Yes! I believe a piece of code that is machine dependent stole the packet and thereby got things messed up in conntrack. A rebuild seems to have taken care of the issue.

Thanks for taking a look at this. The kernel version is 2.6.35.

Again, thanks!

On Thu, Oct 23, 2014 at 3:04 AM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> On Wed, 22 Oct 2014, vDev wrote:
>
>> Thanks, Jozsef. Attached is the new packet capture and trace with patch
>> applied.
>
> Thanks, now packets and conntrack states can be compared.
>
> Up to packet 6 everything is normal. However, look at packet 7:
>
> 16:20:21.653783 IP (tos 0x0, ttl 52, id 24152, offset 0, flags [DF],
> proto TCP (6), length 40)
> Remote_Server.63001 > Linux_Router.1039: Flags [F.], cksum 0x567b
> (correct), seq 3661860393, ack 2561327135, win 14600, length 0
>
> This is the first FIN packet, and the kernel debug log says:
>
> [ 376.950000] tcp_packet:
> [ 376.950000] dir=1, seq=3661860393 ack=2561327135 win=14600 end=3661860394
> [ 376.950000] tcp_conntracks:
> [ 376.950000] syn=0 ack=1 fin=1 rst=0 old=3 new=4
>
> The previous conntrack state is in "old=3", i.e.
> TCP_CONNTRACK_ESTABLISHED. The new=4 means TCP_CONNTRACK_FIN_WAIT. However
> between
>
> [ 376.950000] tcp_packet:
> [ 376.950000] dir=1, seq=3661860393 ack=2561327135 win=14600 end=3661860394
>
> and
>
> [ 376.950000] tcp_conntracks:
> [ 376.950000] syn=0 ack=1 fin=1 rst=0 old=3 new=4
>
> there is a missing call to tcp_in_window()! Therefore the internal
> counters of conntrack are not updated and later packets won't match the
> wrong internal states.
>
> Why is the call to tcp_in_window() missing? Looking at tcp_packet(),
> there's nothing which could cause skipping it: the big switch about the
> new_state does not divert the handling of TCP_CONNTRACK_FIN_WAIT.
>
> So, what's your kernel version number? You have got the source:
> please post net/netfilter/nf_conntrack_proto_tcp.c
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
> H-1525 Budapest 114, POB. 49, Hungary
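The comparison made in the quoted analysis can be automated over a whole debug trace. The following is an added example, not part of the thread or of the kernel source: it assumes the output of tcp_in_window() appears as lines beginning with `tcp_in_window`, and the second packet in the sample is constructed (the first is the one quoted above).

```python
import re

# enum tcp_conntrack values; the message above names 3 and 4.
STATES = ["NONE", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT",
          "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE"]
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
PKT = re.compile(r"dir=(\d),? seq=(\d+) ack=(\d+) win=(\d+) end=(\d+)")
TRANS = re.compile(r"syn=(\d) ack=(\d) fin=(\d) rst=(\d) old=(\d+) new=(\d+)")

# First packet: the lines quoted in the message. Second packet: constructed.
SAMPLE = """\
[ 376.950000] tcp_packet:
[ 376.950000] dir=1, seq=3661860393 ack=2561327135 win=14600 end=3661860394
[ 376.950000] tcp_conntracks:
[ 376.950000] syn=0 ack=1 fin=1 rst=0 old=3 new=4
[ 376.960000] tcp_packet:
[ 376.960000] dir=0, seq=2561327135 ack=3661860394 win=14600 end=2561327135
[ 376.960000] tcp_in_window: START
[ 376.960000] tcp_conntracks:
[ 376.960000] syn=0 ack=1 fin=0 rst=0 old=4 new=5
"""

def name(n):
    return STATES[n] if n < len(STATES) else f"STATE_{n}"

def audit(trace):
    """Return one record per state transition found in a conntrack debug trace."""
    records, pkt, windowed, section = [], None, False, None
    for raw in trace.splitlines():
        line = STAMP.sub("", raw.strip())
        if line.startswith("tcp_packet:"):
            section, pkt, windowed = "packet", None, False
        elif line.startswith("tcp_in_window"):  # assumed marker of the call
            section, windowed = "window", True
        elif line.startswith("tcp_conntracks:"):
            section = "trans"
        if section == "packet" and (m := PKT.search(line)):
            pkt = dict(zip(("dir", "seq", "ack", "win", "end"), map(int, m.groups())))
        elif section == "trans" and (m := TRANS.search(line)):
            records.append({"seq": pkt and pkt["seq"], "old": name(int(m[5])),
                            "new": name(int(m[6])), "window_checked": windowed})
            section = None
    return records

if __name__ == "__main__":
    for r in audit(SAMPLE):
        flag = "ok" if r["window_checked"] else "no tcp_in_window() before transition"
        print(f'seq={r["seq"]} {r["old"]} -> {r["new"]}: {flag}')
```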