Dominique Martinet <asmad...@codewreck.org> wrote:
> Eric Dumazet wrote on Sun, Apr 15, 2018:
> > Are you sure you do not have some iptables/netfilter stuff ?
>
> I have a basic firewall setup with default rules e.g. starts with
> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> in the INPUT chain...
> That said, I just dropped it on the server to check and that seems to
> work around the issue?!
> When logging everything dropped it appears to decide that the connection
> is no longer established at some point, but only if there is
> tcp_timestamp, just, err, how?
>
> And certainly enough, if I restore the firewall while a connection is up
> that just hangs; conntrack doesn't consider it connected anymore at some
> point (but it worked for a while!)
>
> Here's the kind of logs I get from iptables:
> IN=wlp1s0 OUT= MAC=00:c2:c6:b4:7e:c7:a4:12:42:b5:5d:fc:08:00 SRC=client
> DST=server LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=17038 DF PROTO=TCP SPT=41558
> DPT=15609 WINDOW=1212 RES=0x00 ACK URGP=0
You could do echo 6 > /proc/sys/net/netfilter/nf_conntrack_log_invalid to have conntrack log when/why it thinks a packet is invalid. You can also set echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal which stops conntrack from marking packets with out-of-window ACKs as invalid. (The earlier email implies this is related to timestamps, but unfortunately, to the best of my knowledge, conntrack doesn't look at TCP timestamps.)
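A small parser for the iptables LOG records quoted above, as an added example that is not code from the thread or from netfilter. It groups the dropped packets per 5-tuple and flags flows whose drops are all mid-connection ACKs (ACK set, SYN clear), which is the symptom described in the thread: an established flow that conntrack stops matching as ESTABLISHED. The sample input is constructed: the one LOG line quoted above plus two hypothetical variants (a second pure ACK on the same flow and a SYN on port 41560) so the tally has something to group. Field names follow the LOG format shown on the page; the kernel-prefix handling assumes the record begins at the first IN= token.

```python
import re
from collections import Counter

# Constructed sample: the LOG line quoted in the thread, plus two hypothetical
# records (ID=17039 pure ACK on the same flow, ID=17040 SYN from SPT=41560).
SAMPLE_LOG = """\
[1234.5678] DROP: IN=wlp1s0 OUT= MAC=00:c2:c6:b4:7e:c7:a4:12:42:b5:5d:fc:08:00 SRC=client DST=server LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=17038 DF PROTO=TCP SPT=41558 DPT=15609 WINDOW=1212 RES=0x00 ACK URGP=0
[1234.6789] DROP: IN=wlp1s0 OUT= MAC=00:c2:c6:b4:7e:c7:a4:12:42:b5:5d:fc:08:00 SRC=client DST=server LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=17039 DF PROTO=TCP SPT=41558 DPT=15609 WINDOW=1212 RES=0x00 ACK URGP=0
[1234.7890] DROP: IN=wlp1s0 OUT= MAC=00:c2:c6:b4:7e:c7:a4:12:42:b5:5d:fc:08:00 SRC=client DST=server LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17040 DF PROTO=TCP SPT=41560 DPT=15609 WINDOW=29200 RES=0x00 SYN URGP=0
"""

INT_FIELDS = ("SPT", "DPT", "WINDOW", "LEN", "TTL", "ID")
_START = re.compile(r"\bIN=")


def parse_log_line(line):
    """Parse one iptables LOG record into a dict.

    Anything before the first IN= token (kernel timestamp, --log-prefix text)
    is discarded. KEY=VALUE tokens become entries (an empty value such as
    OUT= is kept as ""); bare tokens such as DF or the TCP flag names
    (SYN, ACK, ...) go into the 'flags' set. Returns None if no IN= is found.
    """
    m = _START.search(line)
    if m is None:
        return None
    rec = {"flags": set()}
    for tok in line[m.start():].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["flags"].add(tok)
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def flow_key(rec):
    """5-tuple used to group records belonging to one connection."""
    return (rec.get("PROTO"), rec.get("SRC"), rec.get("SPT"),
            rec.get("DST"), rec.get("DPT"))


def summarize_drops(text):
    """Count dropped packets per flow and report whether every drop on that
    flow was a mid-stream ACK (ACK set, SYN clear). A flow where that is True
    was being tracked and then stopped matching --ctstate ESTABLISHED, which
    is the case to confirm before reaching for nf_conntrack_tcp_be_liberal."""
    counts = Counter()
    all_midstream = {}
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None or "PROTO" not in rec:
            continue
        key = flow_key(rec)
        counts[key] += 1
        is_mid = "ACK" in rec["flags"] and "SYN" not in rec["flags"]
        all_midstream[key] = all_midstream.get(key, True) and is_mid
    return {k: {"dropped": n, "all_midstream_acks": all_midstream[k]}
            for k, n in counts.items()}


if __name__ == "__main__":
    for key, info in summarize_drops(SAMPLE_LOG).items():
        print(key, info)
```

Feed it the output of `journalctl -k` or `dmesg` filtered on your LOG prefix; flows reported with `all_midstream_acks: True` are the ones to look at in the nf_conntrack_log_invalid output, since a legitimately new connection would show a SYN among its drops.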