Re: Extremely slow network with e1000 & ip_conntrack

From: Harald Welte
Date: Thu Dec 11 2003 - 02:34:14 EST


On Fri, Dec 05, 2003 at 12:28:19PM -0800, David S. Miller wrote:

> The culprit is net/ipv4/netfilter/ip_conntrack_standalone.c,
> in ip_refrag(), it does this:
>

Sorry for getting back to you so late, but as indicated before, I was
offline while travelling during the last week.

Thanks for spotting and fixing the bug.

> Some auditing is definitely necessary wrt. TSO and netfilter. In particular
> I am incredibly confident that we have issues in cases like when the FTP
> netfilter modules mangle the data. Another area for inspection are the
> cases where TCP header bits are changed and thus the checksum needs to
> be adjusted.

Yes, this is certainly a problem - but not with conntrack, only with
nat. So maybe we should add a safeguard, preventing
iptables_nat/ipchains/ipfwadm from being loaded when TSO on any
interface is enabled? Or at least print a warning in syslog?

--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
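
The safeguard proposed in the message above, approximated as a userspace check. This is an added example, not code from the message or from the netfilter project. It assumes `ethtool -k` style feature output and `/proc/modules` style module lists; the function names and sample data are constructed, and `iptable_nat` is the on-disk name of the iptables NAT module.

```shell
#!/bin/sh
# Added example: warn when TSO is enabled on an interface while a NAT
# module is loaded. Not the in-kernel safeguard discussed in the thread.
# ipchains and ipfwadm are the compatibility modules named in the message.
NAT_MODULES="iptable_nat ipchains ipfwadm"

# tso_enabled: reads `ethtool -k IFACE` output on stdin; succeeds if TSO is on.
# Accepts "tcp segmentation offload:" and "tcp-segmentation-offload:".
tso_enabled() {
    grep -Eiq '^[[:space:]]*tcp[- ]segmentation[- ]offload:[[:space:]]*on'
}

# loaded_nat_modules: reads /proc/modules-format text on stdin and prints
# the names of loaded modules that appear in NAT_MODULES, space-separated.
loaded_nat_modules() {
    awk -v want="$NAT_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) nat[w[i]] = 1 }
        ($1 in nat) { out = out (out ? " " : "") $1 }
        END { print out }'
}

# check_iface IFACE ETHTOOL_TEXT MODULES_TEXT
# Prints a warning and returns 1 when both conditions hold, else returns 0.
check_iface() {
    mods=$(printf '%s\n' "$3" | loaded_nat_modules)
    if [ -n "$mods" ] && printf '%s\n' "$2" | tso_enabled; then
        echo "WARNING: TSO enabled on $1 while NAT module(s) loaded: $mods"
        return 1
    fi
    return 0
}

# Constructed sample input (not captured from a real host).
SAMPLE_ETHTOOL='Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on'
SAMPLE_MODULES='e1000 69632 0 - Live 0xe0a00000
iptable_nat 20480 1 - Live 0xe09f0000
ip_conntrack 32768 1 iptable_nat, Live 0xe09e0000'

check_iface eth0 "$SAMPLE_ETHTOOL" "$SAMPLE_MODULES" || true
```

On a live host, pass `"$(ethtool -k eth0)"` and `"$(cat /proc/modules)"` as the second and third arguments; the warning line can be piped to `logger` to reach syslog.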
