
FS#2253 - 4.19 Netfilter/Conntrack issues with 613-netfilter_optional_tcp_window_check.patch #7142

Closed
openwrt-bot opened this issue Apr 24, 2019 · 1 comment
@openwrt-bot

nyt:

It seems the nf_conntrack_tcp_timeout_max_retrans delay is getting applied to all established sessions with 613-netfilter_optional_tcp_window_check.patch and default value.

After setting net.netfilter.nf_conntrack_tcp_no_window_check to 0, it seems to have corrected the issue. This patch causes tcp_in_window to return prematurely before setting last_win value which is checked later in tcp_packet here: https://github.com/torvalds/linux/blob/v4.19/net/netfilter/nf_conntrack_proto_tcp.c#L1030

While it was still set to 1, you could see conntrack not functioning properly.

root@rooter:/etc/config# sysctl -a 2>/dev/null| grep conntrack | egrep 'estab|retrans'
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_established = 604800
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 36000

HTTP request made with SYN, SYN/ACK, and ACK. Connection is in conntrack table as established. Timer is using the wrong value.

17:17:21.887867 IP 172.16.1.2.53996 > 172.16.50.2.80: Flags [S], seq 1559214505, win 29200, options [mss 1460,sackOK,TS val 315159335 ecr 0,nop,wscale 9], length 0
17:17:21.900018 IP 172.16.50.2.80 > 172.16.1.2.53996: Flags [S.], seq 411032185, ack 1559214506, win 28960, options [mss 1350,sackOK,TS val 2015126356 ecr 315159335,nop,wscale 9], length 0
17:17:21.900107 IP 172.16.1.2.53996 > 172.16.50.2.80: Flags [.], ack 1, win 58, options [nop,nop,TS val 315159347 ecr 2015126356], length 0

ipv4 2 tcp 6 35999 ESTABLISHED src=172.16.1.2 dst=172.16.50.2 sport=53996 dport=80 packets=2 bytes=112 src=209.51.175.21 dst=172.16.1.2 sport=80 dport=53996 packets=1 bytes=60 [ASSURED] mark=0 zone=0 use=2

Data exchanged

17:17:24.026336 IP 172.16.1.2.53996 > 172.16.50.2.80: Flags [P.], seq 1:17, ack 1, win 58, options [nop,nop,TS val 315161474 ecr 2015126356], length 16: HTTP: GET / HTTP/1.1
17:17:24.037214 IP 172.16.50.2.80 > 172.16.1.2.53996: Flags [.], ack 17, win 57, options [nop,nop,TS val 2015128493 ecr 315161474], length 0

Timer still set to the wrong value.

ipv4 2 tcp 6 35999 ESTABLISHED src=172.16.1.2 dst=172.16.50.2 sport=53996 dport=80 packets=3 bytes=180 src=172.16.50.2 dst=172.16.1.2 sport=80 dport=53996 packets=2 bytes=112 [ASSURED] mark=0 zone=0 use=2

This patch to the patch resolves the issue. It adds another check for the sysctl value in tcp_packet().

git diff master ./target/linux/generic/pending-4.19/613-netfilter_optional_tcp_window_check.patch
diff --git a/target/linux/generic/pending-4.19/613-netfilter_optional_tcp_window_check.patch b/target/linux/generic/pending-4.19/613-netfilter_optional_tcp_window_check.patch
index aa53309394..d5f3fb6574 100644
--- a/target/linux/generic/pending-4.19/613-netfilter_optional_tcp_window_check.patch
+++ b/target/linux/generic/pending-4.19/613-netfilter_optional_tcp_window_check.patch
@@ -18,7 +18,7 @@ Signed-off-by: Felix Fietkau nbd@nbd.name
/* "Be conservative in what you do,
be liberal in what you accept from others."
If it's non-zero, we mark only out of window RST segments as INVALID. */
-@@ -483,6 +486,9 @@ static bool tcp_in_window(const struct n
+@@ -483,6 +486,9 @@
s32 receiver_offset;
bool res, in_recv_win;

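Review bot: the only change in this hunk is dropping the trailing function context `static bool tcp_in_window(const struct n` from the inner `@@ -483,6 +486,9 @@` header; that does not change how the patch applies, but it makes the patch file harder to read and adds noise unrelated to the functional fix. Keep the header as `@@ -483,6 +486,9 @@ static bool tcp_in_window(const struct n` so the diff is limited to the tcp_packet() change.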
@@ -28,7 +28,16 @@ Signed-off-by: Felix Fietkau nbd@nbd.name
/*
* Get the required data from the packet.
*/
-@@ -1506,6 +1512,13 @@ static struct ctl_table tcp_sysctl_table
+@@ -1057,7 +1063,7 @@

  •            IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
    
  •            timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
    
  •           timeout = timeouts[TCP_CONNTRACK_UNACK];
    

+- else if (ct->proto.tcp.last_win == 0 &&
++ else if (nf_ct_tcp_no_window_check == 0 && ct->proto.tcp.last_win == 0 &&

  •            timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
    
  •           timeout = timeouts[TCP_CONNTRACK_RETRANS];
    
  •   else
    

+@@ -1506,6 +1512,13 @@
.mode = 0644,
.proc_handler = proc_dointvec,
},

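As an added check that is not part of the report or of OpenWrt, the script below parses conntrack dump lines in the /proc/net/nf_conntrack format shown above and flags ESTABLISHED [ASSURED] TCP flows whose timer already sits at or below nf_conntrack_tcp_timeout_max_retrans, the pattern the report observed (35999 instead of a value near 604800). The sample entries and the 10.0.0.x flows are constructed; the sysctl values are the ones quoted in the report.

```python
import re
from dataclasses import dataclass

# Sysctl values quoted in the report (seconds).
TIMEOUT_ESTABLISHED = 604800
TIMEOUT_MAX_RETRANS = 36000

# Constructed sample in /proc/net/nf_conntrack format: a fresh flow stuck on the
# retrans timer (as in the report), a healthy established flow, a half-open flow.
SAMPLE_CONNTRACK = """\
ipv4 2 tcp 6 35999 ESTABLISHED src=172.16.1.2 dst=172.16.50.2 sport=53996 dport=80 packets=3 bytes=180 src=172.16.50.2 dst=172.16.1.2 sport=80 dport=53996 packets=2 bytes=112 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40000 dport=443 packets=10 bytes=2000 src=10.0.0.9 dst=10.0.0.5 sport=443 dport=40000 packets=9 bytes=5000 [ASSURED] mark=0 zone=0 use=1
ipv4 2 tcp 6 118 SYN_SENT src=10.0.0.5 dst=10.0.0.7 sport=40001 dport=22 packets=1 bytes=60 [UNREPLIED] src=10.0.0.7 dst=10.0.0.5 sport=22 dport=40001 packets=0 bytes=0 mark=0 zone=0 use=1
"""

# Fields before the first tuple are fixed: l3 name, l3 number, "tcp", 6, timer, state.
LINE_RE = re.compile(
    r"^ipv[46]\s+\d+\s+tcp\s+6\s+(?P<timeout>\d+)\s+(?P<state>\S+)\s+"
    r"src=\S+\s+dst=\S+\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

@dataclass
class Entry:
    timeout: int   # seconds left on the conntrack timer
    state: str     # TCP conntrack state, e.g. ESTABLISHED
    sport: int
    dport: int
    assured: bool  # [ASSURED] flag present

def parse_entries(text: str) -> list[Entry]:
    """Parse the TCP lines of a conntrack dump; other protocols are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(int(m["timeout"]), m["state"], int(m["sport"]),
                                 int(m["dport"]), "[ASSURED]" in line))
    return entries

def suspect_entries(entries, established=TIMEOUT_ESTABLISHED, max_retrans=TIMEOUT_MAX_RETRANS):
    """ASSURED ESTABLISHED flows whose timer already sits at or below the retrans
    timeout, which a fresh, traffic-carrying flow should never show."""
    return [e for e in entries
            if e.state == "ESTABLISHED" and e.assured and e.timeout <= max_retrans < established]

def affected_ratio(entries, established=TIMEOUT_ESTABLISHED, max_retrans=TIMEOUT_MAX_RETRANS):
    """Share of ASSURED ESTABLISHED flows on the short timer; near 1.0 means the
    retrans timeout is hitting every flow, as in the report."""
    est = [e for e in entries if e.state == "ESTABLISHED" and e.assured]
    return len(suspect_entries(est, established, max_retrans)) / len(est) if est else 0.0
```

A single flagged flow can be legitimate (a long-idle connection near expiry, or one that is genuinely retransmitting); the signal for this bug is a high ratio across flows that have just carried traffic.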
@openwrt-bot

nbd:

Fixed in r9909-9af2735734, sorry for the delay
