Received: with ECARTIS (v1.0.0; list netdev); Thu, 08 Jul 2004 08:37:51 -0700 (PDT) Received: from mx1.redhat.com (mx1.redhat.com [66.187.233.31]) by oss.sgi.com (8.12.10/8.12.9) with SMTP id i68Fbigi031832 for ; Thu, 8 Jul 2004 08:37:45 -0700 Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.12.10/8.12.10) with ESMTP id i68FbLe1008565; Thu, 8 Jul 2004 11:37:21 -0400 Received: from devserv.devel.redhat.com (devserv.devel.redhat.com [172.16.58.1]) by int-mx1.corp.redhat.com (8.11.6/8.11.6) with ESMTP id i68FbL026937; Thu, 8 Jul 2004 11:37:21 -0400 Received: from cheetah.davemloft.net (localhost.localdomain [127.0.0.1]) by devserv.devel.redhat.com (8.12.11/8.12.10) with SMTP id i68FaodJ030203; Thu, 8 Jul 2004 11:36:51 -0400 Date: Thu, 8 Jul 2004 08:37:08 -0700 From: "David S. Miller" To: bert hubert Cc: jamie@shareable.org, shemminger@osdl.org, netdev@oss.sgi.com, linux-net@vger.kernel.org, linux-kernel@vger.kernel.org, ALESSANDRO.SUARDI@ORACLE.COM Subject: Re: window tracking firewall involved, was: Re: preliminary conclusions regarding window size issues Message-Id: <20040708083708.5f63bc71.davem@redhat.com> In-Reply-To: <20040708063700.GA23496@outpost.ds9a.nl> References: <20040707232757.GA14471@outpost.ds9a.nl> <20040708014443.GE17266@mail.shareable.org> <20040708060326.GA22258@outpost.ds9a.nl> <20040708063700.GA23496@outpost.ds9a.nl> X-Mailer: Sylpheed version 0.9.12 (GTK+ 1.2.10; sparc-unknown-linux-gnu) X-Face: "_;p5u5aPsO,_Vsx"^v-pEq09'CU4&Dc1$fQExov$62l60cgCc%FnIwD=.UF^a>?5'9Kn[;433QFVV9M..2eN.@4ZWPGbdi<=?[:T>y?SD(R*-3It"Vj:)"dP Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-archive-position: 6807 X-ecartis-version: Ecartis v1.0.0 Sender: netdev-bounce@oss.sgi.com Errors-to: netdev-bounce@oss.sgi.com X-original-sender: davem@redhat.com Precedence: bulk X-list: netdev Content-Length: 1079 Lines: 27 On Thu, 8 Jul 2004 08:37:00 +0200 bert hubert wrote: > On Thu, Jul 08, 2004 at 08:03:26AM +0200, bert hubert wrote: > > [ theory that a window tracking firewall drops packets for which it thinks > the intended recipient has no room, as they are larger than the window size > it sees, where it neglects to scale that window size ] > > > We could verify this assumption by checking if lowering the MTU to say 700 > > allows wscale=3 to work. > > This has now been confirmed with the packages.gentoo.org firewall! It's the netfilter patches added to the gentoo WOLK kernel running on packages.gentoo.org Specifically, it's the tcp-window-tracking patch from netfilter's patch-o-matic. There's some bug in there wrt. it's window scaling support. I bet if the tcp-window-scaling diff is removed from the kernel running there, the problem will totally go away. I note that it is using a very old version of the tcp-window-tracking patch, the current version is 2.2 and probably fixes this bug. The gentoo linux-2.4.20-wolk-4.14 kernel is using version 1.7