On Mon, 11 Feb 2008, Philip Craig wrote:

> John Zornig wrote:
> > echo "1" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
>
> This is just a workaround for a bug.
>
> Are you using a recent kernel?
>
> It would be good to work with Jozsef to get this fixed if you are able
> to help debug it. Also report it on the netfilter-devel list.
>
> To debug, I think the first steps are to enable logging with:
>
> modprobe ipt_LOG
> echo 255 >/proc/sys/net/netfilter/nf_conntrack_log_invalid
>
> and check your syslog for errors.
>
> Also get a tcpdump of the ssh traffic with something like:
>
> tcpdump -i eth0 -s 0 -w dump.pcap tcp port 22

Exactly. By enabling ip_conntrack_tcp_be_liberal you just mask the
problem. And without dumped traffic to analyze I cannot do anything to
improve the kernel.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
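The debugging steps quoted above end with "check your syslog for errors" and a tcpdump of the ssh traffic. The following is an added example (not from the thread or from the netfilter project) that turns those two steps into one pass: it parses the conntrack-invalid lines that nf_conntrack_log_invalid produces, counts them per reason and per flow, and emits a narrowed capture filter for each offending flow so the pcap sent to the developers contains only the connection that conntrack rejected. The syslog lines are constructed, and the exact "nf_ct_tcp: ..." wording and field layout are assumptions to be checked against the messages your own kernel emits.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not from the original thread). The
# "nf_ct_tcp: ..." prefixes and the IN=/OUT=/SRC= field layout follow the
# kernel's conntrack-invalid logging as far as I know them; verify them
# against the messages your own kernel produces before relying on the regex.
SAMPLE_SYSLOG = """\
Feb 11 10:01:02 gw kernel: nf_ct_tcp: invalid packet ignored IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=22 DPT=40112 SEQ=1000 ACK=500 WINDOW=65535 ACK URGP=0
Feb 11 10:01:03 gw kernel: nf_ct_tcp: invalid packet ignored IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=1500 PROTO=TCP SPT=22 DPT=40112 SEQ=1052 ACK=500 WINDOW=65535 ACK PSH URGP=0
Feb 11 10:01:05 gw kernel: nf_ct_tcp: invalid RST IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=22 DPT=51000 SEQ=7 ACK=0 WINDOW=0 RST URGP=0
Feb 11 10:01:06 gw sshd[123]: Accepted publickey for alice from 198.51.100.5 port 40112 ssh2
"""

# Older kernels log as ip_ct_tcp, newer ones as nf_ct_tcp; accept both.
EVENT_RE = re.compile(
    r"kernel: (?P<reason>(?:nf|ip)_ct_tcp: .+?) IN=(?P<iface>\S*) OUT=\S* "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_invalid_events(syslog_text):
    """Return one dict per conntrack-invalid log line; unrelated lines are skipped."""
    events = []
    for line in syslog_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events, port=22):
    """Count events per reason and per 4-tuple, limited to flows touching `port`
    (22 by default, the ssh traffic in the thread); pass port=None for all flows."""
    by_reason, by_flow = Counter(), Counter()
    for e in events:
        if port is not None and port not in (int(e["spt"]), int(e["dpt"])):
            continue
        by_reason[e["reason"]] += 1
        by_flow[(e["src"], e["spt"], e["dst"], e["dpt"])] += 1
    return {"by_reason": by_reason, "by_flow": by_flow}

def tcpdump_filter(flow):
    """Capture filter for one offending flow, to narrow the -w capture suggested
    in the thread down to the single connection conntrack complained about."""
    src, spt, dst, dpt = flow
    return f"tcp and host {src} and host {dst} and port {spt} and port {dpt}"

if __name__ == "__main__":
    summary = summarize(parse_invalid_events(SAMPLE_SYSLOG))
    for reason, n in summary["by_reason"].most_common():
        print(f"{n:4d}  {reason}")
    for flow, n in summary["by_flow"].most_common():
        print(f"{n:4d}  {flow}  ->  tcpdump -i eth0 -s 0 -w dump.pcap '{tcpdump_filter(flow)}'")
```

Run it against `/var/log/messages` (or `dmesg` output) instead of the sample; flows that keep showing up as "invalid packet ignored" are the ones worth capturing before considering the be_liberal workaround.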