Olaf Rempel wrote:
> On Wed, 23 Nov 2005 23:53:24 +0100
> Vidar Tyldum Hansen <[EMAIL PROTECTED]> wrote:
> 
>> Olaf Rempel wrote:
>>
>>> - try to relax tcp-window-tracking checkings
>>>   $ echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
>> BINGO!
> Nice.
> 
>> A bit more Googling shows me that disabling SACK fixes the problem.
> Hmm, have you disabled SACK with 0 > /proc/net/sys/ipv4/sack?

Yup.

> Thats interesting. Are there any other non-linux firewalls involved?

Nope. As I mentioned, directly from the gateway to the net works fine. 
Connecting from a host behind my gateway causes the problem.

Everything points to my TSL3 box (which was 100% stock until I disabled 
SACK). I'm a bit undecided; disable SACK or use the setting you first 
suggested. Disabling SACK seems like the right thing to do as it goes to 
the root of the problem.

>> However, I must figure out what the implications of disabling SACK are 
>> and possibly why this is causing problems. I don't have any packetloss 
>> anywhere.
> Afaik with selective ACKs you can ACK a part of a packet, not only the
> whole packet. And when resending you only need to resend the missing part.

My understanding: In the old days you could receive packets 1,2,4,5 in a 
flow. You would send ACK for 1,2, and then continue to ACK 2 even though 
4,5 arrived. So the sender retransmits 3,4,5 instead of just the missing 
packet.

With SACK you can ACK 1,2,4,5 and only packet 3 will be retransmitted.

I don't think disabling SACK is a major problem. The headache now is why 
this is a problem and what triggered it. Tcpdump here I come ;)

Again, thanks.
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
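The cumulative-ACK versus SACK behaviour described in the thread (segments 1,2,4,5 arriving, 3 missing), as an added toy model that is not part of the original post. Segment numbers stand in for TCP sequence ranges; `sent_upto` is an assumed parameter for the highest segment the sender has transmitted.

```python
"""Constructed toy model: what a sender retransmits without and with SACK."""
from typing import List, Tuple


def cumulative_ack(received: List[int]) -> int:
    """Highest segment number such that every segment up to it has arrived.

    This is the only thing a classic (pre-SACK) ACK can express.
    """
    ack = 0
    for seq in sorted(set(received)):
        if seq == ack + 1:
            ack = seq
        else:
            break  # first hole found; cumulative ACK stops here
    return ack


def sack_blocks(received: List[int]) -> List[Tuple[int, int]]:
    """Contiguous runs of segments received above the cumulative ACK point.

    These are the ranges a receiver advertises in the SACK option.
    """
    ack = cumulative_ack(received)
    blocks: List[Tuple[int, int]] = []
    for seq in sorted(s for s in set(received) if s > ack):
        if blocks and seq == blocks[-1][1] + 1:
            blocks[-1] = (blocks[-1][0], seq)  # extend current block
        else:
            blocks.append((seq, seq))          # start a new block
    return blocks


def retransmit_without_sack(sent_upto: int, received: List[int]) -> List[int]:
    """Sender only knows the cumulative ACK, so everything after it goes again."""
    return list(range(cumulative_ack(received) + 1, sent_upto + 1))


def retransmit_with_sack(sent_upto: int, received: List[int]) -> List[int]:
    """Sender skips the ranges the receiver already reported in SACK blocks."""
    ack = cumulative_ack(received)
    held = set()
    for lo, hi in sack_blocks(received):
        held.update(range(lo, hi + 1))
    return [s for s in range(ack + 1, sent_upto + 1) if s not in held]


if __name__ == "__main__":
    got = [1, 2, 4, 5]  # constructed arrival pattern from the thread
    print("ACK", cumulative_ack(got), "SACK", sack_blocks(got))
    print("no SACK:", retransmit_without_sack(5, got))  # [3, 4, 5]
    print("SACK:   ", retransmit_with_sack(5, got))     # [3]
```

The SACK-only retransmission of a single old segment is exactly the kind of out-of-order traffic a strict connection tracker can reject, which is why relaxing window tracking also made the symptom disappear.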
