lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 2 Apr 2022 23:51:35 +0200 From: Jaco Kroon <jaco@....co.za> To: Florian Westphal <fw@...len.de> Cc: Neal Cardwell <ncardwell@...gle.com>, Eric Dumazet <edumazet@...gle.com>, LKML <linux-kernel@...r.kernel.org>, Netdev <netdev@...r.kernel.org>, Yuchung Cheng <ycheng@...gle.com>, Wei Wang <weiwan@...gle.com> Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections Hi Florian, On 2022/04/02 16:14, Florian Westphal wrote: > Jaco Kroon <jaco@....co.za> wrote: >> Including sysctl net.netfilter.nf_conntrack_log_invalid=6- which >> generates lots of logs, something specific I should be looking for? I >> suspect these relate: >> >> [Sat Apr 2 10:31:53 2022] nf_ct_proto_6: SEQ is over the upper bound >> (over the window of the receiver) IN= OUT=bond0 >> SRC=2c0f:f720:0000:0003:d6ae:52ff:feb8:f27b >> DST=2a00:1450:400c:0c08:0000:0000:0000:001a LEN=2928 TC=0 HOPLIMIT=64 >> FLOWLBL=867133 PROTO=TCP SPT=48920 DPT=25 SEQ=2689938314 ACK=4200412020 >> WINDOW=447 RES=0x00 ACK PSH URGP=0 OPT (0101080A2F36C1C120EDFB91) UID=8 >> GID=12 > I thought this had "liberal mode" enabled for tcp conntrack? > The above implies its off. We have liberal on the core firewalls, not on the endpoints ... yes, we do double firewall :). So the firewalls into the subnets has liberal mode (which really was an oversight when axing conntrackd), but the servers themselves do not. Kind Regards, Jaco
Powered by blists - more mailing lists