Message-ID: <20180416110158.2cwr3pi3anpkzrw3@breakpoint.cc>
Date:   Mon, 16 Apr 2018 13:01:58 +0200
From:   Florian Westphal <fw@...len.de>
To:     Dominique Martinet <asmadeus@...ewreck.org>
Cc:     Eric Dumazet <eric.dumazet@...il.com>,
        Michal Kubecek <mkubecek@...e.cz>, netdev@...r.kernel.org
Subject: Re: tcp hang when socket fills up ?

Dominique Martinet <asmadeus@...ewreck.org> wrote:
> Eric Dumazet wrote on Sun, Apr 15, 2018:
> > Are you sure you do not have some iptables/netfilter stuff ?
> 
> I have a basic firewall setup with default rules e.g. starts with
> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> in the INPUT chain...
> That said, I just dropped it on the server to check and that seems to
> work around the issue?!
> When logging everything dropped it appears to decide that the connection
> is no longer established at some point, but only if there is
> tcp_timestamp, just, err, how?
> 
> And certainly enough, if I restore the firewall while a connection is up
> that just hangs; conntrack doesn't consider it connected anymore at some
> point (but it worked for a while!)
> 
> Here's the kind of logs I get from iptables:
> IN=wlp1s0 OUT= MAC=00:c2:c6:b4:7e:c7:a4:12:42:b5:5d:fc:08:00 SRC=client DST=server LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=17038 DF PROTO=TCP SPT=41558 DPT=15609 WINDOW=1212 RES=0x00 ACK URGP=0 

You could do
echo 6 > /proc/sys/net/netfilter/nf_conntrack_log_invalid

to have conntrack log when/why it thinks a packet is invalid.

You can also set
echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

which stops conntrack from marking packets with out-of-window
acks as invalid.

(Earlier email implies this is related to timestamps, but unfortunately
 to the best of my knowledge conntrack doesn't look at tcp timestamps).
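The two knobs above are the usual first step when conntrack silently drops an established flow: turn on invalid-packet logging, read the reason conntrack gives, and only then decide whether nf_conntrack_tcp_be_liberal is the right fix (it makes conntrack accept out-of-window ACKs and sequence numbers instead of marking them INVALID, so it also loosens the window tracking that protects a flow from injected segments). The script below is an added example, not part of this thread or of the netfilter project: it tallies the reasons and flows from kernel log lines after nf_conntrack_log_invalid=6 is set, and prints the current values of both sysctls if they exist. The sample log lines are constructed; their prefix and reason text follow the wording in the kernel's TCP conntrack code as of this kernel generation, but the exact prefix varies between versions, so treat the match pattern as an assumption to adjust against your own dmesg output. The addresses and ports are made up.

```shell
#!/bin/sh
# Added example: triage conntrack INVALID TCP packets from kernel log lines.
# Not from the original thread; log format below is an approximation.

# Constructed sample log lines (assumed shape of nf_conntrack_log_invalid=6
# output: "nf_ct_proto_6: <reason> IN=... SRC=... DST=... SPT=... DPT=...").
SAMPLE_LOG='[1234.001] nf_ct_proto_6: ACK is over the upper bound (ACKed data not seen yet) IN=wlp1s0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=52 PROTO=TCP SPT=41558 DPT=15609 WINDOW=1212 ACK URGP=0
[1234.002] nf_ct_proto_6: ACK is over the upper bound (ACKed data not seen yet) IN=wlp1s0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=52 PROTO=TCP SPT=41558 DPT=15609 WINDOW=1212 ACK URGP=0
[1234.003] nf_ct_proto_6: SEQ is under the lower bound (already ACKed data retransmitted) IN=wlp1s0 OUT= SRC=192.0.2.11 DST=192.0.2.20 LEN=1500 PROTO=TCP SPT=50000 DPT=22 WINDOW=501 ACK PSH URGP=0
[1234.004] some unrelated kernel message'

# Read log lines on stdin; print one "reason|SRC:SPT->DST:DPT" per invalid
# TCP packet. Lines without the conntrack prefix are ignored.
invalid_flows() {
  awk '
    /nf_ct_proto_6: / {
      line = $0
      sub(/^.*nf_ct_proto_6: /, "", line)     # drop timestamp and prefix
      i = index(line, " IN=")                  # reason ends where the packet dump starts
      reason = (i > 0) ? substr(line, 1, i - 1) : line
      src = ""; dst = ""; spt = ""; dpt = ""
      for (f = 1; f <= NF; f++) {
        if ($f ~ /^SRC=/) src = substr($f, 5)
        else if ($f ~ /^DST=/) dst = substr($f, 5)
        else if ($f ~ /^SPT=/) spt = substr($f, 5)
        else if ($f ~ /^DPT=/) dpt = substr($f, 5)
      }
      print reason "|" src ":" spt "->" dst ":" dpt
    }'
}

# Count occurrences per reason/flow, most frequent first.
summarize_invalid() {
  invalid_flows | sort | uniq -c | sort -rn
}

# Number of distinct reason/flow pairs seen on stdin.
count_invalid_flows() {
  invalid_flows | sort -u | wc -l | tr -d ' '
}

# Print the two sysctls from the message, if this host exposes them.
show_conntrack_knobs() {
  for k in nf_conntrack_log_invalid nf_conntrack_tcp_be_liberal; do
    f="/proc/sys/net/netfilter/$k"
    if [ -r "$f" ]; then
      printf '%s=%s\n' "$k" "$(cat "$f")"
    else
      printf '%s: not available on this host\n' "$k"
    fi
  done
}

# Usage: feed real output instead of the sample, e.g.
#   dmesg | summarize_invalid
printf '%s\n' "$SAMPLE_LOG" | summarize_invalid
show_conntrack_knobs
```

A flow that shows up repeatedly with "ACK is over the upper bound" while the application is hung is the signature of the situation described in this thread: conntrack's view of the window has diverged from the endpoints', so every further ACK on that connection is INVALID and never matches the ESTABLISHED rule.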
