ip_conntrack fails to track Windows Vista TCP connection

ip_conntrack fails to track Windows Vista TCP connection

[Fischer, Anna]

I am trying to track (and NAT) a TCP connection to a Windows Vista machine using ip_conntrack. However, Vista uses the Nagle algorithm combined with the TCP Delayed ACK mechanism which does not ACK every single packet, and it seems as if the connection tracking module has problems with this. Basically it fails to recognize Delayed ACK packets, and as these are not picked up by the connection tracking module, my NAT function does not work and so packets are not delivered properly because they are not rewritten by ip_nat. I am certain that the problem is the Vista TCP stack and its mechanisms as when I configure my Windows Vista machine with Nagle = off and TCPNODelay = 1, then actually connection tracking works fine. Also, all connections with Linux machines are tracked properly.

Is this a known issue?

Thanks,
Anna

Re: ip_conntrack fails to track Windows Vista TCP connection

[Patrick McHardy]

Fischer, Anna wrote:
> I am trying to track (and NAT) a TCP connection to a Windows Vista machine using ip_conntrack. However, Vista uses the Nagle algorithm combined with the TCP Delayed ACK mechanism which does not ACK every single packet, and it seems as if the connection tracking module has problems with this. Basically it fails to recognize Delayed ACK packets, and as these are not picked up by the connection tracking module, my NAT function does not work and so packets are not delivered properly because they are not rewritten by ip_nat. I am certain that the problem is the Vista TCP stack and its mechanisms as when I configure my Windows Vista machine with Nagle = off and TCPNODelay = 1, then actually connection tracking works fine. Also, all connections with Linux machines are tracked properly.
>
> Is this a known issue?

You're mentioning ip_conntrack, which is obsoleted for multiple
years now. Which kernel version are you using?

Re: ip_conntrack fails to track Windows Vista TCP connection

[Jan Engelhardt]

On Monday 2010-06-14 18:15, Patrick McHardy wrote:

> Fischer, Anna wrote:
>> I am trying to track (and NAT) a TCP connection to a Windows Vista machine
>> using ip_conntrack. However, Vista uses the Nagle algorithm combined with the
>> TCP Delayed ACK mechanism which does not ACK every single packet, and it seems
>> as if the connection tracking module has problems with this. Basically it
>> fails to recognize Delayed ACK packets, and as these are not picked up by the
>> connection tracking module, my NAT function does not work and so packets are
>> not delivered properly because they are not rewritten by ip_nat. I am certain
>> that the problem is the Vista TCP stack and its mechanisms as when I configure
>> my Windows Vista machine with Nagle = off and TCPNODelay = 1, then actually
>> connection tracking works fine. Also, all connections with Linux machines are
>> tracked properly.
>>
>> Is this a known issue?
>
> You're mentioning ip_conntrack, which is obsoleted for multiple
> years now. Which kernel version are you using?

By definition of ip_conntrack, that must be older than 2.6.20.

RE: ip_conntrack fails to track Windows Vista TCP connection

[Fischer, Anna]

> Subject: Re: ip_conntrack fails to track Windows Vista TCP connection
> 
> On Monday 2010-06-14 18:15, Patrick McHardy wrote:
> 
> > Fischer, Anna wrote:
> >> I am trying to track (and NAT) a TCP connection to a Windows Vista
> machine
> >> using ip_conntrack. However, Vista uses the Nagle algorithm combined
> with the
> >> TCP Delayed ACK mechanism which does not ACK every single packet, and
> it seems
> >> as if the connection tracking module has problems with this.
> Basically it
> >> fails to recognize Delayed ACK packets, and as these are not picked
> up by the
> >> connection tracking module, my NAT function does not work and so
> packets are
> >> not delivered properly because they are not rewritten by ip_nat. I am
> certain
> >> that the problem is the Vista TCP stack and its mechanisms as when I
> configure
> >> my Windows Vista machine with Nagle = off and TCPNODelay = 1, then
> actually
> >> connection tracking works fine. Also, all connections with Linux
> machines are
> >> tracked properly.
> >>
> >> Is this a known issue?
> >
> > You're mentioning ip_conntrack, which is obsoleted for multiple
> > years now. Which kernel version are you using?
> 
> By definition of ip_conntrack, that must be older than 2.6.20.

Yes, this is a 2.6.18 Xen kernel that I am using. Even if it is obsolete, can you let me know if you are aware of such a problem ever having caused any issues? I just want to get a feeling if I am at least roughly on the right track while figuring out what the problem is.

Thanks,
Anna

RE: ip_conntrack fails to track Windows Vista TCP connection

[Jan Engelhardt]

On Monday 2010-06-14 19:34, Fischer, Anna wrote:

>>>> [something about Vista and TCP Delayed ACK]
>>>>
>>>> Is this a known issue?
>>>
>>> You're mentioning ip_conntrack, which is obsoleted for multiple
>>> years now. Which kernel version are you using?
>> 
>> By definition of ip_conntrack, that must be older than 2.6.20.
>
>Yes, this is a 2.6.18 Xen kernel that I am using. Even if it is obsolete, can you let me know if you are aware of such a problem ever having caused any issues? I just want to get a feeling if I am at least roughly on the right track while figuring out what the problem is.

The 2.6.18 has a known problem with DSACK even when both
endpoints are Linux.

RE: ip_conntrack fails to track Windows Vista TCP connection

[Fischer, Anna]

> Subject: RE: ip_conntrack fails to track Windows Vista TCP connection
> 
> 
> On Monday 2010-06-14 19:34, Fischer, Anna wrote:
> 
> >>>> [something about Vista and TCP Delayed ACK]
> >>>>
> >>>> Is this a known issue?
> >>>
> >>> You're mentioning ip_conntrack, which is obsoleted for multiple
> >>> years now. Which kernel version are you using?
> >>
> >> By definition of ip_conntrack, that must be older than 2.6.20.
> >
> >Yes, this is a 2.6.18 Xen kernel that I am using. Even if it is
> obsolete, can you let me know if you are aware of such a problem ever
> having caused any issues? I just want to get a feeling if I am at least
> roughly on the right track while figuring out what the problem is.
> 
> The 2.6.18 has a known problem with DSACK even when both
> endpoints are Linux.

My problem is really very specific to connection tracking and so the problem (bug?) is probably in the ip_conntrack_tcp module. TCP communication actually works fine, also connection tracking on (slow, non-bulk data) TCP traffic works. However, it fails with high throughput connections coming from newer Windows (Vista / 7) machines. If I switch those to TCP_NODELAY then it all works again. 

Re: ip_conntrack fails to track Windows Vista TCP connection

[Narendra Choyal]

How can we make following changes as --
Nagle = off and TCPNODelay = 1

On Mon, Jun 14, 2010 at 11:39 PM, Fischer, Anna <anna.fischer@hp.com> wrote:
>> Subject: RE: ip_conntrack fails to track Windows Vista TCP connection
>>
>>
>> On Monday 2010-06-14 19:34, Fischer, Anna wrote:
>>
>> >>>> [something about Vista and TCP Delayed ACK]
>> >>>>
>> >>>> Is this a known issue?
>> >>>
>> >>> You're mentioning ip_conntrack, which is obsoleted for multiple
>> >>> years now. Which kernel version are you using?
>> >>
>> >> By definition of ip_conntrack, that must be older than 2.6.20.
>> >
>> >Yes, this is a 2.6.18 Xen kernel that I am using. Even if it is
>> obsolete, can you let me know if you are aware of such a problem ever
>> having caused any issues? I just want to get a feeling if I am at least
>> roughly on the right track while figuring out what the problem is.
>>
>> The 2.6.18 has a known problem with DSACK even when both
>> endpoints are Linux.
>
> My problem is really very specific to connection tracking and so the problem (bug?) is probably in the ip_conntrack_tcp module. TCP communication actually works fine, also connection tracking on (slow, non-bulk data) TCP traffic works. However, it fails with high throughput connections coming from newer Windows (Vista / 7) machines. If I switch those to TCP_NODELAY then it all works again.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: ip_conntrack fails to track Windows Vista TCP connection

[Patrick McHardy]

Fischer, Anna wrote:
>>> You're mentioning ip_conntrack, which is obsoleted for multiple
>>> years now. Which kernel version are you using?
>>>       
>> By definition of ip_conntrack, that must be older than 2.6.20.
>>     
>
> Yes, this is a 2.6.18 Xen kernel that I am using. Even if it is obsolete, can you let me know if you are aware of such a problem ever having caused any issues? I just want to get a feeling if I am at least roughly on the right track while figuring out what the problem is.
>   

We've had a couple of problems related to related to
acknowledgement numbers in TCP conntrack, I'd suggest
you check the nf_conntrack_proto_tcp.c changelogs,
basically everything in there should also apply to
the old version.

RE: ip_conntrack fails to track Windows Vista TCP connection

[Fischer, Anna]

> Subject: Re: ip_conntrack fails to track Windows Vista TCP connection
> 
> Fischer, Anna wrote:
> >>> You're mentioning ip_conntrack, which is obsoleted for multiple
> >>> years now. Which kernel version are you using?
> >>>
> >> By definition of ip_conntrack, that must be older than 2.6.20.
> >>
> >
> > Yes, this is a 2.6.18 Xen kernel that I am using. Even if it is
> obsolete, can you let me know if you are aware of such a problem ever
> having caused any issues? I just want to get a feeling if I am at least
> roughly on the right track while figuring out what the problem is.
> >
> 
> We've had a couple of problems related to related to
> acknowledgement numbers in TCP conntrack, I'd suggest
> you check the nf_conntrack_proto_tcp.c changelogs,
> basically everything in there should also apply to
> the old version.

Thanks for your advice. Why would the problem be in nf_conntrack_proto_tcp and not in ip_conntrack_proto_tcp?

Re: ip_conntrack fails to track Windows Vista TCP connection

[Patrick McHardy]

Fischer, Anna wrote:
>> Subject: Re: ip_conntrack fails to track Windows Vista TCP connection
>>
>> Fischer, Anna wrote:
>>     
>>>>> You're mentioning ip_conntrack, which is obsoleted for multiple
>>>>> years now. Which kernel version are you using?
>>>>>
>>>>>           
>>>> By definition of ip_conntrack, that must be older than 2.6.20.
>>>>
>>>>         
>>> Yes, this is a 2.6.18 Xen kernel that I am using. Even if it is
>>>       
>> obsolete, can you let me know if you are aware of such a problem ever
>> having caused any issues? I just want to get a feeling if I am at least
>> roughly on the right track while figuring out what the problem is.
>>     
>> We've had a couple of problems related to related to
>> acknowledgement numbers in TCP conntrack, I'd suggest
>> you check the nf_conntrack_proto_tcp.c changelogs,
>> basically everything in there should also apply to
>> the old version.
>>     
>
> Thanks for your advice. Why would the problem be in nf_conntrack_proto_tcp and not in ip_conntrack_proto_tcp?
>   

Its not of course, but nf_conntrack_proto_tcp is derived from 
ip_conntrack_proto_tcp,
all the bugfixes also apply to ip_conntrack_proto_tcp.

Re: ip_conntrack fails to track Windows Vista TCP connection

[Patrick McHardy]

Patrick McHardy wrote:
> Fischer, Anna wrote:
>>>
>>>     We've had a couple of problems related to related to
>>> acknowledgement numbers in TCP conntrack, I'd suggest
>>> you check the nf_conntrack_proto_tcp.c changelogs,
>>> basically everything in there should also apply to
>>> the old version.
>>>     
>>
>> Thanks for your advice. Why would the problem be in 
>> nf_conntrack_proto_tcp and not in ip_conntrack_proto_tcp?
>>   
>
> Its not of course, but nf_conntrack_proto_tcp is derived from 
> ip_conntrack_proto_tcp,
> all the bugfixes also apply to ip_conntrack_proto_tcp. 

By which I mean all the bugfixes contained in the current kernel.