Jozsef Kadlecsik wrote:
> On Wed, 1 Dec 2004, Ludwig Nussel wrote:
> > With TCP window tracking those rules no longer work for services
> > that use fixed ports (e.g. NFS) and one side crashes or terminates
> > the connection in other ways without notifying the peer (e.g. link
> > down). When the crashed machine comes up again and tries to
> > reestablish the connection it sends a SYN. The remote end finds that
> > confusing and replies with an ACK as probe. Since that ACK does not
> > fit any window it's discarded as INVALID.
>
> The remote end must send an ACK segment which is in the window (see
> RFC793, p68), thus the window tracking code could let it through.

My description probably wasn't unambiguous. The client has the packet filter, crashes and reboots. The server does not notice and just sees an out-of-sequence SYN for an existing connection (same IP/port). The server responds with an ACK which contains the sequence numbers it expects for that connection (p36 in the above-cited RFC). On the client side this ACK does not belong to the SYN it sent and is discarded, whereas it should be answered with RST.

> > The remote side can now
> > sit there forever sending ACKs and no new connection can be
> > established. Previously, without window tracking, the ACK was
> > accepted and answered with RST, the remote closed the connection and
> > a new one could be established.
> >
> > Is there a way to disable the window tracking and revert to the old
> > behavior?
>
> Yes, you can disable it anytime:
>
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

Doesn't help.

> But a full tcpdump from such a session and the log entries on the
> invalid packets would be useful for us to recheck the code.

tcpdump file attached. 192.168.42.1 is the server and 192.168.42.2 the client with the packet filter.
The log of a dropped ACK packet looks like this:

SRC=192.168.42.1 DST=192.168.42.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26022 DF PROTO=TCP SPT=9999 DPT=8888 WINDOW=1448 RES=0x00 ACK URGP=0 OPT (0101080A015EB588FFFD6ED1)

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
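The exchange Ludwig describes is the half-open connection recovery of RFC 793 (Figure 10, p36; the SYN-SENT rule on p66). The following is an added illustration, not code from this thread or from netfilter: it models both endpoints with the sequence numbers RFC 793 uses in that figure, and puts a deliberately simplified stateful filter in front of the rebooted client. The `Filter` class is an assumption about the effect the mail reports (an ACK in SYN_SENT that does not acknowledge the client's SYN is judged INVALID), not a reimplementation of ip_conntrack's window tracking; the class and function names are hypothetical.

```python
"""Added illustration: RFC 793 half-open recovery behind a stateful filter.

Not netfilter code. The filter model is a simplification (assumption) of
the behaviour described in the mail: strict=True drops an ACK in SYN_SENT
that does not acknowledge our SYN, strict=False passes any ACK on the tuple.
"""
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass(frozen=True)
class Seg:
    """One TCP segment, reduced to the fields the scenario needs."""
    src: str
    seq: int
    ack: int
    flags: frozenset


class Server:
    """192.168.42.1: still holds the old connection in ESTABLISHED."""

    def __init__(self, snd_nxt, rcv_nxt):
        self.state, self.snd_nxt, self.rcv_nxt = "ESTABLISHED", snd_nxt, rcv_nxt
        self.sent = []

    def send(self, seq, ack, flags):
        seg = Seg("server", seq, ack, frozenset(flags))
        self.sent.append(seg)
        return seg

    def recv(self, s):
        if self.state == "ESTABLISHED":
            if RST in s.flags:
                # A RST at the expected sequence number aborts the connection.
                if s.seq == self.rcv_nxt:
                    self.state = "CLOSED"
            elif SYN in s.flags:
                # SYN on an existing connection: answer with an ACK carrying the
                # numbers we expect (RFC 793 Figure 10, line 3). This is the "probe".
                return self.send(self.snd_nxt, self.rcv_nxt, {ACK})
        elif self.state == "CLOSED" and SYN in s.flags:
            # Old connection gone: ordinary handshake.
            self.state, self.rcv_nxt = "SYN_RECEIVED", s.seq + 1
            return self.send(self.snd_nxt, self.rcv_nxt, {SYN, ACK})
        elif self.state == "SYN_RECEIVED" and ACK in s.flags and s.ack == self.snd_nxt + 1:
            self.state = "ESTABLISHED"
        return None


class Client:
    """192.168.42.2 after the reboot: knows nothing about the old connection."""

    def __init__(self, iss):
        self.state, self.iss, self.sent = "SYN_SENT", iss, []

    def send(self, seq, ack, flags):
        seg = Seg("client", seq, ack, frozenset(flags))
        self.sent.append(seg)
        return seg

    def connect(self):
        return self.send(self.iss, 0, {SYN})

    def recv(self, s):
        if self.state != "SYN_SENT" or ACK not in s.flags:
            return None
        if s.ack <= self.iss or s.ack > self.iss + 1:
            # Unacceptable ACK in SYN-SENT: reply <SEQ=SEG.ACK><CTL=RST> (RFC 793 p66).
            return self.send(s.ack, 0, {RST})
        if SYN in s.flags:
            self.state = "ESTABLISHED"
            return self.send(self.iss + 1, s.seq + 1, {ACK})
        return None


class Filter:
    """Simplified stateful filter on the client side (assumption, see docstring)."""

    def __init__(self, strict):
        self.strict, self.entry, self.verdicts = strict, None, []

    def outbound(self, s):
        if SYN in s.flags:
            self.entry = {"state": "SYN_SENT", "iss": s.seq}

    def inbound(self, s):
        ok = True
        if self.strict and self.entry and self.entry["state"] == "SYN_SENT":
            # Window tracking: in SYN_SENT only a reply acknowledging our SYN fits.
            ok = s.ack == self.entry["iss"] + 1
        self.verdicts.append("ACCEPT" if ok else "INVALID")
        return ok


def run(strict, max_rounds=3):
    """Drive the exchange; each round is one SYN (re)transmission by the client."""
    srv, cli, fw, log = Server(snd_nxt=300, rcv_nxt=100), Client(iss=400), Filter(strict), []
    for _ in range(max_rounds):
        seg = cli.connect()
        fw.outbound(seg)
        log.append(seg)
        reply = srv.recv(seg)
        while reply is not None:
            log.append(reply)
            if not fw.inbound(reply):
                break                      # dropped: the client never sees the probe
            out = cli.recv(reply)
            if out is None:
                break
            fw.outbound(out)
            log.append(out)
            reply = srv.recv(out)
        if cli.state == "ESTABLISHED":
            break
    return {"server_state": srv.state, "client_state": cli.state,
            "rst_sent": any(RST in s.flags for s in cli.sent),
            "verdicts": fw.verdicts, "log": log}


if __name__ == "__main__":
    for strict in (True, False):
        r = run(strict)
        print(f"strict={strict}: client={r['client_state']} server={r['server_state']} "
              f"rst_sent={r['rst_sent']} verdicts={r['verdicts']}")
```

With `strict=True` every probe ACK is dropped before the client's TCP stack can answer it, so no RST is ever sent, the server stays ESTABLISHED and the client never leaves SYN_SENT; with `strict=False` the first ACK reaches the stack, the RST tears down the stale connection and the retransmitted SYN completes a fresh handshake. Note that the kernel log line quoted above carries no sequence or acknowledgment numbers; the `LOG` target only includes them when given `--log-tcp-sequence`, which is the one piece of data needed to confirm that the dropped ACK is exactly the line-3 probe of Figure 10.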