Reposted from netfilter:

I am not sure if this is nftables related, but I post this issue here, and see if any of you can come up with a clue to what might be going on here.

Problem description:

When I create multiple tcp connections from the same client to multiple dst hosts at the same time, the n'th syn packet is just discarded by "something" in the kernel. If I reorder the list of dst hosts, a different dst host will hang in SYN_SENT on the client. This setup has been running for about a month, and we have no changes that can explain this behavior.

What I am seeing on the firewall running kernel 4.8.1 is the following:

* the syn packet enters through the eth1.700 interface (tcpdump)
* nft trace monitoring shows the packet being accepted on eth1.300 in postrouting.
* tcpdump on the eth1.300 interface does not show the packet.
* rp_filter etc. should not be kicking in here (and also, "random" hosts are dropped)
* conntrack table is not full
* this issue seems to have suddenly appeared, is this a known bug?
* hint?

All connections from the client are established from the same source port.

--
Bjørnar

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
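The troubleshooting step the post describes, comparing what tcpdump sees on the ingress VLAN (eth1.700) with what it sees on the egress VLAN (eth1.300), can be automated so that the "missing" SYN is identified by its 4-tuple instead of by eye. The script below is an added example, not code from the original post or from the netfilter project; the interface names are the poster's, but the capture lines are constructed sample `tcpdump -nn` output, and the addresses in them are made up. It lists pure SYNs that were seen entering more often than leaving, and reports how many destinations each client source port fanned out to, which is the pattern the poster points at:

```python
"""Compare SYNs seen on the firewall's ingress and egress interfaces.

Added diagnostic example (not from the original post). Feed it the text
output of `tcpdump -nn -i <iface> 'tcp[tcpflags] & tcp-syn != 0'` captured
on both interfaces at the same time. It lists SYNs that entered but never
left, and shows how many destinations share one client source port.
"""
import re
from collections import Counter

# Matches the start of a `tcpdump -nn` IPv4 TCP line, e.g.
#   10:00:01.000100 IP 192.0.2.10.50000 > 198.51.100.1.443: Flags [S], ...
# IPv6 ("IP6 ... ") lines are not handled here.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample captures (made up for this example, not real traffic).
# Ingress side: one client, one source port, four destinations, plus a
# retransmitted SYN for the third destination because it never got an answer.
INGRESS_ETH1_700 = """\
10:00:01.000100 IP 192.0.2.10.50000 > 198.51.100.1.443: Flags [S], seq 1000, win 29200, options [mss 1460], length 0
10:00:01.000200 IP 192.0.2.10.50000 > 198.51.100.2.443: Flags [S], seq 2000, win 29200, options [mss 1460], length 0
10:00:01.000300 IP 192.0.2.10.50000 > 198.51.100.3.443: Flags [S], seq 3000, win 29200, options [mss 1460], length 0
10:00:01.000400 IP 192.0.2.10.50000 > 198.51.100.4.443: Flags [S], seq 4000, win 29200, options [mss 1460], length 0
10:00:02.000300 IP 192.0.2.10.50000 > 198.51.100.3.443: Flags [S], seq 3000, win 29200, options [mss 1460], length 0
"""
# Egress side: the SYN for 198.51.100.3 is absent; a SYN-ACK coming back
# from 198.51.100.1 is present and must be ignored (Flags [S.], not [S]).
EGRESS_ETH1_300 = """\
10:00:01.000150 IP 192.0.2.10.50000 > 198.51.100.1.443: Flags [S], seq 1000, win 29200, options [mss 1460], length 0
10:00:01.000250 IP 192.0.2.10.50000 > 198.51.100.2.443: Flags [S], seq 2000, win 29200, options [mss 1460], length 0
10:00:01.000450 IP 192.0.2.10.50000 > 198.51.100.4.443: Flags [S], seq 4000, win 29200, options [mss 1460], length 0
10:00:01.050000 IP 198.51.100.1.443 > 192.0.2.10.50000: Flags [S.], seq 9, ack 1001, win 28960, options [mss 1460], length 0
"""


def syn_tuples(capture_text):
    """Return (src, sport, dst, dport) for every pure SYN (Flags [S]) in the capture.

    SYN-ACKs (Flags [S.]) and all other segments are skipped. A retransmitted
    SYN yields one tuple per packet so that per-side counts can be compared.
    """
    tuples = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("flags") == "S":
            tuples.append((m.group("src"), int(m.group("sport")),
                           m.group("dst"), int(m.group("dport"))))
    return tuples


def missing_syns(ingress_text, egress_text):
    """SYN 4-tuples seen on ingress more often than on egress, in order of first appearance.

    A non-empty result means the packet was dropped (or rewritten) somewhere
    between the two capture points; the tuple tells you which flow to trace.
    """
    ingress = syn_tuples(ingress_text)
    ingress_counts = Counter(ingress)
    egress_counts = Counter(syn_tuples(egress_text))
    missing, seen = [], set()
    for t in ingress:
        if t not in seen:
            seen.add(t)
            if ingress_counts[t] > egress_counts.get(t, 0):
                missing.append(t)
    return missing


def source_port_fanout(capture_text):
    """Map each client (src, sport) to the number of distinct (dst, dport) it sent SYNs to."""
    fanout = {}
    for src, sport, dst, dport in syn_tuples(capture_text):
        fanout.setdefault((src, sport), set()).add((dst, dport))
    return {k: len(v) for k, v in fanout.items()}


if __name__ == "__main__":
    for src, sport, dst, dport in missing_syns(INGRESS_ETH1_700, EGRESS_ETH1_300):
        print(f"SYN {src}:{sport} -> {dst}:{dport} entered eth1.700 but did not leave eth1.300")
    for (src, sport), n in source_port_fanout(INGRESS_ETH1_700).items():
        print(f"{src}:{sport} fanned out to {n} destinations")
```

One caveat when using this on a real firewall: if the ruleset applies SNAT or DNAT between the two capture points, the 4-tuple changes in flight and the egress capture must be normalised (or the comparison keyed on the untranslated side) before the two sides can be matched. The tool also only accounts for pure SYNs; a SYN that leaves but gets no SYN-ACK back is a different failure from one that never leaves, and this comparison is meant to separate those two cases.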