On Tue, 14 Jun 2005, Andy Smith wrote:

> In dom0 I have iptables running, with the eb-nf support of linux
> 2.6.11 and the physdev module loaded so that I can match traffic
> coming in to each of my user domains.

[...]

> Now, I have noticed that while this works most of the time, for
> reasons unknown to me, some TCP connections just seem to stop being
> tracked and hit the DROP rule. Even though they have been tracked
> fine for several hours. This happens on every user domain to all
> kinds of TCP connections, but I have pared the ruleset down to just
> the one domain (strugglers.net) and SSH to demonstrate.

You have two choices: either disable TCP SACK support on all your
real/virtual machines behind your firewall, or upgrade the kernel on
the firewall.

There is a SACK-related bug in netfilter connection tracking in 2.6.11
(and below). According to the dumped traffic your connections suffer
from packet losses, SACK kicks in and conntrack screws up tracking the
given TCP connections. (Sorry, I can't recall at which rc release the
fix was submitted.)

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
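The reply above says "SACK kicks in" once packets are lost; what that means on the wire is that the receiver starts carrying SACK blocks (TCP option kind 5) in its ACKs, and a stateful tracker that parses those blocks wrongly can mis-position its window and drop a long-lived connection. The example below is added here and is not code from the thread or from netfilter: it parses the TCP options field, extracts the SACK blocks, and computes the highest acknowledged edge with wraparound-safe 32-bit comparison. That conntrack's TCP window tracking advances its acknowledged end from the highest SACK right edge is my understanding and is stated as an assumption; the option byte strings (`SACK_OPTS`, `SYN_OPTS`, `WRAP_OPTS`) are constructed samples, and a malformed `MALFORMED_OPTS` shows the bad-length case the parser must refuse rather than skip.

```python
import struct

# TCP option kinds (RFC 793 / RFC 2018)
TCPOPT_EOL = 0        # end of option list
TCPOPT_NOP = 1        # padding, single byte, no length field
TCPOPT_SACK_PERM = 4  # "SACK permitted", only in SYN segments
TCPOPT_SACK = 5       # SACK blocks: pairs of (left edge, right edge)

SEQ_MASK = 0xFFFFFFFF


def seq_after(a: int, b: int) -> bool:
    """True if 32-bit sequence number a lies after b, modulo 2**32."""
    return a != b and ((a - b) & SEQ_MASK) < 0x80000000


def parse_tcp_options(options: bytes):
    """Split the options field into (kind, data) tuples.

    Each option except EOL/NOP is kind, length, data where length counts the
    kind and length bytes. A length under 2 or one that overruns the field is
    a malformed option and raises ValueError instead of being skipped.
    """
    opts = []
    i, n = 0, len(options)
    while i < n:
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError(f"option kind {kind} truncated (no length byte)")
        length = options[i + 1]
        if length < 2 or i + length > n:
            raise ValueError(f"option kind {kind} has bad length {length}")
        opts.append((kind, options[i + 2:i + length]))
        i += length
    return opts


def sack_blocks(options: bytes):
    """Return the (left, right) SACK blocks carried in the options, in wire order."""
    blocks = []
    for kind, data in parse_tcp_options(options):
        if kind != TCPOPT_SACK:
            continue
        if not data or len(data) % 8 != 0:
            raise ValueError("SACK payload must be a non-empty multiple of 8 bytes")
        for off in range(0, len(data), 8):
            blocks.append(struct.unpack("!II", data[off:off + 8]))
    return blocks


def highest_sacked_edge(ack: int, options: bytes) -> int:
    """Highest right edge among the SACK blocks, or the plain ACK if there are none.

    Assumption (not taken from the thread): netfilter's TCP window tracking
    uses this value, rather than the cumulative ACK alone, to advance the
    acknowledged end of the peer's send window; a parser bug here is what
    makes a healthy connection look out-of-window and fall through to DROP.
    """
    best = ack & SEQ_MASK
    for _, right in sack_blocks(options):
        if seq_after(right, best):
            best = right
    return best


# Constructed samples (not captured traffic):
# two NOPs then one SACK option of length 18 holding two blocks.
SACK_OPTS = b"\x01\x01\x05\x12" + struct.pack("!IIII", 3000, 4000, 1000, 2000)
# SYN options: MSS 1460, SACK-permitted, two NOPs; no SACK blocks yet.
SYN_OPTS = b"\x02\x04\x05\xb4\x04\x02\x01\x01"
# one block whose right edge has wrapped past 2**32.
WRAP_OPTS = b"\x05\x0a" + struct.pack("!II", 0xFFFFFF00, 0x00000010)
# SACK option claiming length 1: must be rejected, not silently skipped.
MALFORMED_OPTS = b"\x05\x01"

if __name__ == "__main__":
    print(sack_blocks(SACK_OPTS))                     # [(3000, 4000), (1000, 2000)]
    print(highest_sacked_edge(500, SACK_OPTS))        # 4000
    print(highest_sacked_edge(500, SYN_OPTS))         # 500
    print(highest_sacked_edge(0xFFFFFF00, WRAP_OPTS))  # 16 (wrapped)
```

The "disable TCP SACK support" option from the reply corresponds to setting the `net.ipv4.tcp_sack` sysctl to 0 on the hosts behind the firewall; it removes the trigger but also the loss-recovery benefit SACK gives, so upgrading the firewall kernel is the preferable fix once the corrected conntrack code is available.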