From: Pierre Ossman <drzeus-list@drzeus.cx>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter@lists.netfilter.org
Subject: Re: Out of window filter catches too much
Date: Wed, 02 Mar 2005 08:59:05 +0100
Message-ID: <42257249.8050101@drzeus.cx>
In-Reply-To: <Pine.LNX.4.58.0503010938320.14280@blackhole.kfki.hu>

Jozsef Kadlecsik wrote:

>Hi,
>
>On Sat, 26 Feb 2005, Pierre Ossman wrote:
>
>>Since there are only Linux machines involved here this must be a kernel
>>bug. Either in the TCP layer or in netfilter's detection. Here is a dump
>>from the router when it starts throwing away packets:
>>
>>ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver)
>>IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64
>>ID=10234 DF PROTO=TCP SPT=3851 DPT=873 SEQ=2763580423 ACK=299956256
>>WINDOW=95 RES=0x00 ACK URGP=0 OPT (0101080AC4C2FDE77E1D58C1)
>>ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver)
>
>On Mon, 21 Feb 2005 I posted a patch to netfilter-devel which addresses
>this and other issues in TCP window tracking. Please try the patch.

I assume you meant:
https://lists.netfilter.org/pipermail/netfilter-devel/2005-February/018598.html

I've tried the patch and it seems to keep it from dropping the ACKs 
which is enough to keep the connection going. I still get some errors 
the other way though:

Mar  2 01:36:22 prometheus kernel: ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=52959 DF PROTO=TCP SPT=1053 DPT=873 SEQ=3991302411 ACK=1391445765 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080AD974090C92CE1415)
Mar  2 01:36:24 prometheus kernel: ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=53577 DF PROTO=TCP SPT=1053 DPT=873 SEQ=3991735363 ACK=1391446225 WINDOW=0 RES=0x00 ACK URGP=0 OPT (0101080AD974111492CE1C1D)
Mar  2 01:37:55 prometheus kernel: ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=5615 DF PROTO=TCP SPT=1053 DPT=873 SEQ=4004321678 ACK=1391476149 WINDOW=74 RES=0x00 ACK URGP=0 OPT (0101080AD97576E992CF81EC)
Mar  2 01:37:55 prometheus kernel: ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=5617 DF PROTO=TCP SPT=1053 DPT=873 SEQ=4004323126 ACK=1391476149 WINDOW=74 RES=0x00 ACK URGP=0 OPT (0101080AD97576E992CF81EC)
Mar  2 01:37:55 prometheus kernel: ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=5619 DF PROTO=TCP SPT=1053 DPT=873 SEQ=4004324574 ACK=1391476149 WINDOW=74 RES=0x00 ACK URGP=0 OPT (0101080AD97576E992CF81EC)
Mar  2 01:37:55 prometheus kernel: ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=5621 DF PROTO=TCP SPT=1053 DPT=873 SEQ=4004326022 ACK=1391476149 WINDOW=74 RES=0x00 ACK URGP=0 OPT (0101080AD97576E992CF81EC)
Mar  2 01:37:55 prometheus kernel: ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=5623 DF PROTO=TCP SPT=1053 DPT=873 SEQ=4004327470 ACK=1391476149 WINDOW=74 RES=0x00 ACK URGP=0 OPT (0101080AD97576E992CF81EC)

Rgds
Pierre
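
Added example, not part of the message above and not netfilter code: a small Python parser for the ip_ct_tcp LOG entries quoted in it, which decodes the TCP option blob and checks whether the flagged segments follow each other in sequence space. The function names are hypothetical, and the payload size assumes a 20-byte IPv4 header without IP options.

```python
import re
import struct

# Three entries copied from the message above, re-joined one per line.
SAMPLE = """\
Mar  2 01:37:55 prometheus kernel: ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=5615 DF PROTO=TCP SPT=1053 DPT=873 SEQ=4004321678 ACK=1391476149 WINDOW=74 RES=0x00 ACK URGP=0 OPT (0101080AD97576E992CF81EC)
Mar  2 01:37:55 prometheus kernel: ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=5617 DF PROTO=TCP SPT=1053 DPT=873 SEQ=4004323126 ACK=1391476149 WINDOW=74 RES=0x00 ACK URGP=0 OPT (0101080AD97576E992CF81EC)
Mar  2 01:37:55 prometheus kernel: ip_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=10.8.0.24 DST=10.8.5.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=5619 DF PROTO=TCP SPT=1053 DPT=873 SEQ=4004324574 ACK=1391476149 WINDOW=74 RES=0x00 ACK URGP=0 OPT (0101080AD97576E992CF81EC)
"""
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")
OPTS = re.compile(r"OPT \(([0-9A-Fa-f]+)\)")
HDRS = 40  # assumption: 20-byte IPv4 header (no IP options) + 20-byte fixed TCP header

def decode_options(hexstr):
    """Return (option byte count, {kind: value}) for a TCP option blob."""
    raw, opts, i = bytes.fromhex(hexstr), {}, 0
    while i < len(raw) and raw[i] != 0:          # kind 0 = end of option list
        if raw[i] == 1:                          # kind 1 = NOP padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            break                                # truncated or malformed option
        opts[raw[i]] = raw[i + 2:i + raw[i + 1]]
        i += raw[i + 1]
    return len(raw), opts

def parse_log(text):
    """Parse ip_ct_tcp LOG lines into one record per logged segment."""
    recs = []
    for line in (l for l in text.splitlines() if "ip_ct_tcp:" in l):
        f = dict(FIELD.findall(line))            # IN= and OUT= are empty and skipped
        m = OPTS.search(line)
        optlen, opts = decode_options(m.group(1)) if m else (0, {})
        seq, payload = int(f["SEQ"]), int(f["LEN"]) - HDRS - optlen
        rec = {"flow": (f["SRC"], f["SPT"], f["DST"], f["DPT"]), "seq": seq,
               "payload": payload, "end": (seq + payload) & 0xFFFFFFFF}
        if len(opts.get(8, b"")) == 8:           # kind 8 = TCP timestamps
            rec["tsval"], rec["tsecr"] = struct.unpack("!II", opts[8])
        recs.append(rec)
    return recs

def contiguous(recs):
    """Count records that start exactly where the previous one on the flow ended."""
    last, n = {}, 0
    for r in recs:
        n += last.get(r["flow"]) == r["seq"]
        last[r["flow"]] = r["end"]
    return n
```

On the 01:37:55 entries this shows each logged packet carrying 1448 bytes of payload and starting exactly where the previous logged packet ended.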


