Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 309218 Details for
Bug 448328
ssh connection hangs when running command producing large text output after running "service iptables restart"
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
proposed patch for RHEL5
proposed.patch (text/plain), 7.86 KB, created by
Anton Arapov
on 2008-06-13 14:35:53 UTC
(
hide
)
Description:
proposed patch for RHEL5
Filename:
MIME Type:
Creator:
Anton Arapov
Created:
2008-06-13 14:35:53 UTC
Size:
7.86 KB
patch
obsolete
> include/linux/netfilter/nf_conntrack_tcp.h | 4 ++- > net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 42 ++++++++++---------------- > net/netfilter/nf_conntrack_proto_tcp.c | 40 +++++++++---------------- > 3 files changed, 34 insertions(+), 52 deletions(-) > >diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h >index b2feeff..ba45019 100644 >--- a/include/linux/netfilter/nf_conntrack_tcp.h >+++ b/include/linux/netfilter/nf_conntrack_tcp.h >@@ -2,6 +2,9 @@ > #define _NF_CONNTRACK_TCP_H > /* TCP tracking. */ > >+/* Be liberal in window checking */ >+#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08 >+ > /* This is exposed to userspace (ctnetlink) */ > enum tcp_conntrack { > TCP_CONNTRACK_NONE, >diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c >index fb920e7..2cec6ce 100644 >--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c >+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c >@@ -50,12 +50,9 @@ static DEFINE_RWLOCK(tcp_lock); > If it's non-zero, we mark only out of window RST segments as INVALID. */ > int ip_ct_tcp_be_liberal = 0; > >-/* When connection is picked up from the middle, how many packets are required >- to pass in each direction when we assume we are in sync - if any side uses >- window scaling, we lost the game. >- If it is set to zero, we disable picking up already established >+/* If it is set to zero, we disable picking up already established > connections. */ >-int ip_ct_tcp_loose = 3; >+int ip_ct_tcp_loose = 1; > > /* Max number of the retransmitted packets without receiving an (acceptable) > ACK from the destination. If this number is reached, a shorter timer >@@ -693,12 +690,10 @@ static int tcp_in_window(struct ip_ct_tcp *state, > after(end, sender->td_end - receiver->td_maxwin - 1), > before(sack, receiver->td_end + 1), > after(ack, receiver->td_end - MAXACKWINDOW(sender))); >- >- if (sender->loose || receiver->loose || >- (before(seq, sender->td_maxend + 1) && >- after(end, sender->td_end - receiver->td_maxwin - 1) && >- before(sack, receiver->td_end + 1) && >- after(ack, receiver->td_end - MAXACKWINDOW(sender)))) { >+ if (before(seq, sender->td_maxend + 1) && >+ after(end, sender->td_end - receiver->td_maxwin - 1) && >+ before(sack, receiver->td_end + 1) && >+ after(ack, receiver->td_end - MAXACKWINDOW(sender))) { > /* > * Take into account window scaling (RFC 1323). > */ >@@ -741,15 +736,13 @@ static int tcp_in_window(struct ip_ct_tcp *state, > state->retrans = 0; > } > } >- /* >- * Close the window of disabled window tracking :-) >- */ >- if (sender->loose) >- sender->loose--; >- > res = 1; > } else { >- if (LOG_INVALID(IPPROTO_TCP)) >+ res = 0; >+ if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL || >+ ip_ct_tcp_be_liberal) >+ res = 1; >+ if (!res && LOG_INVALID(IPPROTO_TCP)) > nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, > "ip_ct_tcp: %s ", > before(seq, sender->td_maxend + 1) ? >@@ -760,8 +753,6 @@ static int tcp_in_window(struct ip_ct_tcp *state, > : "ACK is over the upper bound (ACKed data not seen yet)" > : "SEQ is under the lower bound (already ACKed data retransmitted)" > : "SEQ is over the upper bound (over the window of the receiver)"); >- >- res = ip_ct_tcp_be_liberal; > } > > DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u " >@@ -1104,8 +1095,6 @@ static int tcp_new(struct ip_conntrack *conntrack, > > tcp_options(skb, iph, th, &conntrack->proto.tcp.seen[0]); > conntrack->proto.tcp.seen[1].flags = 0; >- conntrack->proto.tcp.seen[0].loose = >- conntrack->proto.tcp.seen[1].loose = 0; > } else if (ip_ct_tcp_loose == 0) { > /* Don't try to pick up connections. */ > return 0; >@@ -1126,11 +1115,12 @@ static int tcp_new(struct ip_conntrack *conntrack, > conntrack->proto.tcp.seen[0].td_maxwin; > conntrack->proto.tcp.seen[0].td_scale = 0; > >- /* We assume SACK. Should we assume window scaling too? */ >+ /* We assume SACK and liberal window checking to handle >+ * window scaling */ > conntrack->proto.tcp.seen[0].flags = >- conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM; >- conntrack->proto.tcp.seen[0].loose = >- conntrack->proto.tcp.seen[1].loose = ip_ct_tcp_loose; >+ conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | >+ IP_CT_TCP_FLAG_BE_LIBERAL; >+ > } > > conntrack->proto.tcp.seen[1].td_end = 0; >diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c >index af8adcb..10a57e6 100644 >--- a/net/netfilter/nf_conntrack_proto_tcp.c >+++ b/net/netfilter/nf_conntrack_proto_tcp.c >@@ -59,12 +59,9 @@ static DEFINE_RWLOCK(tcp_lock); > If it's non-zero, we mark only out of window RST segments as INVALID. */ > int nf_ct_tcp_be_liberal = 0; > >-/* When connection is picked up from the middle, how many packets are required >- to pass in each direction when we assume we are in sync - if any side uses >- window scaling, we lost the game. >- If it is set to zero, we disable picking up already established >+/* If it is set to zero, we disable picking up already established > connections. */ >-int nf_ct_tcp_loose = 3; >+int nf_ct_tcp_loose = 1; > > /* Max number of the retransmitted packets without receiving an (acceptable) > ACK from the destination. If this number is reached, a shorter timer >@@ -651,11 +648,10 @@ static int tcp_in_window(struct ip_ct_tcp *state, > before(sack, receiver->td_end + 1), > after(ack, receiver->td_end - MAXACKWINDOW(sender))); > >- if (sender->loose || receiver->loose || >- (before(seq, sender->td_maxend + 1) && >- after(end, sender->td_end - receiver->td_maxwin - 1) && >- before(sack, receiver->td_end + 1) && >- after(ack, receiver->td_end - MAXACKWINDOW(sender)))) { >+ if (before(seq, sender->td_maxend + 1) && >+ after(end, sender->td_end - receiver->td_maxwin - 1) && >+ before(sack, receiver->td_end + 1) && >+ after(ack, receiver->td_end - MAXACKWINDOW(sender))) { > /* > * Take into account window scaling (RFC 1323). > */ >@@ -698,15 +694,13 @@ static int tcp_in_window(struct ip_ct_tcp *state, > state->retrans = 0; > } > } >- /* >- * Close the window of disabled window tracking :-) >- */ >- if (sender->loose) >- sender->loose--; >- > res = 1; > } else { >- if (LOG_INVALID(IPPROTO_TCP)) >+ res = 0; >+ if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL || >+ nf_ct_tcp_be_liberal) >+ res = 1; >+ if (!res && LOG_INVALID(IPPROTO_TCP)) > nf_log_packet(pf, 0, skb, NULL, NULL, NULL, > "nf_ct_tcp: %s ", > before(seq, sender->td_maxend + 1) ? >@@ -717,8 +711,6 @@ static int tcp_in_window(struct ip_ct_tcp *state, > : "ACK is over the upper bound (ACKed data not seen yet)" > : "SEQ is under the lower bound (already ACKed data retransmitted)" > : "SEQ is over the upper bound (over the window of the receiver)"); >- >- res = nf_ct_tcp_be_liberal; > } > > DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u " >@@ -1063,8 +1055,6 @@ static int tcp_new(struct nf_conn *conntrack, > > tcp_options(skb, dataoff, th, &conntrack->proto.tcp.seen[0]); > conntrack->proto.tcp.seen[1].flags = 0; >- conntrack->proto.tcp.seen[0].loose = >- conntrack->proto.tcp.seen[1].loose = 0; > } else if (nf_ct_tcp_loose == 0) { > /* Don't try to pick up connections. */ > return 0; >@@ -1085,11 +1075,11 @@ static int tcp_new(struct nf_conn *conntrack, > conntrack->proto.tcp.seen[0].td_maxwin; > conntrack->proto.tcp.seen[0].td_scale = 0; > >- /* We assume SACK. Should we assume window scaling too? */ >+ /* We assume SACK and liberal window checking to handle >+ * window scaling */ > conntrack->proto.tcp.seen[0].flags = >- conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM; >- conntrack->proto.tcp.seen[0].loose = >- conntrack->proto.tcp.seen[1].loose = nf_ct_tcp_loose; >+ conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | >+ IP_CT_TCP_FLAG_BE_LIBERAL; > } > > conntrack->proto.tcp.seen[1].td_end = 0;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=309218">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 448328
:
309201
| 309218