On 13.04.2021 15:45, Florian Westphal wrote: > Mhh, can you share a patch? Your patch clears it when a SYN is > observed, so I am not sure what you mean. We are also seeing some RST drops during live migration of a NFS server (whose traffic goes through the filter before reaching the NFS clients). Basically the NFS server will send RSTs during live migration, and some of them are dropped, but we still don't understand the root cause in this case. I will send another patch in case it turns out to be an issue in in tcp conntrack. > I think the patch is good; we only need to handle the case where we > let a SYN through, and might be out of state. > > So, we only need to handle the reply dir, no? Yes, for the moment the proposed patch avoids the SYN -> RST -> drop situation, so many thanks for taking it. -- Ali Abdallah | SUSE Linux L3 Engineer GPG fingerprint: 51A0 F4A0 C8CF C98F 842E A9A8 B945 56F8 1C85 D0D5
