From: Andy Smith <andy@strugglers.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter@lists.netfilter.org
Subject: Re: Why does this connection stop being tracked?
Date: Wed, 15 Jun 2005 11:30:45 +0000
Message-ID: <20050615113045.GF754@strugglers.net>
In-Reply-To: <Pine.LNX.4.58.0506151312470.27260@blackhole.kfki.hu>
Thanks Jozsef for looking at this.
On Wed, Jun 15, 2005 at 01:18:38PM +0200, Jozsef Kadlecsik wrote:
> On Tue, 14 Jun 2005, Andy Smith wrote:
>
> > In dom0 I have iptables running, with the eb-nf support of linux
> > 2.6.11 and the physdev module loaded so that I can match traffic
> > coming in to each of my user domains.
> [...]
> > Now, I have noticed that while this works most of the time, for
> > reasons unknown to me, some TCP connections just seem to stop being
> > tracked and hit the DROP rule. Even though they have been tracked
> > fine for several hours. This happens on every user domain to all
> > kinds of TCP connections, but I have pared the ruleset down to just
> > the one domain (strugglers.net) and SSH to demonstrate.
>
> You have two choices: either disable TCP SACK support on all your
> real/virtual machines behind your firewall, or upgrade the kernel on the
> firewall.
Do you have any instructions or a pointer to documentation on how to
temporarily disable SACK? If it was a /proc setting that would be
ideal; I don't really want to have to recompile kernels though.
> There is a SACK related bug in netfilter connection tracking in
> 2.6.11 (and below). According to the dumped traffic your connections
> suffer from packet losses,
Interesting; this may explain why I only notice this when I'm coming
from 82.44.131.131 - its network is kind of sucky. :)
> SACK kicks in and conntrack screws up tracking
> the given TCP connections. (Sorry, I can't recall at which rc release was
> the fix submitted in.)
How sure are you that this is the problem I am seeing?
Thanks again for your help.
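An added example, not part of this thread or of netfilter's own code: a small POSIX shell helper that checks whether a firewall's kernel falls in the range Jozsef names as affected (2.6.11 and below) and shows the /proc knob for the SACK workaround. It assumes the `net.ipv4.tcp_sack` sysctl (a real Linux setting) and treats anything newer than 2.6.11 as fixed, which the thread does not confirm.

```shell
#!/bin/sh
# Added example (not from the thread). Decide whether a kernel version is
# in the range the thread names as affected by the conntrack SACK bug.
# Assumption: anything newer than 2.6.11 carries the fix; -rc kernels are
# compared by their base number, since the thread does not say which rc
# release took the fix.

# kernel_needs_sack_workaround "2.6.11"   -> exit 0 (affected range)
# kernel_needs_sack_workaround "2.6.12"   -> exit 1 (newer than 2.6.11)
kernel_needs_sack_workaround() {
    ver=${1%%-*}                       # drop "-xen", "-rc2", "-generic" suffixes
    major=$(echo "$ver" | cut -d. -f1)
    minor=$(echo "$ver" | cut -d. -f2)
    patch=$(echo "$ver" | cut -d. -f3)
    patch=${patch:-0}                  # "2.6" has no third field
    # collapse to one integer so 2.6.11 -> 2006011 and compare against it
    [ $(( major * 1000000 + minor * 1000 + patch )) -le 2006011 ]
}

# Current SACK setting on this host (read-only): 1 = enabled (kernel default)
sack_enabled() {
    sysctl -n net.ipv4.tcp_sack 2>/dev/null || cat /proc/sys/net/ipv4/tcp_sack
}

# Temporary workaround (lost at reboot, no rebuild needed). Run it on the
# hosts *behind* the firewall, as the thread suggests: SACK is only used
# when both peers negotiate it, so turning it off on the domU side is
# enough for that domU's connections.
disable_sack_until_reboot() {
    sysctl -w net.ipv4.tcp_sack=0
}

# Report for the running kernel when executed on a Linux host
running=$(uname -r)
if kernel_needs_sack_workaround "$running"; then
    echo "kernel $running: in the range the thread names as affected"
else
    echo "kernel $running: newer than 2.6.11"
fi
[ -r /proc/sys/net/ipv4/tcp_sack ] && echo "net.ipv4.tcp_sack is currently $(sack_enabled)"
```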