bugzilla-daemon@netfilter.org
2003-Feb-14 07:39 UTC
[Bug 49] TCP conntrack entries with huge timeouts
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=49

------- Additional Comments From laforge@netfilter.org 2003-02-14 08:39 -------
What patches from patch-o-matic do you use? Do you know how to reproduce this behaviour?

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon@netfilter.org
2003-Feb-14 09:45 UTC
[Bug 49] TCP conntrack entries with huge timeouts
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=49

------- Additional Comments From arvids@vendomar.lv 2003-02-14 10:45 -------
I have applied the following patches:

pending/01_ip_conntrack_proto_tcp-lockfix
pending/02_newnat-udp-helper
pending/04_ftp-conntrack-msg-fix
base/iplimit
base/time

And I have made the following changes to the TCP timeouts:

--- /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig 2003-01-15 13:43:37.000000000 +0200
+++ /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2003-01-15 14:48:44.000000000 +0200
@@ -53,13 +53,13 @@
 static unsigned long tcp_timeouts[] = { 30 MINS, /* TCP_CONNTRACK_NONE, */
- 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
- 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
- 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
- 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
- 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
+ 60 MINS, /* TCP_CONNTRACK_ESTABLISHED, */
+ 60 SECS, /* TCP_CONNTRACK_SYN_SENT, */
+ 30 SECS, /* TCP_CONNTRACK_SYN_RECV, */
+ 60 SECS, /* TCP_CONNTRACK_FIN_WAIT, */
+ 60 SECS, /* TCP_CONNTRACK_TIME_WAIT, */
 10 SECS, /* TCP_CONNTRACK_CLOSE, */
- 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
+ 10 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
 2 MINS, /* TCP_CONNTRACK_LISTEN, */
 };
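Review bot: cutting TCP_CONNTRACK_ESTABLISHED from 5 DAYS to 60 MINS in this hunk will expire any idle but still-open session after an hour, including sessions that rely on Linux's default TCP keepalive, whose first probe is only sent after two hours of idleness (net.ipv4.tcp_keepalive_time defaults to 7200); the next packet on such a session then arrives with no conntrack entry and is classified as a NEW connection, which a rule set that only admits NEW TCP connections with --syn will drop. The 10 SECS for TCP_CONNTRACK_CLOSE_WAIT has the same problem, since how long a connection sits in CLOSE_WAIT depends on how long the receiving application takes to close its end. Nothing in the hunk explains why entries carry timeouts above even the stock values, so this shrinks the window rather than fixing the cause; if the values are changed anyway, add a comment next to the table saying they deliberately diverge from the upstream defaults, so that the next person comparing against ip_conntrack_proto_tcp.c does not mistake them for the shipped ones.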
bugzilla-daemon@netfilter.org
2003-Feb-14 09:56 UTC
[Bug 49] TCP conntrack entries with huge timeouts
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=49

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |ASSIGNED

------- Additional Comments From laforge@netfilter.org 2003-02-14 10:56 -------
So this clearly is a bug. *sigh*. The timeouts cannot by any means legally be at the high values you describe.

Can you give us some more information, anything that could be helpful (like whether the connections go through the netfilter/iptables firewall [from some other machine], or whether they are initiated or terminated at the firewall)? Any hint how to reproduce it?
bugzilla-daemon@netfilter.org
2003-Feb-15 19:32 UTC
[Bug 49] TCP conntrack entries with huge timeouts
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=49

korn-netfilterbugs@chardonnay.math.bme.hu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     OS/Version|other                       |Debian GNU/Linux

------- Additional Comments From korn-netfilterbugs@chardonnay.math.bme.hu 2003-02-15 20:32 -------
I'm also experiencing the problem. Running the following command produces lots of conntrack entries with huge timeouts:

#!/bin/sh
ulimit -n 8192
ulimit -c unlimited
ulimit -s unlimited
nmap --max_parallelism 10 -oM /tmp/xdmcp.log -sU -p 177 some-subnet.1-253

The interesting thing is that this produces ESTABLISHED but UNREPLIED connections with nonexistent boxes, like for example:

tcp 6 431983 ESTABLISHED src=192.168.0.1 dst=192.168.0.23 sport=43465 dport=80 [UNREPLIED] src=192.168.0.23 dst=192.168.0.1 sport=80 dport=43465 use=1

192.168.0.23 doesn't exist on the network, so I certainly can't have established a TCP session with it. The timeout is about 5 days, so I guess it's the normal timeout for established TCP sessions. I'm just compiling a new kernel with a lower timeout to test this.

On a different box, I see lots of connections like these:

tcp 6 109291 CLOSE_WAIT src=foo.63 dst=some-ip.144 sport=2465 dport=4000 src=some-ip.144 dst=foo.63 sport=4000 dport=2465 use=1

The timeout of about 30 hours doesn't resemble anything I've seen in ip_conntrack_proto_tcp.c. (TCP port 4000 is a listening port on some-ip.144, so this was an incoming connection.)

Or let's look at this one:

tcp 6 19038066 CLOSE src=foo.26 dst=some-ip.144 sport=20933 dport=40768 [UNREPLIED] src=some-ip.144 dst=foo.26 sport=40768 dport=20933 use=1

Not bad, a whopping 220+ days! I wonder how that came to be...?

Both kernels are 2.4.20-wolk4.0s-pre10 (which includes most of the iptables patch-o-matic). I removed Jozsef Kadlecsik's connection tracking enhancement patch from the kernel on the first box; otherwise, everything is identical.

Andrew
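The three entries above each look wrong for a different reason: the CLOSE_WAIT and CLOSE entries carry a remaining timeout larger than the value the stock tcp_timeouts[] table could ever have assigned to that state, while the ESTABLISHED entry is within its 5-day budget but has never seen a reply-direction packet. The following script is an added example written for this page, not code from the bug reporters or from the netfilter project; it reads /proc/net/ip_conntrack in the 2.4-era format shown in the comments, checks each TCP entry against the stock table values visible in the diff posted earlier in this bug, and prints the ones that could not have come from an unmodified kernel. The sample lines embedded in it are constructed to resemble the reported ones (the foo./some-ip. hosts are replaced with 192.0.2.x documentation addresses) and are not real captures.

```python
"""Flag /proc/net/ip_conntrack TCP entries with implausible timeouts.

Added example for this bug thread; not part of netfilter or the reporters' code.
Assumes the 2.4 ip_conntrack text format:
  tcp 6 <timeout> <STATE> src=.. dst=.. sport=.. dport=.. [UNREPLIED] src=.. ... use=N
"""
import re
import sys

SECS, MINS, DAYS = 1, 60, 86400

# Stock tcp_timeouts[] values (seconds) as they appear in the diff posted in this
# bug. A fresh entry in a state starts with exactly this timeout and counts down,
# so any remaining timeout above it is impossible for an unpatched kernel.
TCP_MAX_TIMEOUT = {
    "NONE": 30 * MINS,
    "ESTABLISHED": 5 * DAYS,
    "SYN_SENT": 2 * MINS,
    "SYN_RECV": 60 * SECS,
    "FIN_WAIT": 2 * MINS,
    "TIME_WAIT": 2 * MINS,
    "CLOSE": 10 * SECS,
    "CLOSE_WAIT": 60 * SECS,
    "LAST_ACK": 30 * SECS,
    "LISTEN": 2 * MINS,
}

_ENTRY = re.compile(
    r"^tcp\s+6\s+(?P<timeout>\d+)\s+(?P<state>[A-Z_]+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)


def parse_tcp_entry(line):
    """Parse one ip_conntrack line; return None for non-TCP or unparseable lines."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return {
        "timeout": int(m.group("timeout")),
        "state": m.group("state"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        # [UNREPLIED] sits between the original and reply tuples when the reply
        # direction has never been seen; [ASSURED] appears once it has.
        "unreplied": "[UNREPLIED]" in rest,
        "assured": "[ASSURED]" in rest,
    }


def classify(entry):
    """Return the reasons an entry looks wrong; an empty list means plausible."""
    reasons = []
    limit = TCP_MAX_TIMEOUT.get(entry["state"])
    if limit is None:
        reasons.append("unknown TCP state %s" % entry["state"])
    elif entry["timeout"] > limit:
        reasons.append("timeout %ds (%.1f days) exceeds %ds max for %s"
                       % (entry["timeout"], entry["timeout"] / DAYS, limit, entry["state"]))
    # Reaching ESTABLISHED without a single reply packet is what the reporter saw
    # after scanning nonexistent hosts; it is worth listing even when the
    # remaining timeout itself is still inside the table value.
    if entry["state"] == "ESTABLISHED" and entry["unreplied"]:
        reasons.append("ESTABLISHED without any reply-direction packet")
    return reasons


def find_anomalies(lines):
    """Return [(entry, reasons)] for every TCP entry that fails a check."""
    out = []
    for line in lines:
        entry = parse_tcp_entry(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            out.append((entry, reasons))
    return out


# Constructed sample table: one healthy entry, one UDP line (ignored), and three
# modelled on the entries reported in this bug.
SAMPLE = """\
tcp 6 117 TIME_WAIT src=192.168.0.1 dst=192.0.2.10 sport=50123 dport=22 src=192.0.2.10 dst=192.168.0.1 sport=22 dport=50123 [ASSURED] use=1
tcp 6 431983 ESTABLISHED src=192.168.0.1 dst=192.168.0.23 sport=43465 dport=80 [UNREPLIED] src=192.168.0.23 dst=192.168.0.1 sport=80 dport=43465 use=1
udp 17 29 src=192.168.0.1 dst=192.0.2.77 sport=40001 dport=177 [UNREPLIED] src=192.0.2.77 dst=192.168.0.1 sport=177 dport=40001 use=1
tcp 6 109291 CLOSE_WAIT src=192.0.2.63 dst=192.0.2.144 sport=2465 dport=4000 src=192.0.2.144 dst=192.0.2.63 sport=4000 dport=2465 use=1
tcp 6 19038066 CLOSE src=192.0.2.26 dst=192.0.2.144 sport=20933 dport=40768 [UNREPLIED] src=192.0.2.144 dst=192.0.2.26 sport=40768 dport=20933 use=1
"""

if __name__ == "__main__":
    # Pass /proc/net/ip_conntrack as the first argument on a real box; with no
    # argument the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE.splitlines()
    for entry, reasons in find_anomalies(lines):
        print("%s:%d -> %s:%d %s" % (entry["src"], entry["sport"], entry["dst"],
                                     entry["dport"], entry["state"]))
        for r in reasons:
            print("    " + r)
```

Running it with no argument lists only the three constructed bad entries; the TIME_WAIT line passes and the UDP line is skipped. On a live system the table values must match the kernel actually running, so a box carrying a patched tcp_timeouts[] like the one posted earlier needs TCP_MAX_TIMEOUT edited to the same values, otherwise every entry created before the patch would be reported.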
bugzilla-daemon@netfilter.org
2003-Feb-20 09:29 UTC
[Bug 49] TCP conntrack entries with huge timeouts
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=49

------- Additional Comments From arvids@vendomar.lv 2003-02-20 10:29 -------
Here are some details:

1) The connections go through the netfilter box.
2) The following rules are defined:

iptables -t nat -A PREROUTING -s x.x.0.0/16 -i eth1 -p tcp --syn -m iplimit --iplimit-above 50 -j DROP
iptables -t nat -A POSTROUTING -s x.x.0.0/16 -o eth0 -j SNAT --to y.y.y.y

(the address y.y.y.y is not assigned to the Linux box)

3) There are about 100-200 internal users.
4) I have another box with exactly the same configuration and a much higher load, which uses the 2.4.19 kernel with patch-o-matic-20020825. This box does not have this problem.

Regards,
Arvids
bugzilla-daemon@netfilter.org
2003-Feb-27 12:22 UTC
[Bug 49] TCP conntrack entries with huge timeouts
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=49

------- Additional Comments From arvids@vendomar.lv 2003-02-27 13:22 -------
It seems that this bug is the same as #56.

Arvids
bugzilla-daemon@netfilter.org
2003-Feb-27 12:42 UTC
[Bug 49] TCP conntrack entries with huge timeouts
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=49

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|ASSIGNED                    |RESOLVED
     Resolution|                            |DUPLICATE

------- Additional Comments From laforge@netfilter.org 2003-02-27 13:42 -------
Yup, indeed. Thanks.

*** This bug has been marked as a duplicate of 56 ***