None but me, although that's probably the reason. ;-)
My hypothesis is as follows:
Since ip_masq_defrag is now sysctl-controlled, it is set to
zero at boot time, i.e. not enabled. Before, when it wasn't, it
was always enabled when ip-masq was compiled into the kernel.
Therefore my firewall began dropping fragments when I changed to
kernel 2.2.14. This problem was solved by an echo 1 > ip_always_defrag.
However, at this moment masqueraded connections had already been
issued through the firewall, and therefore the echo 1 didn't increment
the value from 0 to 1 but instead changed it from a greater value back
to 1. When the ip_masq connections were later closed and the ip_masq structures
were released, ip_always_defrag was decremented to zero or a negative value,
depending on the number of ip_masq connections that had been active.
Thanks to the information provided by Julian Anastasov, the problem
was solved by setting ip_always_defrag to a high value or simply
waiting for all ip_masq connections to time out before setting it to 1.
Still, I think the problem should be looked over, since this
approach isn't really obvious if one doesn't know it.
regards
/Ralf Nyrén
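The failure mode described in the post, as an added model written for this page (not kernel code): one integer doubling as an admin-writable sysctl and as a per-masquerade-entry refcount, next to a hypothetical design that keeps the two apart. Class and method names are assumptions.

```python
# Model of the ip_always_defrag behaviour described above. This is an
# illustration, not the 2.2.x kernel source; it follows the post's claims.


class SharedCounterDefrag:
    """Buggy design: a single integer is both the sysctl value and a refcount."""

    def __init__(self):
        self.value = 0  # sysctl default at boot: defragmentation disabled

    def sysctl_write(self, n):
        self.value = n  # 'echo 1 > ip_always_defrag' overwrites the counter

    def masq_open(self):
        self.value += 1  # masquerade entry created: kernel bumps the counter

    def masq_close(self):
        self.value -= 1  # entry released: kernel drops the counter again

    def defrag_enabled(self):
        return self.value > 0


class SeparatedDefrag:
    """Hypothetical fix: the admin flag and the kernel refcount are distinct."""

    def __init__(self):
        self.admin = 0
        self.refs = 0

    def sysctl_write(self, n):
        self.admin = n

    def masq_open(self):
        self.refs += 1

    def masq_close(self):
        self.refs -= 1

    def defrag_enabled(self):
        return self.admin > 0 or self.refs > 0


def replay(impl, open_before=2, admin_value=1):
    """Replay the sequence from the post: masqueraded connections already
    exist, the admin writes admin_value, then those connections close.
    Returns whether defragmentation is still enabled afterwards."""
    d = impl()
    for _ in range(open_before):
        d.masq_open()
    d.sysctl_write(admin_value)
    for _ in range(open_before):
        d.masq_close()
    return d.defrag_enabled()
```

`replay(SharedCounterDefrag)` reproduces the silent drop back to zero, while a large `admin_value` (the workaround from the post) or the separated design keeps defragmentation on.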
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/