On Wed, Aug 22, 2018 at 05:05:14PM -0700, Doug Smythies wrote:
> On 2018.08.22 11:26 Doug Smythies wrote:
> > On 2018.08.21 02:26 Florian Westphal wrote:
> >
> > ... [snip] ...
> >
> >> Fix this by clearing maxwin of existing tcp connections on register.
> >> While at it, lower timeout of existing entries when disabling to allow
> >> gc to reap entries more quickly.
> >>
> >> Reported-by: Doug Smythies <dsmythies@xxxxxxxxx>
> >> Fixes: 4d3a57f23dec59 ("netfilter: conntrack: do not enable connection tracking unless needed")
> >> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> >> ---
> >> net/netfilter/nf_conntrack_proto.c | 61 ++++++++++++++++++++++++++++++++++++--
> >> 1 file changed, 59 insertions(+), 2 deletions(-)
> >
> > ... [snip] ...
> >
> > I was not able to apply this patch on top of kernel 4.18, as it
> > seems to be on top of other patches since then.
> >
> > I was able to apply it on top of the mainline kernel as of sometime
> > yesterday (head was at ad1d697)(somewhere between 4.18 and 4.19-rc1).
> >
> > I verified that as of ad1d697 the issue was still present and then
> > tested ad1d697 + this patch and the issue is fixed.
>
> I spoke too soon. Now I have issues with any other SSH sessions
> dropping out if I don't use them within one minute of an iptables rule
> set flush and re-load.
>
> The previous suggested change:
>
> echo 1 | sudo tee /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
>
> does not fix it.

Could you try conntrack -F after removing your ruleset?

Thanks.