On Sun, 27 Jan 2008, Zan Lynx wrote:
Please CC me on any replies as I am not subscribed.
I was downloading a new Google Earth when I noticed a LOT of max-size dropped
packets in my firewall log. I only allow RELATED,ESTABLISHED sessions into
my firewall.
tcpdump showed that every time Google sent a packet to satisfy the missing
data identified by SACK, that packet was rejected. So it must have been
missing the ESTABLISHED rule.
I fixed the problem by adding an ALLOW source port 80 rule for the Google
download site IP.
This makes me wonder how often this has happened and I haven't noticed it.
Is this a known bug or something new?
Which kernel version?
Most likely there is a broken box along the path that mangles seq numbers
but forgets about sacks. Could you please provide a dump:
"tcpdump -v -S host (...)"?
As a short-term workaround you may disable net.ipv4.tcp_sack or use
TCPOPTSTRIP to strip SackOK advertisement to the host.
Best regards,
Krzysztof Oledzki
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html