<HTML>
<HEAD>
<TITLE>Re: [tproxy] TIME_WAIT / LAST_ACK Problem</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Just an interim update on this.<BR>
I have established that the problem arises with the following packet sequence:<BR>
<BR>
1. Tproxy-Server -> Client FIN<BR>
2. Client->Tproxy-Server ACK (of the server’s FIN)<BR>
3. Client->Tproxy-Server FIN<BR>
4. Tproxy-Server -> Client ACK (of the client’s FIN – this never leaves the server)<BR>
<BR>
Steps 3 & 4 are repeated.<BR>
<BR>
The problem does NOT arise with the sequence:<BR>
1. Tproxy-Server -> Client FIN<BR>
2. Client->Tproxy-Server ACK (of the server’s FIN) / FIN<BR>
3. Tproxy-Server -> Client ACK (of the client’s FIN)<BR>
<BR>
The search continues...<BR>
<BR>
<BR>
<BR>
On 15/11/2011 15:20, "Simon James" <<a href="sjames@btisystems.com">sjames@btisystems.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi<BR>
<BR>
Thanks for the quick response!<BR>
I’ve applied the patch but I’m still getting the problem.<BR>
I’m progressing the diagnosis with printk() etc, and will update this post if and when I get any further.<BR>
<BR>
Thanks again.<BR>
<BR>
Simon<BR>
<BR>
<BR>
<BR>
On 15/11/2011 09:11, "KOVACS Krisztian" <<a href="hidden@balabit.hu">hidden@balabit.hu</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi,<BR>
<BR>
On Mon 14 Nov 2011 12:57:45 PM CET, Simon James wrote:<BR>
> The problem seems to arise when the server initiates the close of the<BR>
> connection.<BR>
> In that case, the trace output shows:<BR>
><BR>
> 1. the FIN from the server passing through the mangle:OUTPUT,<BR>
> filter:OUTPUT and filter:POSTROUTING tables<BR>
> 2. a FIN/ACK from the client arriving and passing through<BR>
> mangle:PREROUTING, mangle:INPUT and filter:INPUT tables<BR>
> 3. a final ACK from the server passing through the mangle:OUTPUT<BR>
> tables but getting no further.<BR>
<BR>
This might be related to a problem we've fixed about a month ago in the<BR>
upstream kernel:<BR>
<BR>
<a href="https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=58af19e387d8821927e49be3f467da5e6a0aa8fd">https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=58af19e387d8821927e49be3f467da5e6a0aa8fd</a><BR>
<BR>
The fix made it into Linux 3.1. Can you somehow give it a try?<BR>
(Backporting to your F14 kernel should be fairly trivial, since it's a<BR>
one-line change in tcp_minisocks.c.)<BR>
<BR>
--<BR>
KOVACS Krisztian<BR>
<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
</SPAN></FONT></BLOCKQUOTE>
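<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
An added example, not part of the original thread: a small Python classifier that takes the close-phase segments from a capture on the server's egress wire, tells the two sequences in the interim update apart, and flags the failing case (client FIN retransmitted with no server ACK on the wire). The function name, trace format and sample traces are constructed for illustration.<BR>
</SPAN></FONT>

```python
# Each segment is (sender, flags): sender is "server" or "client",
# flags is a set of TCP flag names. Assumption: the trace contains only
# the segments of the connection close, in capture order, so a bare
# client ACK after the server's FIN is taken to acknowledge that FIN.

def classify_close(trace):
    """Return (pattern, stuck, client_fin_count) for a server-initiated close.

    pattern: "separate" if the client ACKed the server's FIN and sent its
             own FIN in a later segment, "combined" if the client's FIN
             arrived without a preceding bare ACK, None if no client FIN.
    stuck:   True if the client FIN was seen at least twice and no server
             ACK followed it (the final ACK never left the server).
    """
    server_fin_seen = False
    client_bare_ack = False
    final_ack_seen = False
    client_fins = 0
    pattern = None
    for sender, flags in trace:
        if sender == "server" and "FIN" in flags:
            server_fin_seen = True
        elif not server_fin_seen:
            continue  # ignore anything before the server starts closing
        elif sender == "client" and "FIN" in flags:
            client_fins += 1
            if pattern is None:
                pattern = "separate" if client_bare_ack else "combined"
        elif sender == "client" and "ACK" in flags:
            client_bare_ack = True
        elif sender == "server" and "ACK" in flags and client_fins:
            final_ack_seen = True
    stuck = client_fins >= 2 and not final_ack_seen
    return pattern, stuck, client_fins

# Constructed trace of the failing sequence: steps 3 and 4 repeat, but
# step 4 never reaches the wire, so only the client's FIN shows up again.
BAD_TRACE = [("server", {"FIN", "ACK"}), ("client", {"ACK"}),
             ("client", {"FIN", "ACK"}), ("client", {"FIN", "ACK"}),
             ("client", {"FIN", "ACK"})]

# Constructed trace of the sequence that does not show the problem.
GOOD_TRACE = [("server", {"FIN", "ACK"}), ("client", {"FIN", "ACK"}),
              ("server", {"ACK"})]

if __name__ == "__main__":
    print(classify_close(BAD_TRACE))
    print(classify_close(GOOD_TRACE))
```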
</BODY>
</HTML>