bugzilla-daemon@netfilter.org
2003-Mar-16 08:36 UTC
[Bug 64] Conntrack-Table is not cleared on interface down using target MASQUERADE
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=64

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From laforge@netfilter.org 2003-03-16 09:36 -------
You seem to be running a 2.4.20 kernel. As announced to vendor-sec, there is a bug in the core 2.4.20 kernel that makes conntrack entries not time out as expected.

Please see: https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=56

If the bug still persists with a fixed kernel, please report back to us (by using this bug report).

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon@netfilter.org
2003-Mar-30 19:21 UTC
[Bug 64] Conntrack-Table is not cleared on interface down using target MASQUERADE
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=64

------- Additional Comments From laforge@netfilter.org 2003-03-30 21:21 -------
Any news on your bug report? Is the bug present with 2.4.19 kernels (or 2.4.20 with the proposed bugfix)?

Please give me some feedback, otherwise I don't know if I can close this bug. Thanks.
bugzilla-daemon@netfilter.org
2003-Apr-05 23:30 UTC
[Bug 64] Conntrack-Table is not cleared on interface down using target MASQUERADE
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=64

------- Additional Comments From tobias@portfolio16.de 2003-04-06 01:30 -------
OK, now I had time to test the 2.4.20 kernel with the patch. And yes, it has gotten much better. Not all connections are cleared, but many more than before.

tobias@lafiel:~$ wc -l ip_conntrack
613 ip_conntrack
tobias@lafiel:~$ grep -v "192\.168\.2\." ip_conntrack | grep -v "127\.0\.0\.1" | grep -v "A\.B\.C\.D" | wc -l
41

Seems to be a better ratio... Ideally this should be 0, right?
bugzilla-daemon@netfilter.org
2003-Apr-07 21:08 UTC
[Bug 64] Conntrack-Table is not cleared on interface down using target MASQUERADE
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=64

------- Additional Comments From laforge@netfilter.org 2003-04-07 23:08 -------
Yes, it should be zero. Can you please provide me with the list of those few conntrack records which you think are remaining erroneously? (Just the output of your 'grep' line without the trailing 'wc -l'.) You can anonymize the IP address, of course.
bugzilla-daemon@netfilter.org
2003-Apr-08 08:22 UTC
[Bug 64] Conntrack-Table is not cleared on interface down using target MASQUERADE
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=64

------- Additional Comments From tobias@portfolio16.de 2003-04-08 10:13 -------
Created an attachment (id=17)
Leftover connections after ~4 days uptime

------- Additional Comments From tobias@portfolio16.de 2003-04-08 10:22 -------
This is the list of the leftover connections as of now; here are the statistics:

tobias@lafiel:~$ wc -l ip_conntrack
458 ip_conntrack
tobias@lafiel:~$ wc -l left_connections_annon
65 left_connections_annon

The router is up for almost 4 days now, there were 7 disconnects in this time... (Yes, I know... My provider disconnects after 12 hours, not after 24, as I said in the first post :( )

Here is the crazy creation I used to create that attached file:

tobias@lafiel:~$ grep -v "192\.168\.2\." ip_conntrack | grep -v "127\.0\.0\.1" | grep -v "A\.B\.C\.D" | grep -v "src=192\.168\.[0-9]*\.[0-9]* dst=192\.168\." | sed 's/=\(192\.168\.\)/=X\1/g; s/\(=[0-9]*\.[0-9]*\.[0-9]*\.\)[0-9]*/\1XXX/g; s/=X192/=192/g' > left_connections_annon

(Yupp, there is another "grep -v", I used this the last time, but didn't mention it in the post, sorry)
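The reporter's pipeline above is a useful diagnostic in its own right: after the uplink address changes, any conntrack entry that references neither the LAN, loopback, nor the router's current public address is a candidate for a stale entry that should have expired. The script below is an added example, not code from the bug thread or from the netfilter project. It wraps the same grep -v filters and the same sed masking into shell functions and runs them over a constructed dump in the 2.4-kernel /proc/net/ip_conntrack layout. Assumptions: the LAN is 192.168.2.0/24 as in the thread, 203.0.113.5 stands in for the current public address the reporter wrote as A.B.C.D, 203.0.113.99 is the address the router had before the last disconnect, and 198.51.100.0/24 hosts are remote peers; all of these addresses and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread): rebuild the reporter's
# "leftover connections" check over a constructed ip_conntrack dump.

LAN_PREFIX='192\.168\.2\.'   # assumed LAN, as in the thread

# Constructed sample in the 2.4-kernel /proc/net/ip_conntrack layout:
# proto, proto number, timeout, [state], original tuple, reply tuple.
# 203.0.113.5  = current public address (the thread's "A.B.C.D")
# 203.0.113.99 = address held before the last disconnect (should be gone)
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.2.10 dst=198.51.100.20 sport=33012 dport=80 src=198.51.100.20 dst=203.0.113.5 sport=80 dport=33012 [ASSURED] use=1
udp      17 29 src=192.168.2.11 dst=192.168.2.1 sport=1024 dport=53 src=192.168.2.1 dst=192.168.2.11 sport=53 dport=1024 use=1
tcp      6 117 TIME_WAIT src=203.0.113.99 dst=198.51.100.9 sport=40000 dport=443 src=198.51.100.9 dst=203.0.113.99 sport=443 dport=40000 [ASSURED] use=1
tcp      6 3599 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=5000 dport=25 src=127.0.0.1 dst=127.0.0.1 sport=25 dport=5000 use=1
udp      17 12 src=203.0.113.99 dst=198.51.100.53 sport=1025 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.99 sport=53 dport=1025 use=1'

# Print the entries on stdin that mention neither the LAN, loopback, nor the
# current public address ($1), plus drop LAN-to-LAN traffic: the same four
# grep -v stages the reporter used, with A.B.C.D taken as a parameter.
leftover_entries() {
    current_ip=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep
    grep -v "$LAN_PREFIX" \
      | grep -v "127\.0\.0\.1" \
      | grep -v "$current_ip" \
      | grep -v "src=192\.168\.[0-9]*\.[0-9]* dst=192\.168\."
}

# Count the leftover entries (awk, not wc, so the result has no padding and
# an empty result is a clean "0").
count_leftover() {
    leftover_entries "$1" | awk 'END { print NR }'
}

# The reporter's anonymizer: tag 192.168.x.y addresses with a leading X so the
# second expression skips them, mask the last octet of every other address,
# then strip the tag again.
anonymize_entries() {
    sed -e 's/=\(192\.168\.\)/=X\1/g' \
        -e 's/\(=[0-9]*\.[0-9]*\.[0-9]*\.\)[0-9]*/\1XXX/g' \
        -e 's/=X192/=192/g'
}

# Stand-alone run over the constructed sample; feed a real dump on stdin to
# the functions instead (e.g. < /proc/net/ip_conntrack on a 2.4 kernel).
report() {
    total=$(printf '%s\n' "$SAMPLE_CONNTRACK" | awk 'END { print NR }')
    left=$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_leftover 203.0.113.5)
    printf '%s entries, %s not tied to LAN, loopback or current address\n' "$total" "$left"
    printf '%s\n' "$SAMPLE_CONNTRACK" | leftover_entries 203.0.113.5 | anonymize_entries
}

report
```

Both stale entries in the sample carry the pre-disconnect address 203.0.113.99, which is exactly the signature to look for: MASQUERADE is meant to drop such entries when the interface goes down, so anything left that points at an address the router no longer owns is worth attaching to a report. The masking keeps the first three octets, so the reader can still see which network a peer belonged to while the host part is hidden; on newer kernels the table lives in /proc/net/nf_conntrack with an extra address-family prefix per line, and the same filters apply unchanged.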