lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 2 Apr 2022 11:57:36 -0400 From: Neal Cardwell <ncardwell@...gle.com> To: Florian Westphal <fw@...len.de> Cc: Jaco Kroon <jaco@....co.za>, Eric Dumazet <edumazet@...gle.com>, LKML <linux-kernel@...r.kernel.org>, Netdev <netdev@...r.kernel.org>, Yuchung Cheng <ycheng@...gle.com>, Wei Wang <weiwan@...gle.com> Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections On Sat, Apr 2, 2022 at 10:14 AM Florian Westphal <fw@...len.de> wrote: > > Jaco Kroon <jaco@....co.za> wrote: > > Including sysctl net.netfilter.nf_conntrack_log_invalid=6- which > > generates lots of logs, something specific I should be looking for? I > > suspect these relate: > > > > [Sat Apr 2 10:31:53 2022] nf_ct_proto_6: SEQ is over the upper bound > > (over the window of the receiver) IN= OUT=bond0 > > SRC=2c0f:f720:0000:0003:d6ae:52ff:feb8:f27b > > DST=2a00:1450:400c:0c08:0000:0000:0000:001a LEN=2928 TC=0 HOPLIMIT=64 > > FLOWLBL=867133 PROTO=TCP SPT=48920 DPT=25 SEQ=2689938314 ACK=4200412020 > > WINDOW=447 RES=0x00 ACK PSH URGP=0 OPT (0101080A2F36C1C120EDFB91) UID=8 > > GID=12 > > I thought this had "liberal mode" enabled for tcp conntrack? > The above implies its off. Jaco's email said: "Our core firewalls already had nf_conntrack_tcp_be_liberal". But this log is from the client machine itself, not the core firewall machines. AFAICT it seems the client machine does not have "liberal mode" enabled. neal
Powered by blists - more mailing lists