From: Jaco Kroon
Organization: Ultimate Linux Solutions (Pty) Ltd
Date: Fri, 1 Apr 2022 02:33:25 +0200
Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections
To: Eric Dumazet
Cc: Neal Cardwell, LKML, Netdev, Yuchung Cheng
Message-ID: <4b4ff443-f8a9-26a8-8342-ae78b999335b@uls.co.za>
References: <10c1e561-8f01-784f-c4f4-a7c551de0644@uls.co.za> <5f1bbeb2-efe4-0b10-bc76-37eff30ea905@uls.co.za>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On 2022/04/01 02:10, Eric Dumazet wrote:
> On Thu, Mar 31, 2022 at 4:06 PM Jaco Kroon wrote:
>> Hi Neal,
>>
>> This sniff was grabbed ON THE CLIENT HOST. There is no middlebox or
>> anything between the sniffer and the client. Only the firewall on the
>> host itself, where we've already established the traffic is NOT DISCARDED
>> (at least not in filter/INPUT).
>>
>> Setup on our end:
>>
>> 2 x routers, usually each with a direct peering with Google (which is
>> being ignored at the moment so instead traffic is incoming via IPT over DD).
>>
>> Connected via switch to
>>
>> 2 x firewalls, of which ONE is active (they have different networks
>> behind them, and could be active / standby for different networks behind
>> them - avoiding active-active because conntrackd is causing more trouble
>> than it's worth), Linux hosts, using netfilter, have been operating for
>> years, no recent kernel upgrades.
> Next step would be to attempt removing _all_ firewalls, especially not
> common setups like yours.

That I'm afraid is not going to happen here.  I can't imagine what we're
doing is that uncommon.  On the host basically for INPUT drop invalid,
ACCEPT related established, accept specific ports, drop everything else.
Other than the redirects in NAT there really isn't anything "funny".

> conntrack had a bug preventing TFO deployment for a while, because
> many boxes kept buggy kernel versions for years.

We don't use conntrackd, we tried many years back, but eventually we just
ended up using ucarp with /32s on the interfaces and whatever subnet is
required for the floating IP itself, combined with OSPF to sort out the
routing, that way we get to avoid asymmetric routing and the need for
conntrackd.  The core firewalls basically on FORWARD do some directing
based on ingress and/or egress interface to determine the ruleset to apply,
again with INVALID and RELATED,ESTABLISHED rules at the head.

> 356d7d88e088687b6578ca64601b0a2c9d145296 netfilter: nf_conntrack: fix
> tcp_in_window for Fast Open

This is from Aug 9, 2013 ... our firewall's kernel isn't that old :).
Again, the traffic was sniffed on the client side of that firewall, and
the only firewall between the sniffer and the processing part of the
kernel is the local netfilter.

I'll deploy same on a dev host we've got in the coming week and start a
bisect process.

Kind Regards,
Jaco
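The INPUT policy Jaco describes (drop INVALID, accept RELATED/ESTABLISHED, accept specific ports, drop everything else) is easy to state and easy to get subtly wrong, and the thread's open question is whether conntrack is the thing discarding the traffic. The script below is an added example, not code from the thread or from Ultimate Linux Solutions' firewalls: it emits that ruleset in iptables-restore format, puts a rate-limited LOG rule in front of the INVALID drop so the per-rule counters and syslog answer "is conntrack marking these packets INVALID?" directly, and lists the host-side checks a practitioner would run while a connection is stalled. The port list, the loopback accept and the log prefix are assumptions made for the example; nothing is applied unless APPLY=1 is set by root.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for the INPUT policy described in
# the mail, plus diagnostics for "is conntrack rejecting this flow?".
# Port list, loopback rule and log prefix are assumptions, not from the thread.

# TCP ports accepted for NEW connections (assumed values).
ALLOWED_TCP_PORTS="22 80 443"

# Emit the ruleset in iptables-restore format. Nothing is applied here.
build_input_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # "drop everything else" as policy
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'   # assumed: local traffic
    # Log (rate-limited) before dropping, so counters and syslog show
    # whether conntrack window tracking marked the packets INVALID.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -m limit --limit 10/min -j LOG --log-prefix "ct-invalid: "'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of per-port ACCEPT rules emitted; a cheap sanity check that the
# generated ruleset matches the configured port list.
count_port_rules() {
    build_input_rules | grep -c -- '--dport'
}

# Number of rules that match ctstate INVALID (expected: the LOG and the DROP).
count_invalid_rules() {
    build_input_rules | grep -c 'ctstate INVALID'
}

# Host-side checks to run while a connection is stalled. Printed, not run,
# so the script itself needs no privileges.
show_checks() {
    cat <<'EOF'
# per-rule packet/byte counters: watch the "ctstate INVALID" DROP line move
iptables -L INPUT -v -n -x
# conntrack statistics (conntrack-tools); includes a per-CPU "invalid" counter
conntrack -S
# 1 = conntrack stops treating out-of-window TCP as INVALID; a diagnostic
# toggle to confirm or rule out window tracking, not a permanent setting
sysctl net.netfilter.nf_conntrack_tcp_be_liberal
EOF
}

# Apply only on explicit request; otherwise print the ruleset and the checks.
if [ "${APPLY:-0}" = "1" ]; then
    build_input_rules | iptables-restore
else
    build_input_rules
    show_checks
fi
```

Run it without arguments to review the generated ruleset and the check list; `APPLY=1 sh ruleset.sh` as root loads it. If the INVALID counters climb while a flow stalls, the local netfilter is the discarding party after all; if they stay flat (and `nf_conntrack_tcp_be_liberal=1` changes nothing), the firewall is ruled out and the stall lies in the TCP stack, which is the direction the bisect in the mail takes.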