On Fri, 23 Oct 2009, Carl Michal wrote:

> so logging the invalid packets (strangely setting
> ip_conntrack_log_invalid to 1 didn't actually produce the logs, I had to
> bypass the check for LOG_INVALID in nf_conntrack_proto_tcp.c and
> recompile...) gives:
>
> Oct 23 23:35:00 spider nf_ct_tcp: ACK is over the upper bound (ACKed data not
> seen yet) IN= OUT= SRC=142.103.236.11 DST=142.103.235.177 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=10722 DF PROTO=TCP SPT=44574 DPT=22 SEQ=3218503158
> ACK=2892721343 WINDOW=24840 RES=0x00 ACK URGP=0 OPT (0101050ACCFD9D1FCCFDA283)

The TCP options are:

No-Operation
No-Operation
SACK option(10): 3439172895:3439174275(1380)

So it looks like a SACK issue - you can verify it by disabling SACK support
(/proc/sys/net/ipv4/tcp_sack, preferably at both sides) and running your
original rule sets. Does the ssh connection still hang?

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
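The option decoding Jozsef does by hand above (hex blob 0101050ACCFD9D1FCCFDA283 into NOP, NOP, SACK 3439172895:3439174275) is mechanical and worth automating when you are staring at a batch of nf_conntrack INVALID log lines. The following Python script is an added example and not part of this thread or of netfilter; it pulls the KEY=VALUE fields and the OPT blob out of a log line in the format quoted above and walks the TCP option list (kinds 0, 1, 2, 3, 4, 5 and 8 per RFC 793/2018/7323), rendering SACK blocks the same way as in the mail. The first sample line is the one quoted in the thread; the second option blob is constructed to show the non-SACK kinds. Function names and the output format are the example's own choices.

```python
"""Decode the OPT(...) TCP options blob found in nf_conntrack log lines."""
import re

# Log line as quoted in the thread (same addresses, ports and option bytes).
SAMPLE_LINE = (
    "Oct 23 23:35:00 spider nf_ct_tcp: ACK is over the upper bound (ACKed data not "
    "seen yet) IN= OUT= SRC=142.103.236.11 DST=142.103.235.177 LEN=52 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=10722 DF PROTO=TCP SPT=44574 DPT=22 SEQ=3218503158 "
    "ACK=2892721343 WINDOW=24840 RES=0x00 ACK URGP=0 OPT (0101050ACCFD9D1FCCFDA283)"
)

# Constructed SYN-style option blob (not from the thread): MSS 1460,
# SACK-permitted, Timestamps (tsval=1, tsecr=0), NOP, Window-Scale 7.
SYN_OPTIONS_HEX = "020405B40402080A000000010000000001030307"

OPTION_NAMES = {
    0: "End-of-Options", 1: "No-Operation", 2: "MSS", 3: "Window-Scale",
    4: "SACK-Permitted", 5: "SACK", 8: "Timestamps",
}


def parse_log_fields(line):
    """Return the KEY=VALUE pairs of a netfilter log line plus the OPT hex blob."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    m = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)
    if m:
        fields["OPT"] = m.group(1)
    return fields


def decode_tcp_options(hexblob):
    """Walk the TCP option list; raise ValueError on a malformed/truncated list."""
    data = bytes.fromhex(hexblob)
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                       # End-of-Options: stop, ignore padding
            opts.append({"kind": 0, "name": OPTION_NAMES[0]})
            break
        if kind == 1:                       # NOP has no length byte
            opts.append({"kind": 1, "name": OPTION_NAMES[1]})
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        body = data[i + 2:i + length]
        entry = {"kind": kind, "name": OPTION_NAMES.get(kind, "Unknown"),
                 "length": length}
        if kind == 5:                       # SACK: list of (left, right) edges
            if len(body) % 8:
                raise ValueError("SACK body is not a multiple of 8 bytes")
            entry["blocks"] = [
                (int.from_bytes(body[j:j + 4], "big"),
                 int.from_bytes(body[j + 4:j + 8], "big"))
                for j in range(0, len(body), 8)
            ]
        elif kind == 2 and len(body) == 2:
            entry["mss"] = int.from_bytes(body, "big")
        elif kind == 3 and len(body) == 1:
            entry["shift"] = body[0]
        elif kind == 8 and len(body) == 8:
            entry["tsval"] = int.from_bytes(body[:4], "big")
            entry["tsecr"] = int.from_bytes(body[4:], "big")
        opts.append(entry)
        i += length
    return opts


def describe(opts):
    """Render options in the style used in the mail above."""
    lines = []
    for o in opts:
        if "blocks" in o:
            blocks = " ".join("%d:%d(%d)" % (l, r, r - l) for l, r in o["blocks"])
            lines.append("SACK option(%d): %s" % (o["length"], blocks))
        elif "length" in o:
            extra = {k: v for k, v in o.items() if k not in ("kind", "name", "length")}
            lines.append("%s option(%d) %s" % (o["name"], o["length"], extra or ""))
        else:
            lines.append(o["name"])
    return "\n".join(lines)


def decode_log_line(line):
    """Convenience wrapper: fields of the line plus its decoded option list."""
    fields = parse_log_fields(line)
    fields["options"] = decode_tcp_options(fields["OPT"]) if "OPT" in fields else []
    return fields


if __name__ == "__main__":
    info = decode_log_line(SAMPLE_LINE)
    print("SEQ=%s ACK=%s" % (info["SEQ"], info["ACK"]))
    print(describe(info["options"]))
    print(describe(decode_tcp_options(SYN_OPTIONS_HEX)))
```

Running it on the quoted line prints the two NOPs and `SACK option(10): 3439172895:3439174275(1380)`, matching the hand decode; the decoder refuses option lists whose length bytes run past the end of the blob, which is the condition you want to catch before trusting a logged packet's options at all.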