NEW bugzilla entry with the details.  All the data on this bug entry has thus
far proven to be unreliable.  

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From joerg@dorchain.net  2006-07-26 10:08 MET
-------
(In reply to comment #30)
> Joerg: when you are able to find a valid, reproducable problem, please open
a
> NEW bugzilla entry with the details.  All the data on this bug entry has
thus
> far proven to be unreliable.  
Will do. ATM I am in a new project and have not much time until things settled a
bit.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From joerg@dorchain.net  2006-07-26 10:08 MET
-------
(In reply to comment #30)
> Joerg: when you are able to find a valid, reproducable problem, please open
a
> NEW bugzilla entry with the details.  All the data on this bug entry has
thus
> far proven to be unreliable.  
Will do. ATM I am in a new project and have not much time until things settled a
bit.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From joerg@dorchain.net  2006-07-26 10:08 MET
-------
(In reply to comment #30)
> Joerg: when you are able to find a valid, reproducable problem, please open
a
> NEW bugzilla entry with the details.  All the data on this bug entry has
thus
> far proven to be unreliable.  
Will do. ATM I am in a new project and have not much time until things settled a
bit.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464





------- Additional Comments From joerg@dorchain.net  2006-07-26 10:08 MET
-------
(In reply to comment #30)
> Joerg: when you are able to find a valid, reproducable problem, please open
a
> NEW bugzilla entry with the details.  All the data on this bug entry has
thus
> far proven to be unreliable.  
Will do. ATM I am in a new project and have not much time until things settled a
bit.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.