ab94c6b021
This can avoid connections rarely hanging due to tcp window scaling not correctly being observed by the TCP connection tracking. This seems to happen when retransmits are occurring occasionally. Setting this parameter turns off validating the window scaling checks for the purpose of matching whether a packet matches an existing connection tracked flow, which avoids the SNAT namespace from interfering and letting the connection peers recover the connection via retransmits/Selective ACKs instead of the SNAT terminating one side of the connection and letting it stall permanently.

Closes-Bug: #1804327
Change-Id: I5e58bb2850bfa8e974e62215af0b4d7bc0592c13
19 lines
781 B
YAML
---
fixes:
  - |
    Liberal TCP connection tracking is now enabled in SNAT namespaces,
    (``sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1``).

    In some cases, when a TCP connection that is NAT-ed ends up
    re-transmitting, a packet could be outside what the Linux kernel
    connection tracking considers part of the valid TCP window. When
    this happens, a TCP Reset (RST) is triggered, terminating the connection
    on the sender side, while leaving the receiver side (the Neutron
    port attached VM) hanging.

    Since a number of firewall vendors typically turn this on by default
    to avoid unnecessary resets, we now do it in the Neutron router as well.

    See bug `1804327 <https://bugs.launchpad.net/neutron/+bug/1804327>`_
    for more information.
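
A check an operator could run on a network node to confirm the setting described in the release note is active in every SNAT namespace. This is an added example, not part of the Neutron change; it assumes SNAT namespaces carry an `snat-` name prefix, and the function names are illustrative.

```shell
#!/bin/sh
# Audit: is liberal TCP conntrack enabled in each SNAT namespace?
# Assumption: SNAT namespaces are named with an "snat-" prefix.

SYSCTL_KEY=net.netfilter.nf_conntrack_tcp_be_liberal

# Extract SNAT namespace names from `ip netns list` output on stdin.
# Lines look like "snat-<id>" or "snat-<id> (id: 3)".
snat_namespaces() {
    awk '$1 ~ /^snat-/ { print $1 }'
}

# Read the sysctl inside one namespace (needs root on the node).
# Kept separate so it can be replaced by a stub when testing offline.
read_liberal() {
    ip netns exec "$1" sysctl -n "$SYSCTL_KEY" 2>/dev/null
}

# Read namespace names on stdin and print "<namespace> <state>" per line:
#   ok      -> value is 1 (liberal tracking on)
#   strict  -> value is 0 (window checks still enforced)
#   unknown -> value could not be read
# Returns non-zero if any namespace is not "ok".
audit_snat_namespaces() {
    rc=0
    while read -r ns; do
        [ -n "$ns" ] || continue
        # </dev/null keeps the child from consuming the namespace list.
        val=$(read_liberal "$ns" </dev/null) || val=
        case "$val" in
            1) echo "$ns ok" ;;
            0) echo "$ns strict"; rc=1 ;;
            *) echo "$ns unknown"; rc=1 ;;
        esac
    done
    return $rc
}

# Live use, as root on a node hosting routers:
#   ip netns list | snat_namespaces | audit_snat_namespaces
```

A `strict` result means conntrack in that namespace still enforces the window checks whose failures the release note describes.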