Thanks Jozsef for looking at this.

On Wed, Jun 15, 2005 at 01:18:38PM +0200, Jozsef Kadlecsik wrote:
> On Tue, 14 Jun 2005, Andy Smith wrote:
>
> > In dom0 I have iptables running, with the eb-nf support of linux
> > 2.6.11 and the physdev module loaded so that I can match traffic
> > coming in to each of my user domains.
> [...]
> > Now, I have noticed that while this works most of the time, for
> > reasons unknown to me, some TCP connections just seem to stop being
> > tracked and hit the DROP rule. Even though they have been tracked
> > fine for several hours. This happens on every user domain to all
> > kinds of TCP connections, but I have pared the ruleset down to just
> > the one domain (strugglers.net) and SSH to demonstrate.
>
> You have two choices: either disable TCP SACK support on all your
> real/virtual machines behind your firewall, or upgrade the kernel on the
> firewall.

Do you have any instructions or a pointer to documentation on how to
temporarily disable SACK? If it was a /proc setting that would be
ideal; I don't really want to have to recompile kernels though.

> There is a SACK related bug in netfilter connection tracking in
> 2.6.11 (and below). According to the dumped traffic your connections
> suffer from packet losses,

Interesting; this may explain why I only notice this when I'm coming
from 82.44.131.131 - its network is kind of sucky. :)

> SACK kicks in and conntrack screws up tracking
> the given TCP connections. (Sorry, I can't recall at which rc release was
> the fix submitted in.)

How sure are you that this is the problem I am seeing?

Thanks again for your help.