| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADVnQymVpNP+=K=fYV2yub0DfVRHJ0tQskS7fY8KUun8HZiHAA@mail.gmail.com>
Date: Sat, 2 Apr 2022 11:57:36 -0400
From: Neal Cardwell <ncardwell@...gle.com>
To: Florian Westphal <fw@...len.de>
Cc: Jaco Kroon <jaco@....co.za>, Eric Dumazet <edumazet@...gle.com>,
LKML <linux-kernel@...r.kernel.org>,
Netdev <netdev@...r.kernel.org>,
Yuchung Cheng <ycheng@...gle.com>, Wei Wang <weiwan@...gle.com>
Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections
On Sat, Apr 2, 2022 at 10:14 AM Florian Westphal <fw@...len.de> wrote:
>
> Jaco Kroon <jaco@....co.za> wrote:
> > Including sysctl net.netfilter.nf_conntrack_log_invalid=6- which
> > generates lots of logs, something specific I should be looking for? I
> > suspect these relate:
> >
> > [Sat Apr 2 10:31:53 2022] nf_ct_proto_6: SEQ is over the upper bound
> > (over the window of the receiver) IN= OUT=bond0
> > SRC=2c0f:f720:0000:0003:d6ae:52ff:feb8:f27b
> > DST=2a00:1450:400c:0c08:0000:0000:0000:001a LEN=2928 TC=0 HOPLIMIT=64
> > FLOWLBL=867133 PROTO=TCP SPT=48920 DPT=25 SEQ=2689938314 ACK=4200412020
> > WINDOW=447 RES=0x00 ACK PSH URGP=0 OPT (0101080A2F36C1C120EDFB91) UID=8
> > GID=12
>
> I thought this had "liberal mode" enabled for tcp conntrack?
> The above implies its off.
Jaco's email said: "Our core firewalls already had
nf_conntrack_tcp_be_liberal". But this log is from the client machine
itself, not the core firewall machines. AFAICT it seems the client
machine does not have "liberal mode" enabled.
neal
Powered by blists - more mailing lists