nyt:
It seems the nf_conntrack_tcp_timeout_max_retrans delay is getting applied to all established sessions with 613-netfilter_optional_tcp_window_check.patch and default value.
After setting net.netfilter.nf_conntrack_tcp_no_window_check to 0, it seems to have corrected the issue. This patch causes tcp_in_window to return prematurely before setting last_win value which is checked later in tcp_packet here: https://github.com/torvalds/linux/blob/v4.19/net/netfilter/nf_conntrack_proto_tcp.c#L1030
While it was still set to 1, you could see conntrack not functioning properly.
root@rooter:/etc/config# sysctl -a 2>/dev/null| grep conntrack | egrep 'estab|retrans'
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_established = 604800
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 36000
HTTP request made with SYN, SYN/ACK, and ACK. Connection is in conntrack table as established. Timer is using the wrong value
17:17:21.887867 IP 172.16.1.2.53996 > 172.16.50.2.80: Flags [S], seq 1559214505, win 29200, options [mss 1460,sackOK,TS val 315159335 ecr 0,nop,wscale 9], length 0
17:17:21.900018 IP 172.16.50.2.80 > 172.16.1.2.53996: Flags [S.], seq 411032185, ack 1559214506, win 28960, options [mss 1350,sackOK,TS val 2015126356 ecr 315159335,nop,wscale 9], length 0
17:17:21.900107 IP 172.16.1.2.53996 > 172.16.50.2.80: Flags [.], ack 1, win 58, options [nop,nop,TS val 315159347 ecr 2015126356], length 0
ipv4 2 tcp 6 35999 ESTABLISHED src=172.16.1.2 dst=172.16.50.2 sport=53996 dport=80 packets=2 bytes=112 src=209.51.175.21 dst=172.16.1.2 sport=80 dport=53996 packets=1 bytes=60 [ASSURED] mark=0 zone=0 use=2
Data exchanged
17:17:24.026336 IP 172.16.1.2.53996 > 172.16.50.2.80: Flags [P.], seq 1:17, ack 1, win 58, options [nop,nop,TS val 315161474 ecr 2015126356], length 16: HTTP: GET / HTTP/1.1
17:17:24.037214 IP 172.16.50.2.80 > 172.16.1.2.53996: Flags [.], ack 17, win 57, options [nop,nop,TS val 2015128493 ecr 315161474], length 0
Timer still set to the wrong value.
ipv4 2 tcp 6 35999 ESTABLISHED src=172.16.1.2 dst=172.16.50.2 sport=53996 dport=80 packets=3 bytes=180 src=172.16.50.2 dst=172.16.1.2 sport=80 dport=53996 packets=2 bytes=112 [ASSURED] mark=0 zone=0 use=2
This patch to the patch resolves the issue. It adds another check for the sysctl value in tcp_packet()
git diff master ./target/linux/generic/pending-4.19/613-netfilter_optional_tcp_window_check.patch
diff --git a/target/linux/generic/pending-4.19/613-netfilter_optional_tcp_window_check.patch b/target/linux/generic/pending-4.19/613-netfilter_optional_tcp_window_check.patch
index aa53309394..d5f3fb6574 100644
--- a/target/linux/generic/pending-4.19/613-netfilter_optional_tcp_window_check.patch
+++ b/target/linux/generic/pending-4.19/613-netfilter_optional_tcp_window_check.patch
@@ -18,7 +18,7 @@ Signed-off-by: Felix Fietkau nbd@nbd.name
/* "Be conservative in what you do,
be liberal in what you accept from others."
If it's non-zero, we mark only out of window RST segments as INVALID. */
-@@ -483,6 +486,9 @@ static bool tcp_in_window(const struct n
+@@ -483,6 +486,9 @@
s32 receiver_offset;
bool res, in_recv_win;
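Review bot: the only change in this hunk drops the function context `static bool tcp_in_window(const struct n` from the nested `@@ -483,6 +486,9 @@` header. That text after the second `@@` is ignored when the patch is applied, so it has no effect on whether 613 applies, but it removes a reading aid for the next person editing the file; keeping the function name in the nested header would make this diff smaller and the patch easier to review.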
@@ -28,7 +28,16 @@ Signed-off-by: Felix Fietkau nbd@nbd.name
/*
* Get the required data from the packet.
*/
-@@ -1506,6 +1512,13 @@ static struct ctl_table tcp_sysctl_table
+@@ -1057,7 +1063,7 @@
+- else if (ct->proto.tcp.last_win == 0 &&
++ else if (nf_ct_tcp_no_window_check == 0 && ct->proto.tcp.last_win == 0 &&
+@@ -1506,6 +1512,13 @@
.mode = 0644,
.proc_handler = proc_dointvec,
},
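Review bot: the new `nf_ct_tcp_no_window_check == 0 &&` guard in the nested `@@ -1057,7 +1063,7 @@` hunk disables the `last_win == 0` timeout branch entirely whenever the window check is switched off, instead of fixing the cause named in the report (tcp_in_window returning before `last_win` is recorded); recording `last_win` before the early return in tcp_in_window would keep that branch meaningful in both modes and would not need a second copy of the sysctl test in tcp_packet(). Separately, the outer header grows the region from 7 to 16 lines but only four added lines are visible here, and a one-line nested change needs its context lines on each side to apply, so confirm the refreshed patch file still applies cleanly on a clean tree before sending it. The `+@@ -1506,6 +1512,13 @@` line also drops the `static struct ctl_table tcp_sysctl_table` context, same remark as on the first hunk.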
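As an added check for spotting the symptom described above on a running box (not part of the issue or of OpenWrt): the script below flags ESTABLISHED conntrack entries whose timer already sits at or below the max_retrans timeout right after the handshake. The sample entries are constructed from the two lines quoted in the report, and the 10-packet bound used to separate new flows from legitimately aged ones is an assumed heuristic.

```shell
#!/bin/sh
# Added example, not from the issue or from OpenWrt: scan conntrack entries for
# ESTABLISHED TCP flows whose remaining timer is already at or below
# nf_conntrack_tcp_timeout_max_retrans. With the last_win problem described in
# the report, a just-completed handshake shows a timer of ~36000 instead of the
# established timeout (604800), which this check makes visible on a live box.

# Constructed sample in /proc/net/nf_conntrack layout, modelled on the two
# entries quoted in the issue plus two healthy flows for contrast.
SAMPLE_CT='ipv4     2 tcp      6 35999 ESTABLISHED src=172.16.1.2 dst=172.16.50.2 sport=53996 dport=80 packets=2 bytes=112 src=172.16.50.2 dst=172.16.1.2 sport=80 dport=53996 packets=1 bytes=60 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 604790 ESTABLISHED src=172.16.1.2 dst=172.16.50.2 sport=54010 dport=443 packets=5 bytes=640 src=172.16.50.2 dst=172.16.1.2 sport=443 dport=54010 packets=4 bytes=3120 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 20000 ESTABLISHED src=172.16.1.2 dst=172.16.50.2 sport=54015 dport=22 packets=900 bytes=90000 src=172.16.50.2 dst=172.16.1.2 sport=22 dport=54015 packets=800 bytes=70000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=172.16.1.2 dst=172.16.50.2 sport=54020 dport=80 packets=6 bytes=700 src=172.16.50.2 dst=172.16.1.2 sport=80 dport=54020 packets=5 bytes=800 [ASSURED] mark=0 zone=0 use=2'

# list_suspicious_established MAX_RETRANS_TIMEOUT [MAX_PACKETS]
# Reads conntrack lines on stdin (both the /proc/net/nf_conntrack and the
# "conntrack -L" layouts) and prints each ESTABLISHED TCP entry whose timer is
# <= MAX_RETRANS_TIMEOUT and which has seen at most MAX_PACKETS packets in
# total. The packet bound (default 10, an assumed heuristic) keeps long-lived
# flows that legitimately aged down from the established timeout out of the report.
list_suspicious_established() {
    awk -v max_retrans="$1" -v max_packets="${2:-10}" '
    {
        p = 0
        for (i = 1; i <= NF; i++) if ($i == "tcp") { p = i; break }
        if (!p) next                      # not a TCP entry
        timer = $(p + 2) + 0              # seconds left on the entry
        state = $(p + 3)
        if (state != "ESTABLISHED" || timer > max_retrans + 0) next
        pk = 0                            # packets seen in both directions
        for (i = p + 4; i <= NF; i++)
            if ($i ~ /^packets=/) { split($i, a, "="); pk += a[2] }
        if (pk <= max_packets + 0)
            print "timer=" timer, $(p + 4), $(p + 5), $(p + 6), $(p + 7), "packets=" pk
    }'
}

# count_suspicious_established MAX_RETRANS_TIMEOUT [MAX_PACKETS]
# Same input; prints only the number of flagged entries.
count_suspicious_established() {
    list_suspicious_established "$@" | awk 'END { print NR }'
}

# Demonstration on the constructed sample, using the 36000 s value from the
# report. On a router: list_suspicious_established \
#   "$(sysctl -n net.netfilter.nf_conntrack_tcp_timeout_max_retrans)" < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CT" | list_suspicious_established 36000
```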