Re: window tracking firewall involved, was: Re: preliminary conclusions regarding window size issues

["David S. Miller" <davem@xxxxxxxxxx>]

On Thu, 8 Jul 2004 08:37:00 +0200
bert hubert <ahu@xxxxxxx> wrote:

> On Thu, Jul 08, 2004 at 08:03:26AM +0200, bert hubert wrote:
> 
> [ theory that a window tracking firewall drops packets for which it thinks
>   the intended recipient has no room, as they are larger than the window size
>   it sees, where it neglects to scale that window size ]
> 
> > We could verify this assumption by checking if lowering the MTU to say 700
> > allows wscale=3 to work. 
> 
> This has now been confirmed with the packages.gentoo.org firewall!

It's the netfilter patches added to the gentoo WOLK kernel running
on packages.gentoo.org

Specifically, it's the tcp-window-tracking patch from netfilter's
patch-o-matic.  There's some bug in there wrt. it's window scaling
support.

I bet if the tcp-window-scaling diff is removed from the kernel running
there, the problem will totally go away.

I note that it is using a very old version of the tcp-window-tracking
patch, the current version is 2.2 and probably fixes this bug.  The
gentoo linux-2.4.20-wolk-4.14 kernel is using version 1.7