problem with linux kernel 2.16.18.2 and packet filter

Max Laier max at love2party.net
Tue Mar 20 17:59:54 UTC 2007


On Tuesday 20 March 2007 18:42, WAYNE KING wrote:
> Hello list, My subnet at Ohio State is running a BSD firewall with
> packet filter. It works great, but I just encountered a weird problem
> with the linux 2.16.18.2 kernel and packet filter. When the firewall
> was on I could do absolutely nothing via the web; every page would
> hang. As soon as I turned the firewall off, all connections worked
> fine. Apparently this is a known bug? and changing the
> tcp_window_scaling setting in the kernel to 0 fixes it. Anyway I was
> hoping that someone could explain to me why that setting might cause a
> problem with packet filter. It irritated me for weeks. By the way I'm
> using OpenSuse 10.2 --never had it up to and including Suse 10.1. I'm
> not sure if this is a problem in general with that kernel or with some
> distro particular. I'm running fedora core 6 on another computer and
> that works fine. I just discovered this fix so I haven't checked what
> kernel that has installed (fedora core 6) or what the
> tcp_window_scaling is by default. The following command fixed it on my
> computer (openSuse 10.2)
>
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>
> Any quick insights just for my own education?

Could you enable misc logging for pf (pfctl -xm) and watch the console
while you try to connect to the net with the affected Linux box?

Also, window scaling related problems are usually caused by keep state
rules that do not include "flags S/SA".  Under some circumstances you
could get pf to install a state entry for which it has not seen the
initial SYN and thus it is not informed about the negotiated scaling
factor and breaks the connection later.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
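The rule shape Max is describing, written out as an added pf.conf example that is not part of this thread: the interface name, the local subnet and the port are assumptions, and the commented-out rule is the weak form for comparison.

```pf
# Added example, not from the mailing-list thread.
# Interface name and local subnet are assumed values.
ext_if  = "em0"
lan_net = "192.168.1.0/24"

# Weak form: any TCP packet matching the rule, not only the initial SYN,
# can create a state entry. If pf first sees a connection mid-stream
# (e.g. the ruleset was reloaded, or the state expired while the
# connection was idle), it never saw the SYN carrying the window scale
# option and later applies an unscaled window to scaled segments.
#pass out on $ext_if proto tcp from $lan_net to any keep state

# Recommended form: "flags S/SA" means that of the SYN and ACK flags,
# only SYN may be set, so only a genuine handshake packet creates state
# and pf always learns the negotiated scaling factor for that state.
pass out on $ext_if proto tcp from $lan_net to any flags S/SA keep state
pass in  on $ext_if proto tcp from any to $lan_net port 22 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then use `pfctl -xm` (as suggested above) to see why a segment is being dropped and `pfctl -ss` to confirm that a state for the broken connection was created by a SYN rather than mid-stream. Note that disabling `tcp_window_scaling` on the Linux client only hides the symptom by capping the window at 64 KiB; the firewall rule is the actual fix. Later pf releases made `flags S/SA` and `keep state` the default for TCP rules, so the explicit form mainly matters on rulesets written for the pf version discussed here.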