On Tue, Jul 29, 2008 at 08:13:05AM +0200, Patrick McHardy wrote: > > Thanks for this explanation. Unless Jozsef sees something wrong with this > patch, I'll queue it with a proper changelog. Its small enough, so perhaps > we can even put this in 2.6.27. It killed 95% of the ghosts (if you can do such a thing :) I've tried to determine the cause of the remaining spirits: 1) Zero-window receivers. This is like not acking without actually doing it. So we should treat zero windows in the same way as an unacknowledged packet (with each probe/zero-window extending its life time). 2) We've got a single state for each connection. This doesn't work because each TCP connection really consists of two disparate streams. Their states need to be tracked separately. Otherwise we can for example enter TIME_WAIT when only one direction has been shut down. This then causes the tracked connection to be pruned quickly, after which the other direction may reinstall it in the ESTABLISHED state with a pure ack and it could remain forever should that direction then die. Thanks, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
