Bug#410857: NFS breaks down because of errors in connection tracking
On Tue, Feb 13, 2007 at 11:14:17PM +0100, Georg Mainik wrote:
> Package: linux-image-2.6.18-3-686
> Version: 2.6.18-7
> Severity: normal
>
> Hello,
>
> this is my first bug report and I am trying my best to submit it in a
> correct way and to give enough information for solving the problem.
>
> After installing and configuring a firewall, (Shorewall) I observed that
> NFS broke down on the clients after a reboot -- not always, but in 80%
> of all cases.
>
> With some help from a friend, I could find out that there was an
> inconsistency in connection tracking: although the NFS connection was
> established by the client, the NFS packages sent by the server did not
> pass the sequence number check.
>
> After adding a log target to Shorewall's dropInvalid chain (there is
> none by default), I saw the following in the syslog:
> -----
[..]
> -----
>
> With some more help, I got a workaround for that:
> echo "1" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
>
> After including this line into Shorewall's post-init script, the NFS
> connection did not break down any more.
>
> I don't know whether the origin of the problem is in the netfilter or in
> the nfs server or in the connection tracking on the client or server
> (maybe the server does not notice the client reboot and goes on with
> sequence numbers from the old connections?), but it is in the kernel --
> the firewall rules are correct and the packages are not recognized as a
> part of the existing connection.
Does this error still occur with more recent kernel versions?
Cheers,
Moritz
Reply to: