bugzilla-daemon@netfilter.org
2003-Aug-19 10:10 UTC
[Bug 105] Connection tracking table full, no new connections accepted
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=105

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |LATER

------- Additional Comments From laforge@netfilter.org  2003-08-19 12:10 -------
still waiting for the debugging data

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

bugzilla-daemon@netfilter.org
2003-Aug-28 06:41 UTC
[Bug 105] Connection tracking table full, no new connections accepted
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=105

brian-netfilter@admin.softhome.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |brian-netfilter@admin.softhome.net
             Status|RESOLVED                    |REOPENED
         OS/Version|Gentoo                      |Debian GNU/Linux
         Resolution|LATER                       |

------- Additional Comments From brian-netfilter@admin.softhome.net  2003-08-28 08:41 -------
I'm seeing this too. The bulk of entries in /proc/net/ip_conntrack are in the [ASSURED] state, dst or src the same IP address (all port 25). In this case 86% of the entries on this host are 20139 src and 20139 dst for that host:25.

The affected host does bare minimum filtering (but a lot of counters in the mangle table), and sits in front of another firewall that does use a heavy iptables-based firewall. Its /proc/net/ip_conntrack is an order of magnitude smaller.

The host with the overflowing conntrack table is running vanilla 2.4.21 plus sangoma modules from their wanpipe-2.3.0. The host with the small conntrack table is running 2.4.19-ac4.

I've increased ip_conntrack_max to deal with it. What data would you like?

I did see the similar effect with [UNREPLIED] in 2.4.20 (or was that 2.4.19?), which prompted the upgrade to 2.4.21.
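
The kind of tally quoted in the comment above (entries per flag such as [ASSURED] or [UNREPLIED], and the share held by one destination host:port), as an added example that is not part of the original bug thread or of netfilter's own tooling. It assumes the 2.4-era /proc/net/ip_conntrack line layout; the sample lines, function names and the 50% threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the 2.4-era ip_conntrack layout (documentation addresses).
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=40111 dport=25 src=192.0.2.10 dst=198.51.100.7 sport=25 dport=40111 [ASSURED] use=1
tcp      6 431871 ESTABLISHED src=198.51.100.8 dst=192.0.2.10 sport=40112 dport=25 src=192.0.2.10 dst=198.51.100.8 sport=25 dport=40112 [ASSURED] use=1
tcp      6 430102 ESTABLISHED src=203.0.113.9 dst=192.0.2.10 sport=51200 dport=25 src=192.0.2.10 dst=203.0.113.9 sport=25 dport=51200 [ASSURED] use=1
tcp      6 97 SYN_SENT src=203.0.113.9 dst=192.0.2.10 sport=51201 dport=25 [UNREPLIED] src=192.0.2.10 dst=203.0.113.9 sport=25 dport=51201 use=1
udp      17 12 src=198.51.100.7 dst=192.0.2.53 sport=33000 dport=53 src=192.0.2.53 dst=198.51.100.7 sport=53 dport=33000 use=1
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
FLAG = re.compile(r"\[(\w+)\]")

def summarize(lines):
    """Return (total, Counter of flags, Counter of (proto, dst, dport))."""
    total, flags, targets = 0, Counter(), Counter()
    for line in lines:
        fields = FIELD.findall(line)
        if not fields:
            continue  # blank or unrecognised line
        total += 1
        flag = FLAG.search(line)
        flags[flag.group(1) if flag else "NONE"] += 1
        orig = {}
        for key, value in fields:
            orig.setdefault(key, value)  # first tuple = original direction
        targets[(line.split()[0], orig.get("dst"), orig.get("dport"))] += 1
    return total, flags, targets

def dominant_target(lines, threshold=0.5):
    """Return (target, count, share) if one destination holds >= threshold."""
    total, _, targets = summarize(lines)
    if total == 0:
        return None
    target, count = targets.most_common(1)[0]
    share = count / total
    return (target, count, share) if share >= threshold else None

if __name__ == "__main__":
    try:
        with open("/proc/net/ip_conntrack") as fh:
            lines = fh.readlines()
    except OSError:
        lines = SAMPLE.splitlines()  # fall back to the constructed sample
    total, flags, targets = summarize(lines)
    print("entries:", total, dict(flags))
    for target, count in targets.most_common(5):
        print(f"{count:8d} {100 * count / total:5.1f}%  {target}")
```

Entries are keyed on the original-direction destination, so a mail host that appears as dst in the first tuple and src in the reply tuple is counted once per connection.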