On Mon 2019-07-08 17:51:21 +0200, Florian Westphal wrote:
> Anton Danilov <littlesmilingcloud@xxxxxxxxx> wrote:
> > To avoid this issue you can tune the conntrack behaviour with sysctl:
> > sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1
> > sysctl -w net.netfilter.nf_conntrack_tcp_loose=1
>
> Yes, a better alternative in this case though would be to
> NOTRACK packets from/to the lo interface.
>
> It's kind of silly that conntrack tracks them by default IMO.

Yeah, these options seem to fix it as well. It is weird that only some of the half-open connections seem to need it though, while for others I see a RST and they work either way.

Another thing I'm wondering is whether this rule could be impacting connections beyond lo, but I just don't know about it.
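The two mitigations discussed in the thread, put into a script form, as an added example that is not part of the original mail exchange: a check that the two conntrack sysctls are actually set, and the raw-table rules that exempt loopback traffic from conntrack (the alternative Florian suggests). The iptables rules use the standard `raw` table and `NOTRACK` target; the nft lines are an equivalent translation and the chain names, the `-300` priority and the `SYSCTL_DIR` override (used so the check can be exercised against a constructed directory) are this example's own assumptions. Nothing is applied unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the conntrack sysctls and
# prints (or, with APPLY=1, applies) rules that stop conntrack from
# tracking packets to/from lo.

# Directory holding the sysctl knobs; overridable so the check can be run
# against a constructed directory (assumption of this example).
SYSCTL_DIR=${SYSCTL_DIR:-/proc/sys/net/netfilter}

# read_sysctl NAME -> prints the current value, or "missing" if unreadable.
read_sysctl() {
    f="$SYSCTL_DIR/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# check_conntrack_tuning -> returns 0 only if both knobs from the thread
# (tcp_be_liberal and tcp_loose) are set to 1.
check_conntrack_tuning() {
    liberal=$(read_sysctl nf_conntrack_tcp_be_liberal)
    loose=$(read_sysctl nf_conntrack_tcp_loose)
    [ "$liberal" = 1 ] && [ "$loose" = 1 ]
}

# lo_notrack_rules -> prints the iptables commands that mark loopback
# packets NOTRACK. The raw table is consulted before conntrack hooks, so
# these packets never get a conntrack entry.
lo_notrack_rules() {
    cat <<'EOF'
iptables -t raw -A PREROUTING -i lo -j NOTRACK
iptables -t raw -A OUTPUT -o lo -j NOTRACK
EOF
}

# lo_notrack_rules_nft -> the same exemption in nft syntax. Chain names and
# the -300 priority (the conventional raw priority) are assumptions here.
lo_notrack_rules_nft() {
    cat <<'EOF'
nft add table ip raw
nft add chain ip raw prerouting '{ type filter hook prerouting priority -300; }'
nft add chain ip raw output '{ type filter hook output priority -300; }'
nft add rule ip raw prerouting iif lo notrack
nft add rule ip raw output oif lo notrack
EOF
}

# Top level: report state; only apply when explicitly asked.
if check_conntrack_tuning; then
    echo "conntrack sysctls: tcp_be_liberal=1 tcp_loose=1"
else
    echo "conntrack sysctls not both set (be_liberal=$(read_sysctl nf_conntrack_tcp_be_liberal), loose=$(read_sysctl nf_conntrack_tcp_loose))"
fi

if [ "${APPLY:-0}" = 1 ]; then
    lo_notrack_rules | sh
else
    echo "Rules that would exempt lo from conntrack (set APPLY=1 to apply):"
    lo_notrack_rules
fi
```

Run it as root with `APPLY=1` on a host where iptables is in use, or paste the `lo_notrack_rules_nft` output on an nft-only host. Note that once loopback is untracked, any rules elsewhere that match on `ctstate`/`ct state` will see loopback packets as `INVALID`, so a ruleset that drops `INVALID` must accept `-i lo` / `iif lo` before that drop.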