| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89i+KsjGUppc3D8KLa4XUd-dzS3A+yDxbv2bRkDEkziS1qw@mail.gmail.com>
Date: Thu, 31 Mar 2022 17:10:13 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: Jaco Kroon <jaco@....co.za>
Cc: Neal Cardwell <ncardwell@...gle.com>,
LKML <linux-kernel@...r.kernel.org>,
Netdev <netdev@...r.kernel.org>,
Yuchung Cheng <ycheng@...gle.com>
Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections
On Thu, Mar 31, 2022 at 4:06 PM Jaco Kroon <jaco@....co.za> wrote:
>
> Hi Neal,
>
> This sniff was grabbed ON THE CLIENT HOST. There is no middlebox or
> anything between the sniffer and the client. Only the firewall on the
> host itself, where we've already establish the traffic is NOT DISCARDED
> (at least not in filter/INPUT).
>
> Setup on our end:
>
> 2 x routers, usually each with a direct peering with Google (which is
> being ignored at the moment so instead traffic is incoming via IPT over DD).
>
> Connected via switch to
>
> 2 x firewalls, of which ONE is active (they have different networks
> behind them, and could be active / standby for different networks behind
> them - avoiding active-active because conntrackd is causing more trouble
> than it's worth), Linux hosts, using netfilter, has been operating for
> years, no recent kernel upgrades.
Next step would be to attempt removing _all_ firewalls, especially not
common setups like yours.
conntrack had a bug preventing TFO deployment for a while, because
many boxes kept buggy kernel versions for years.
356d7d88e088687b6578ca64601b0a2c9d145296 netfilter: nf_conntrack: fix
tcp_in_window for Fast Open
Powered by blists - more mailing lists