From: Florian Westphal <fw@strlen.de>
To: "Bjørnar Ness" <bjornar.ness@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: "random" syn packets dropped
Date: Tue, 8 Nov 2016 15:08:57 +0100
Message-ID: <20161108140857.GE24908@breakpoint.cc>
In-Reply-To: <CAJO99TnMCZdROCNV9-3xcURbGZVw7X-wKwf-vkUc5Lc3R_QT9A@mail.gmail.com>

Bjørnar Ness <bjornar.ness@gmail.com> wrote:
> I am not sure if this is nftables related, but I post this issue here,
> and see if any of you can come up with a clue to what might be
> going on here.
>
> Problem description:
>
> When I create multiple tcp connections from the same client to
> multiple dst hosts at the same time, the n'th syn packet is just
> discarded by "something" in the kernel.
>
> If I reorder the list of dst hosts, a different dst host will hang in SYN_SENT
> on the client. This setup has been running for about a month, and we have
> no changes that can explain this behavior.
>
> What I am seeing on the firewall running kernel 4.8.1 is the following:
>
> * the syn packet enters through the eth1.700 interface (tcpdump)
> * nft trace monitoring shows the packet being accepted on eth1.300 in
> postrouting.
> * tcpdump on the eth1.300 interface does not show the packet.
> * rp_filter etc should not be kicking in here, (and also, "random"
> hosts are dropped)
> * conntrack table is not full
> * this issue seems to have suddenly appeared, is this a known bug?

No.

> * hint? All connections from the client are established from the same
> source port.

Can you show conntrack -S output?
Is nat in use?
Does 'perf script net_dropmonitor' show anything?

Thanks.
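
A single `conntrack -S` dump only shows totals since boot, so it is more useful to compare a snapshot taken before reproducing the hang with one taken after. The sketch below is an added example, not part of the original message or of any netfilter tool: it sums the per-CPU counters and reports which ones moved. The two snapshots are constructed sample data, and the parser assumes the `cpu=N key=value ...` line layout.

```python
import re
import subprocess

# Constructed sample snapshots (values invented for illustration),
# standing in for `conntrack -S` output before and after a reproduction.
BEFORE = """\
cpu=0 found=12 invalid=40 ignore=900 insert=0 insert_failed=3 drop=3 early_drop=0 error=0 search_restart=7
cpu=1 found=9 invalid=35 ignore=870 insert=0 insert_failed=1 drop=1 early_drop=0 error=0 search_restart=2
"""
AFTER = """\
cpu=0 found=12 invalid=40 ignore=905 insert=0 insert_failed=5 drop=5 early_drop=0 error=0 search_restart=7
cpu=1 found=9 invalid=35 ignore=872 insert=0 insert_failed=2 drop=2 early_drop=0 error=0 search_restart=2
"""


def parse_stats(text):
    """Sum every key=value counter across the per-CPU lines."""
    totals = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("cpu="):
            continue  # skip blank lines or anything that is not a stats row
        for key, value in re.findall(r"(\w+)=(\d+)", line):
            if key != "cpu":
                totals[key] = totals.get(key, 0) + int(value)
    return totals


def counter_deltas(before, after):
    """Return {counter: increase} for counters that changed between snapshots."""
    b, a = parse_stats(before), parse_stats(after)
    return {k: a[k] - b.get(k, 0) for k in a if a[k] != b.get(k, 0)}


def live_snapshot():
    """Take a real snapshot; needs the conntrack tool and root privileges."""
    return subprocess.run(["conntrack", "-S"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # With the constructed data; swap in live_snapshot() around a real test.
    for name, delta in sorted(counter_deltas(BEFORE, AFTER).items()):
        print(f"{name:>16} +{delta}")
```
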