Re: Dropped packets logged which should be accepted by Conntrack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


The logs are consistent with the problem of manipulating the MSS and the PMTU.

The packets are the out-of-band transmission of segments of data that
can not fit in a single tcp packet.

The TCP_NODELAY option is available beginning the Linux kernel 2.5.71.
That option forces the transmition of packet with small amount of
data.

Jorge Dávila.

El día 16 de noviembre de 2011 06:07, John A. Sullivan III
<jsullivan@xxxxxxxxxxxxxxxxxxx> escribió:
> On Tue, 2011-11-15 at 10:20 -0600, Jorge Dávila wrote:
>> John,
>>
>> The particular thing I see in the logs is they shows the flag DF
>> (Don't Fragment).
>>
>> My first guess is the TCPMSS rule is the responsible for generating the logs.
>>
>> Maybe adjusting the mtu for the interfaces will solve the problem.
>>
>> Jorge.
> <snip>
> Thanks, Jorge.  However, the packets are quite small and should not be
> having a problem with DF.  I thought, perhaps, they were RSTs and maybe
> those were not considered RELATED but that is not always the case:
>
> No Match: IN=bond4 OUT=bond3 SRC=172.x.y.34 DST=187.15.198.127 LEN=117
> TOS=0x00 PREC=0x00 TTL=63 ID=20811 DF PROTO=TCP SPT=25 DPT=2307
> WINDOW=5840 RES=0x00 ACK PSH URGP=0
>
> No Match: IN=bond4 OUT=bond3 SRC=172.x.y.34 DST=180.252.147.149 LEN=55
> TOS=0x00 PREC=0x00 TTL=63 ID=60912 DF PROTO=TCP SPT=25 DPT=19445
> WINDOW=5840 RES=0x00 ACK PSH URGP=0
>
> Here are two examples of packets being logged from our public SMTP
> gateway with tiny packet sizes and no unusual flags.
>
> Any other ideas, anyone, of why we would be seeing these logs when we
> would suspect these packets should be ACCEPTed at the very beginning of
> the FORWARD chain with a -m state --state RELATED,ESTABLISHED -j ACCEPT
> rule? Thanks - John
>
>



-- 
Jorge Isaac Dávila López
+505 8430 5462
jorgedavilalopez@xxxxxxxxx
---
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Linux Netfilter Development]     [Linux Kernel Networking Development]     [Linux Networking Development]     [Linux Kernel Development]     [Linux Resources]     [LARTC]     [Bugtraq]     [Consulting]     [Free Internet Dating]     [Yosemite Forum]     [Photo]

Add to Google Powered by Linux