Bjørnar Ness <bjornar.ness@xxxxxxxxx> wrote:
> I am not sure if this is nftables related, but I post this issue here,
> and see if any of you can come up with a clue to what might be
> going on here.
>
> Problem description:
>
> When I create multiple tcp connections from the same client to
> multiple dst hosts at the same time, the n'th syn packet is just
> discarded by "something" in the kernel.
>
> If I reorder the list of dst hosts, a different dst host will hang in SYN_SENT
> on the client. This setup has been running for about a month, and we have
> no changes that can explain this behavior.
>
> What I am seeing on the firewall running kernel 4.8.1 is the following:
>
> * the syn packet enters through the eth1.700 interface (tcpdump)
> * nft trace monitoring shows the packet being accepted on eth1.300 in
>   postrouting.
> * tcpdump on the eth1.300 interface does not show the packet.
> * rp_filter etc should not be kicking in here (and also, "random"
>   hosts are dropped)
> * conntrack table is not full
> * this issue seems to have suddenly appeared, is this a known bug?

No.

> * hint? All connections from the client are established from the same
>   source port.

Can you show conntrack -S output?
Is nat in use?
Does 'perf script net_dropmonitor' show anything?

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
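The reply asks for `conntrack -S` output, which reports per-CPU conntrack statistics. The packets in this thread are accepted by the nftables ruleset (the trace shows accept in postrouting) yet never reach the egress interface, so the counters that matter are the ones that grow when conntrack itself refuses a packet rather than the ruleset. The following Python script is an added example, not part of the thread and not conntrack-tools code: it parses `conntrack -S` style lines, lists every nonzero drop-type counter per CPU, and diffs two snapshots so a counter that was already nonzero before reproducing the problem does not hide a fresh drop. The sample lines are constructed, and the set of column names (`found`, `invalid`, `insert_failed`, `drop`, `early_drop`, `error`, ...) is an assumption about the conntrack-tools output format; check it against the columns your own version prints.

```python
"""Summarise `conntrack -S` per-CPU statistics and flag counters that
indicate conntrack, rather than the ruleset, discarded a packet.

Added example for reading the output the reply asks for; not part of
the thread. SAMPLE_STATS is constructed, and the column names follow
the conntrack-tools `conntrack -S` format as an assumption.
"""
import re
from typing import Dict, List, Tuple

# Counters whose growth means conntrack itself refused the packet.
# insert_failed/drop in particular grow when a new connection entry
# cannot be inserted into the table.
DROP_COUNTERS = ("invalid", "insert_failed", "drop", "early_drop", "error")

# Constructed sample of `conntrack -S` output (not captured from the host
# in the thread). Only cpu=1 shows failed inserts and drops.
SAMPLE_STATS = """\
cpu=0   \tfound=1043 invalid=0 ignore=12 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=3
cpu=1   \tfound=987 invalid=2 ignore=9 insert=0 insert_failed=7 drop=7 early_drop=0 error=0 search_restart=1
cpu=2   \tfound=1120 invalid=0 ignore=15 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
"""

_KV = re.compile(r"(\w+)=(\d+)")

Stats = Dict[int, Dict[str, int]]


def parse_conntrack_stats(text: str) -> Stats:
    """Return {cpu: {counter: value}} from `conntrack -S` style lines.

    Lines without a cpu= field (headers, blank lines) are skipped, so
    pasting a whole terminal capture is fine.
    """
    stats: Stats = {}
    for line in text.splitlines():
        fields = {k: int(v) for k, v in _KV.findall(line)}
        if "cpu" not in fields:
            continue
        cpu = fields.pop("cpu")
        stats[cpu] = fields
    return stats


def flag_drops(stats: Stats) -> List[Tuple[int, str, int]]:
    """List every (cpu, counter, value) where a drop-type counter is nonzero."""
    hits: List[Tuple[int, str, int]] = []
    for cpu in sorted(stats):
        for name in DROP_COUNTERS:
            value = stats[cpu].get(name, 0)
            if value:
                hits.append((cpu, name, value))
    return hits


def diff_stats(before: Stats, after: Stats) -> Dict[int, Dict[str, int]]:
    """Per-CPU growth of drop-type counters between two snapshots.

    Take one snapshot, reproduce the hanging SYN, take another: only the
    counters that moved in between are relevant to that packet.
    """
    growth: Dict[int, Dict[str, int]] = {}
    for cpu in sorted(after):
        delta = {}
        for name in DROP_COUNTERS:
            d = after[cpu].get(name, 0) - before.get(cpu, {}).get(name, 0)
            if d > 0:
                delta[name] = d
        if delta:
            growth[cpu] = delta
    return growth


if __name__ == "__main__":
    snapshot = parse_conntrack_stats(SAMPLE_STATS)
    for cpu, name, value in flag_drops(snapshot):
        print(f"cpu {cpu}: {name}={value}")
```

Run it once on a saved capture to see which CPUs report `insert_failed` or `drop`; for the snapshot diff, feed `diff_stats` the parsed output from before and after a reproduction attempt. Drops concentrated on one CPU with the ruleset accepting the packet point at the conntrack side of the path, which is the distinction the reply's questions about `conntrack -S` and NAT are probing.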