Linux 2.1.xxx TCP bug

j3yang@netcom.ca
Thu, 10 Dec 1998 12:44:15 -0500 (EST)


I'd reported this before, but no one responded, and I also have new
information.

There seems to be a major TCP bug probably in the masquerading code. This
bug also occurs intermittently in the 2.0 kernels, but 2.0 usually manages
to recover in time, though the bug when it occurs is even worse.

The bug is this: after the system runs for a varying amount of time, usually
around 12 hours, the system starts to have problems starting TCP connections
to external hosts (2.1.x kernels have no problems starting connections to
localhost, and its own eth0 address, but 2.0.x kernels do). netstat -tu
reports the connections are stuck in a SYN_SENT state.

This occurs for all attempted connections except for those started using
ssh. We assume that ssh opens connections with some odd parameters; I have
not delved into the ssh code to check this out.

A tcp dump on the offending connection contains these three suspect lines.
This is on an attempted telnet to the machine mithrandir from elessar.

11:52:25.718424 elessar.2081 > mithrandir.telnet: S 2472698000:2472698000(0) win 32120 <mss 1460,sackOK,timestamp 4932895[|tcp]> (DF) [tos 0x10] (ttl 64, id 26095)
11:52:25.718807 mithrandir.telnet > elessar.2081: S 2464075485:2464075485(0) ack 2472698001 win 32120 <mss 1460,sackOK,timestamp 1205796[|tcp]> (DF) (ttl 64, id 4119)
11:52:25.718993 elessar > mithrandir: icmp: redirect mithrandir to host mithrandir [tos 0xc0] (ttl 255, id 26096)

Note the last line seems kind of strange.

The kernel is compiled with masquerading on, and with ipautofw and ipportfw
on. IP masquerading is enabled using ipchains with the following script.

#!/bin/sh

# Use this script to enable IP-Masquerading.

# Check if we're using ipchains
if [ -f /proc/net/ip_fwchains ]; then

# Flush all chains
/sbin/ipchains -F

# Delete user-defined chains
/sbin/ipchains -X

# Default policies: forward is DENY; input is ACCEPT (the DENY line is commented out)
# /sbin/ipchains -P input DENY
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P forward DENY

# Accept all input from localhost and eth0
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A input -i eth0 -j ACCEPT

# Setup Masquerading
/sbin/ipchains -A forward -j MASQ -s 172.31.13.2/24 -d 0.0.0.0/0

# Clear ipautofw tables
/usr/sbin/ipmasqadm autofw -F

# autofw for ICQ
/usr/sbin/ipmasqadm autofw -A -r tcp 2001 2050 -h 172.31.13.2
/usr/sbin/ipmasqadm autofw -A -r tcp 2051 2100 -h 172.31.13.3

# autofw for powwow
/usr/sbin/ipmasqadm autofw -A -r tcp 13223 13223 -c tcp 13223 -u
/usr/sbin/ipmasqadm autofw -A -r udp 13223 13223 -c tcp 13223 -u
/usr/sbin/ipmasqadm autofw -A -r tcp 23213 23213 -c tcp 13223 -u

# autofw for battle.net
/usr/sbin/ipmasqadm autofw -A -r tcp 6112 6112 -h 172.31.13.3
/usr/sbin/ipmasqadm autofw -A -r udp 6112 6112 -h 172.31.13.3

fi

The network portion of my kernel config is here.

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_FIREWALL=y
# CONFIG_NET_ALIAS is not set
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_IP_ALWAYS_DEFRAG=y
# CONFIG_IP_TRANSPARENT_PROXY is not set
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=m
CONFIG_IP_MASQUERADE_IPPORTFW=m
# CONFIG_IP_MASQUERADE_MFW is not set
# CONFIG_IP_ROUTER is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_ALIAS is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_RARP is not set
CONFIG_IP_NOSR=y
CONFIG_SKB_LARGE=y
# CONFIG_IPV6 is not set
CONFIG_IPX=m
CONFIG_IPX_INTERN=y
CONFIG_SPX=m
CONFIG_ATALK=m
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_BRIDGE is not set
# CONFIG_LLC is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set
# CONFIG_CPU_IS_SLOW is not set
# CONFIG_NET_SCHED is not set

#
# Network device support
#
CONFIG_NETDEVICES=y
# CONFIG_ARCNET is not set
CONFIG_DUMMY=m
# CONFIG_EQUALIZER is not set
# CONFIG_ETHERTAP is not set
CONFIG_NET_ETHERNET=y
CONFIG_NET_VENDOR_3COM=y
# CONFIG_EL1 is not set
# CONFIG_EL2 is not set
# CONFIG_ELPLUS is not set
# CONFIG_EL16 is not set
CONFIG_EL3=m
# CONFIG_3C515 is not set
# CONFIG_VORTEX is not set
# CONFIG_LANCE is not set
# CONFIG_NET_VENDOR_SMC is not set
# CONFIG_NET_VENDOR_RACAL is not set
# CONFIG_RTL8139 is not set
# CONFIG_YELLOWFIN is not set
# CONFIG_ACENIC is not set
CONFIG_NET_ISA=y
# CONFIG_AT1700 is not set
# CONFIG_E2100 is not set
# CONFIG_DEPCA is not set
# CONFIG_EWRK3 is not set
# CONFIG_EEXPRESS is not set
# CONFIG_EEXPRESS_PRO is not set
# CONFIG_FMV18X is not set
# CONFIG_HPLAN_PLUS is not set
# CONFIG_HPLAN is not set
# CONFIG_HP100 is not set
# CONFIG_ETH16I is not set
CONFIG_NE2000=m
# CONFIG_SEEQ8005 is not set
# CONFIG_SK_G16 is not set
CONFIG_NET_EISA=y
# CONFIG_PCNET32 is not set
# CONFIG_ACENIC is not set
# CONFIG_AC3200 is not set
# CONFIG_APRICOT is not set
# CONFIG_CS89x0 is not set
# CONFIG_DE4X5 is not set
# CONFIG_DEC_ELCP is not set
# CONFIG_DGRS is not set
# CONFIG_EEXPRESS_PRO100 is not set
# CONFIG_LNE390 is not set
# CONFIG_NE3210 is not set
CONFIG_NE2K_PCI=m
# CONFIG_YELLOWFIN is not set
# CONFIG_RTL8139 is not set
# CONFIG_ACENIC is not set
# CONFIG_TLAN is not set
# CONFIG_VIA_RHINE is not set
# CONFIG_ES3210 is not set
# CONFIG_EPIC100 is not set
# CONFIG_ZNET is not set
# CONFIG_NET_POCKET is not set
# CONFIG_FDDI is not set
# CONFIG_HIPPI is not set
# CONFIG_DLCI is not set
# CONFIG_LTPC is not set
# CONFIG_COPS is not set
# CONFIG_IPDDP is not set
# CONFIG_PLIP is not set
CONFIG_PPP=m
CONFIG_SLIP=m
CONFIG_SLIP_COMPRESSED=y
CONFIG_SLIP_SMART=y
CONFIG_SLIP_MODE_SLIP6=y
# CONFIG_NET_RADIO is not set
# CONFIG_TR is not set
CONFIG_SHAPER=m
# CONFIG_HOSTESS_SV11 is not set
# CONFIG_COSA is not set

I also do a "route add -host 255.255.255.255 eth0" to enable dhcpd to work.
If someone can look into this for me, that would be great!

-- 
Joseph Yang                               j3yang@undergrad.math.uwaterloo.ca

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
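
Added example (not part of the original message): a small Python parser for tcpdump text in the format quoted above. It reports handshakes that never get past the SYN-ACK and notes whether the client also sent an ICMP redirect naming the same host twice. The function name and the last three sample lines are constructed for illustration.

```python
import re

ICMP_RE = re.compile(r'^\S+ (\S+) > (\S+): icmp: redirect (\S+) to host (\S+)')
TCP_RE = re.compile(r'^\S+ (\S+)\.([\w-]+) > (\S+)\.([\w-]+): (\S+) (.*)$')
ACK_RE = re.compile(r'\back \d+')  # word boundary keeps "sackOK" from matching

# First three lines are the ones quoted in the post; the last three are a
# constructed, completed handshake for comparison.
SAMPLE = """\
11:52:25.718424 elessar.2081 > mithrandir.telnet: S 2472698000:2472698000(0) win 32120 <mss 1460,sackOK,timestamp 4932895[|tcp]> (DF) [tos 0x10] (ttl 64, id 26095)
11:52:25.718807 mithrandir.telnet > elessar.2081: S 2464075485:2464075485(0) ack 2472698001 win 32120 <mss 1460,sackOK,timestamp 1205796[|tcp]> (DF) (ttl 64, id 4119)
11:52:25.718993 elessar > mithrandir: icmp: redirect mithrandir to host mithrandir [tos 0xc0] (ttl 255, id 26096)
11:53:02.100000 elessar.2090 > mithrandir.ssh: S 100:100(0) win 32120 <mss 1460> (DF)
11:53:02.100400 mithrandir.ssh > elessar.2090: S 200:200(0) ack 101 win 32120 <mss 1460> (DF)
11:53:02.100600 elessar.2090 > mithrandir.ssh: . ack 1 win 32120 (DF)
""".splitlines()

def stalled_handshakes(lines):
    """Return one dict per TCP handshake that never reached the final ACK."""
    conns = {}         # (client, cport, server, sport) -> last handshake step seen
    redirects = set()  # (sender, receiver) of redirects naming one host twice
    for line in lines:
        m = ICMP_RE.match(line)  # checked first: dotted host names would also fit TCP_RE
        if m:
            src, dst, target, gateway = m.groups()
            if target == gateway:
                redirects.add((src, dst))
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        src, sp, dst, dp, flags, rest = m.groups()
        key, rkey = (src, sp, dst, dp), (dst, dp, src, sp)
        acked = bool(ACK_RE.search(rest))
        if 'S' in flags and not acked:                    # client SYN
            conns[key] = 'SYN'
        elif 'S' in flags and conns.get(rkey) == 'SYN':   # server SYN-ACK
            conns[rkey] = 'SYN-ACK'
        elif acked and conns.get(key) == 'SYN-ACK':       # client's final ACK
            conns[key] = 'ESTABLISHED'
    return [{'client': f'{c}.{cp}', 'server': f'{s}.{sp}', 'last_step': step,
             'odd_redirect': (c, s) in redirects}
            for (c, cp, s, sp), step in conns.items() if step != 'ESTABLISHED']

if __name__ == '__main__':
    for row in stalled_handshakes(SAMPLE):
        print(row)
```

A row with last_step 'SYN-ACK' means the capture shows the peer's reply but no final ACK from the client, which matches a socket that netstat shows in SYN_SENT.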