From: "Dâniel Fraga" <fragabr@gmail.com>
To: "Ilpo Järvinen" <ilpo.jarvinen@helsinki.fi>
Cc: David Miller <davem@davemloft.net>,
thomas.jarosch@intra2net.com, billfink@mindspring.com,
Netdev <netdev@vger.kernel.org>, Patrick Hardy <kaber@trash.net>,
sr@securenet.de, netfilter-devel@vger.kernel.org,
kadlec@blackhole.kfki.hu
Subject: Re: [PATCH] tcp FRTO: in-order-only "TCP proxy" fragility workaround
Date: Tue, 19 Aug 2008 21:34:17 -0300
Message-ID: <20080819213417.45133573@tux>
In-Reply-To: <Pine.LNX.4.64.0808181042290.23854@wrl-59.cs.helsinki.fi>
On Tue, 19 Aug 2008 13:38:35 +0300 (EEST)
"Ilpo Järvinen" <ilpo.jarvinen@helsinki.fi> wrote:
> Perhaps, though it's not at all clear how it could do that...
I was thinking here of some specific configuration I use.
For example, I always used the wonder shaper htb script:
http://lartc.org/howto/lartc.cookbook.ultimate-tc.html#AEN2241
Could HTB mess with frto or cause this problem? Would it be
useful to disable completely HTB and use just the default scheduler?
> Do you have net namespaces enabled CONFIG_NET_NS in .config?
I couldn't find this specific option:
fraga@tux /usr/src/linux$ grep CONFIG_NET_NS .config
fraga@tux /usr/src/linux$
But I have those:
fraga@tux /usr/src/linux$ grep CONFIG_NET_ .config
# CONFIG_NET_KEY is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
CONFIG_NET_SCHED=y
# CONFIG_NET_SCH_CBQ is not set
CONFIG_NET_SCH_HTB=m
# CONFIG_NET_SCH_HFSC is not set
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
# CONFIG_NET_SCH_TEQL is not set
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
# CONFIG_NET_SCH_NETEM is not set
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_CLS=y
# CONFIG_NET_CLS_BASIC is not set
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_NET_CLS_RSVP=m
# CONFIG_NET_CLS_RSVP6 is not set
# CONFIG_NET_CLS_FLOW is not set
# CONFIG_NET_EMATCH is not set
CONFIG_NET_CLS_ACT=y
CONFIG_NET_ACT_POLICE=y
# CONFIG_NET_ACT_GACT is not set
# CONFIG_NET_ACT_MIRRED is not set
# CONFIG_NET_ACT_IPT is not set
# CONFIG_NET_ACT_NAT is not set
# CONFIG_NET_ACT_PEDIT is not set
# CONFIG_NET_ACT_SIMP is not set
# CONFIG_NET_CLS_IND is not set
CONFIG_NET_SCH_FIFO=y
# CONFIG_NET_PKTGEN is not set
# CONFIG_NET_9P is not set
# CONFIG_NET_SB1000 is not set
CONFIG_NET_ETHERNET=y
# CONFIG_NET_VENDOR_3COM is not set
# CONFIG_NET_TULIP is not set
CONFIG_NET_PCI=y
# CONFIG_NET_POCKET is not set
# CONFIG_NET_FC is not set
# CONFIG_NET_POLL_CONTROLLER is not set
And that:
fraga@tux /usr/src/linux$ grep NAMESPACE .config
CONFIG_NAMESPACES=y
but this one, I think, isn't related to what you asked me.
> Any netfilter (iptables) rules on server which could cause those packets
> to not reach TCP layer?
Here are the complete rules:
# Generated by iptables-save v1.3.8 on Tue Aug 19 21:28:12 2008
*filter
:INPUT DROP [627:34387]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [58771289:83128359870]
:DROP_INPUT - [0:0]
:FLDR - [0:0]
:LDR - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP_INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,21,25,53,119,443,873,993,995
-A INPUT -s 192.168.102.1 -p tcp -m tcp --dport 3493 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 1194:1196 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LDR
-A FORWARD -j FLDR
-A DROP_INPUT -s 216.201.112.111 -m comment --comment "deborahsafe Spam" -j DROP
-A DROP_INPUT -s 200.49.247.241 -p tcp -m tcp --dport 22 -j DROP
-A DROP_INPUT -s 189.70.204.3 -p tcp -m tcp --dport 21 -j DROP
-A DROP_INPUT -s 189.70.204.3 -p tcp -m tcp --dport 21 -j DROP
-A DROP_INPUT -s 189.70.204.3 -p tcp -m tcp --dport 21 -j DROP
-A FLDR -j LOG --log-prefix "DROP [FORWARD]: " --log-level 6 --log-ip-options
-A FLDR -j DROP
-A LDR -j LOG --log-prefix "DROP [INPUT]: " --log-level 6 --log-ip-options
-A LDR -j DROP
COMMIT
# Completed on Tue Aug 19 21:28:13 2008
As you can see, it's a pretty simple set of rules, nothing exotic here.
> MIBs might give some clue why those segments didn't get accepted. Most
> interesting ones are PAWSEstab, TCPAbortOnSyn and InErrs. One can use
> /bin/cut to read those from the one-line files if one wants to (however,
> I attached a script which transposes them to get them somewhat
> human-readable). Also having the /proc/net/tcp output from the server
> while stalling would be (have been) useful to reveal state info (but I
> should have remembered to ask you to run it on both of them :-)).
Ok ;) No problem, when I get the problem, I'll provide you the requested
information.
> Also, I wonder what that [|tcp] hides, e.g., "<nop,nop,timestamp
> 15980976 70381399,nop,nop,[|tcp]>" in tcpdump (and that was for an ACK
> which doesn't make too much sense to me there). It occurs because
> snaplen which was given for tcpdump is small enough to make TCP header
> partial.
Hmmm, I don't know. This is complex to me, but I'll apply your script.
Thank you!
--
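The transposition described in the quoted text above, as an added example that is not the script attached in the thread and not part of the original message: a shell function that turns the paired name/value lines of /proc/net/snmp and /proc/net/netstat into one counter per line, so PAWSEstab, TCPAbortOnSyn and InErrs can be read directly. The function names and the sample counters are constructed for illustration.

```shell
#!/bin/sh
# Added example: transpose the paired header/value lines used by
# /proc/net/snmp and /proc/net/netstat into "Group.Counter value" rows.

# transpose_mib: read MIB text on stdin, print one counter per line.
transpose_mib() {
    awk '
        # Lines come in pairs sharing a "Group:" prefix: names, then values.
        $1 == prev_group && have_names {
            if (NF != n) {
                # Names and values must line up, otherwise columns would shift.
                printf("%s field count mismatch\n", $1) > "/dev/stderr"
                bad = 1
            } else {
                group = $1; sub(/:$/, "", group)
                for (i = 2; i <= NF; i++)
                    printf "%s.%s %s\n", group, name[i], $i
            }
            have_names = 0
            next
        }
        {
            # Header line: remember the counter names for the next line.
            prev_group = $1; n = NF; have_names = 1
            for (i = 2; i <= NF; i++) name[i] = $i
        }
        END { exit bad }
    '
}

# mib_value NAME: print one counter (e.g. TcpExt.PAWSEstab); fails if absent.
mib_value() {
    transpose_mib | awk -v want="$1" \
        '$1 == want { print $2; found = 1 } END { exit !found }'
}

# Constructed sample in the kernel's file format (not data from the thread).
sample_mib() {
    cat <<'EOF'
Tcp: RtoAlgorithm ActiveOpens InErrs OutRsts
Tcp: 1 4821 3 117
TcpExt: PAWSEstab TCPAbortOnSyn TCPTimeouts
TcpExt: 12 0 458
EOF
}

sample_mib | transpose_mib
```

On a live Linux host the same function reads the real files: cat /proc/net/snmp /proc/net/netstat | transpose_mib. Taking one snapshot before and one during a stall and diffing them shows which counters moved.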