From: Neal Cardwell
Date: Sat, 2 Apr 2022 11:57:36 -0400
Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections
To: Florian Westphal
Cc: Jaco Kroon, Eric Dumazet, LKML, Netdev, Yuchung Cheng, Wei Wang

On Sat, Apr 2, 2022 at 10:14 AM Florian Westphal wrote:
>
> Jaco Kroon wrote:
> > Including sysctl net.netfilter.nf_conntrack_log_invalid=6- which
> > generates lots of logs, something specific I should be looking for? I
> > suspect these relate:
> >
> > [Sat Apr 2 10:31:53 2022] nf_ct_proto_6: SEQ is over the upper bound
> > (over the window of the receiver) IN= OUT=bond0
> > SRC=2c0f:f720:0000:0003:d6ae:52ff:feb8:f27b
> > DST=2a00:1450:400c:0c08:0000:0000:0000:001a LEN=2928 TC=0 HOPLIMIT=64
> > FLOWLBL=867133 PROTO=TCP SPT=48920 DPT=25 SEQ=2689938314 ACK=4200412020
> > WINDOW=447 RES=0x00 ACK PSH URGP=0 OPT (0101080A2F36C1C120EDFB91) UID=8
> > GID=12
>
> I thought this had "liberal mode" enabled for tcp conntrack?
> The above implies it's off.

Jaco's email said: "Our core firewalls already had
nf_conntrack_tcp_be_liberal". But this log is from the client machine
itself, not the core firewall machines. AFAICT it seems the client
machine does not have "liberal mode" enabled.

neal
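
Added example, not part of the original message: a Python sketch that parses the conntrack log line quoted above and checks the two things the reply turns on, whether the line was logged on the host that sent the packet and whether that host has liberal mode set. The function names and the `locally_generated` heuristic (empty `IN=`, non-empty `OUT=`, a `UID=` socket owner) are assumptions of this example.

```python
import re
import struct

# Log line copied from the quoted message, unwrapped onto one line.
LOG = ("nf_ct_proto_6: SEQ is over the upper bound (over the window of the receiver) "
       "IN= OUT=bond0 SRC=2c0f:f720:0000:0003:d6ae:52ff:feb8:f27b "
       "DST=2a00:1450:400c:0c08:0000:0000:0000:001a LEN=2928 TC=0 HOPLIMIT=64 "
       "FLOWLBL=867133 PROTO=TCP SPT=48920 DPT=25 SEQ=2689938314 ACK=4200412020 "
       "WINDOW=447 RES=0x00 ACK PSH URGP=0 OPT (0101080A2F36C1C120EDFB91) UID=8 GID=12")

def parse_fields(line):
    """KEY=VALUE pairs from a netfilter log line; 'IN=' yields ''."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))

def locally_generated(fields):
    """Assumed heuristic: no input device, an output device and a socket owner."""
    return fields.get("IN") == "" and bool(fields.get("OUT")) and "UID" in fields

def tcp_options(line):
    """Decode the hex dump in 'OPT (...)' into (name, values...) tuples."""
    m = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)
    raw = bytes.fromhex(m.group(1)) if m else b""
    opts, i = [], 0
    while i < len(raw) and raw[i] != 0:          # kind 0 = end of option list
        if raw[i] == 1:                          # kind 1 = NOP, no length byte
            opts.append(("NOP",))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            break                                # truncated or malformed option
        kind, length = raw[i], raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 8 and length == 10:           # timestamps: TSval, TSecr
            opts.append(("TS",) + struct.unpack("!II", body))
        else:
            opts.append((kind, body.hex()))
        i += length
    return opts

def be_liberal(path="/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal"):
    """Value of the liberal-mode sysctl on this host, or None if unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    print(locally_generated(parse_fields(LOG)), tcp_options(LOG), be_liberal())
```

Run `be_liberal()` on the machine that produced the log line, since the sysctl is per host (and per network namespace) and the setting on the core firewalls does not apply to it.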