* Reg iptables Connection tracking
@ 2003-01-10  5:03 Amit Kumar Gupta
  2003-01-10  5:32 ` Joel Newkirk
  2003-01-10 14:02 ` Athan
  0 siblings, 2 replies; 9+ messages in thread
From: Amit Kumar Gupta @ 2003-01-10  5:03 UTC (permalink / raw)
  To: netfilter



Hi List,

I am getting a problem with iptables :- 

I have added some rules in which I check the states of the packets which
I receive i.e. whether it is NEW, ESTABLISHED or INVALID and then do
some actions.

Now the problem which I am getting is :- (However I have already posted
a similar query reg this but I think this will be more elaborative).

As soon as somebody pings to my m/c , that fellow doesn't get the reply
and on my m/c , kernel keeps dumping certain messages which are like
this :-

ip_conntrack: maximum limit of 1016 entries exceeded.

Please help. 

Thanks & Regards,

Amit Kumar Gupta.

[-- Attachment #2: Wipro_Disclaimer.txt --]
[-- Type: text/plain, Size: 514 bytes --]

**************************Disclaimer************************************************

Information contained in this E-MAIL being proprietary to Wipro Limited is 
'privileged' and 'confidential' and intended for use only by the individual
 or entity to which it is addressed. You are notified that any use, copying 
or dissemination of the information contained in the E-MAIL in any manner 
whatsoever is strictly prohibited.

***************************************************************************************


* Re: Reg iptables Connection tracking
  2003-01-10  5:03 Amit Kumar Gupta
@ 2003-01-10  5:32 ` Joel Newkirk
  2003-01-10 14:02 ` Athan
  1 sibling, 0 replies; 9+ messages in thread
From: Joel Newkirk @ 2003-01-10  5:32 UTC (permalink / raw)
  To: Amit Kumar Gupta, netfilter

On Friday 10 January 2003 12:03 am, Amit Kumar Gupta wrote:
> Hi List,
>
> I am getting a problem with iptables :-
>
> I have added some rules in which I check the states of the packets
> which I receive i.e. whether it is NEW, ESTABLISHED or INVALID and
> then do some actions.
>
> Now the problem which I am getting is :- (However I have already
> posted a similar query reg this but I think this will be more
> elaborative).
>
> As soon as somebody pings to my m/c , that fellow doesn't get the
> reply and on my m/c , kernel keeps dumping certain messages which are
> like this :-
>
> ip_conntrack: maximum limit of 1016 entries exceeded.

Well, that's what's happening then.  The conntrack table is filling.  The 
real question is "why"?  How many machines are connected to/through this 
one, how many interfaces, subnets, etc?  Ping from LAN to firewall box, 
internet to LAN, what?  Just this box on the internet?  You need to 
elaborate still further for anyone to have much chance figuring out the 
source of your problem.  Since the conntrack limit is being reached, try 
"cat /proc/net/conntrack" and see what it's filled with.  (Probably 1016 
entries, but are they all legitimate traffic, or what?)

Conntrack is used for state and NAT both.  It might help if you also 
included the new state rules you added, and any NAT or state rules that 
were already in place.

j
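Joel's advice to look at what the table is actually holding can be scripted rather than eyeballed. What follows is an added example, not something posted in this thread and not netfilter project code: a small POSIX shell tool that reads a dump in the 2.4 /proc/net/ip_conntrack line layout (protocol name first, then the original-direction src=/dst= pair, an [UNREPLIED] flag while the reverse direction has never been seen; a later /proc/net/nf_conntrack dump, which prefixes each line with "ipv4 2", is also accepted) and reports the entry count, how many entries are still unreplied, the per-protocol split, and the original-direction source addresses that own the most entries. The five sample lines are constructed for the demonstration, and the exact field layout is my recollection of the 2.4 output, so treat it as an assumption; on a real box the same functions are fed the live file.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a conntrack table dump.
# Input lines in the 2.4 /proc/net/ip_conntrack layout, e.g.
#   icmp 1 29 src=A dst=B type=8 code=0 id=1 [UNREPLIED] src=B dst=A ... use=1
# Lines from /proc/net/nf_conntrack ("ipv4 2 icmp 1 29 src=...") are also
# handled: the protocol name is then the third field instead of the first.

# Constructed sample data for the demonstration, not captured from a real box:
# one SSH session, one DNS lookup, and three echo requests whose replies
# conntrack never saw.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.3 dst=10.0.0.1 sport=33000 dport=22 src=10.0.0.1 dst=192.168.1.3 sport=22 dport=33000 [ASSURED] use=1
udp      17 28 src=192.168.1.3 dst=192.168.1.1 sport=1024 dport=53 src=192.168.1.1 dst=192.168.1.3 sport=53 dport=1024 use=1
icmp     1 29 src=192.168.1.2 dst=192.168.1.1 type=8 code=0 id=1 [UNREPLIED] src=192.168.1.1 dst=192.168.1.2 type=0 code=0 id=1 use=1
icmp     1 29 src=192.168.1.2 dst=192.168.1.1 type=8 code=0 id=2 [UNREPLIED] src=192.168.1.1 dst=192.168.1.2 type=0 code=0 id=2 use=1
icmp     1 29 src=192.168.1.2 dst=192.168.1.1 type=8 code=0 id=3 [UNREPLIED] src=192.168.1.1 dst=192.168.1.2 type=0 code=0 id=3 use=1'

# Number of entries (every entry carries at least one src= field).
ct_total() {
    awk '/src=/ { n++ } END { print n + 0 }'
}

# Entries whose reply direction has never been seen by conntrack.
ct_unreplied() {
    awk '/src=/ && /\[UNREPLIED\]/ { n++ } END { print n + 0 }'
}

# "count protocol" lines, busiest protocol first.
ct_by_proto() {
    awk '/src=/ {
            p = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
            c[p]++
         }
         END { for (p in c) print c[p], p }' | sort -rn
}

# "count address" lines for the original-direction source (the first
# src= field on the line), limited to the top $1 entries (default 5).
ct_top_src() {
    awk '/src=/ {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "src=") { c[substr($i, 5)]++; break }
         }
         END { for (s in c) print c[s], s }' | sort -rn | head -n "${1:-5}"
}

# Full report from a dump on stdin, e.g.  ct_report < /proc/net/ip_conntrack
ct_report() {
    dump=$(cat)
    echo "entries:   $(printf '%s\n' "$dump" | ct_total)"
    echo "unreplied: $(printf '%s\n' "$dump" | ct_unreplied)"
    echo "by protocol (count proto):"
    printf '%s\n' "$dump" | ct_by_proto
    echo "top original-direction sources (count addr):"
    printf '%s\n' "$dump" | ct_top_src 5
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | ct_report
```

The two numbers worth reading together are the unreplied count and the top source: a table dominated by [UNREPLIED] ICMP entries from one host means conntrack is creating an entry per echo request and never seeing the echo reply come back through it, which is the symptom described above (the pinger gets no reply), whereas a table full of [ASSURED] TCP flows means the box is simply carrying more connections than ip_conntrack_max allows and the limit is what needs raising.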




* Re: Reg iptables Connection tracking
@ 2003-01-10 10:34 Amit Kumar Gupta
  2003-01-10 16:39 ` Athan
  0 siblings, 1 reply; 9+ messages in thread
From: Amit Kumar Gupta @ 2003-01-10 10:34 UTC (permalink / raw)
  To: netfilter




On Friday 10 January 2003 12:37 am, you wrote:
> Hi,
>
> Well, Only 2 machines are attached in the inhome network and the
> firewall I am using is written using iptables rule. Well, the
> interesting point is :- There is no
> /proc/sys/net/ipv4/ip_conntrack_max file . What I mean is the max
> length it takes from this file and this file doesn't exist as I am not
> using /proc file system. (This mean that in the kernel CONFIG_SYSCTL
> option is not set).
>
> Well I am able to see upto this point. I went through the code flow
> also. But I don't know why it prints the message(Even if increasing
> the value from 1016 to 4096 by hardcoding it in the kernel). Another
> issue is I don't know how it is taking 1016. As There is no /proc file
> system, and by default it should take 0.

Hmmm. I suspect it is taking a 1024 default then, the actual number of 
entries usually seems to be (2^n)-8.  The following probably explains 
/where/ the value is coming from:

int __init ip_conntrack_init(void)
{
	unsigned int i;
	int ret;

	/* Idea from tcp.c: use 1/16384 of memory.  On i386: 32MB
	 * machine has 256 buckets.  >= 1GB machines have 8192 buckets.
	 */
	if (hashsize) {
		ip_conntrack_htable_size = hashsize;
	} else {
		ip_conntrack_htable_size
			= (((num_physpages << PAGE_SHIFT) / 16384)
			   / sizeof(struct list_head));


Not that this helps much.  The real problem is WHAT is the conntrack 
table filling with.  And I suspect it may be nothing, that you have a 
problem because it is trying to use /proc/net/conntrack and there IS no 
/proc/net/conntrack.  The message may be triggering incorrectly, 
presuming that since it cannot write another entry to 
/proc/net/conntrack that the table is full.

The fact that you only have two machines pretty much eliminates traffic 
as a source of legitimately filling it... :^)  

I'm out of ideas for the moment, other than the above, that it will need
/proc in order to work.  If I think of something else I'll email you 
again.  Sorry.

j




* Re: Reg iptables Connection tracking
  2003-01-10  5:03 Amit Kumar Gupta
  2003-01-10  5:32 ` Joel Newkirk
@ 2003-01-10 14:02 ` Athan
  1 sibling, 0 replies; 9+ messages in thread
From: Athan @ 2003-01-10 14:02 UTC (permalink / raw)
  To: Amit Kumar Gupta; +Cc: netfilter


On Fri, Jan 10, 2003 at 10:33:48AM +0530, Amit Kumar Gupta wrote:
> As soon as somebody pings to my m/c , that fellow doesn't get the reply
> and on my m/c , kernel keeps dumping certain messages which are like
> this :-
> 
> ip_conntrack: maximum limit of 1016 entries exceeded.

   echo 32760 > /proc/sys/net/ipv4/ip_conntrack_max

Works to increase the size of the table.  I had a problem with a default
of ~4092 for this when I was copying LOTS of files between machines
using "get -R directory" in ncftp.  The above cured it.

HTH,

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME



* RE: Reg iptables Connection tracking
@ 2003-01-10 14:25 Amit Kumar Gupta
  0 siblings, 0 replies; 9+ messages in thread
From: Amit Kumar Gupta @ 2003-01-10 14:25 UTC (permalink / raw)
  To: Athan; +Cc: netfilter


Hi,

But As I have told previously, (in my previous mails), I don't have
/proc file system. So it is taking the default value of 1016.
Even I changed the kernel code also by hardcoding this value in
init_conntrack function to 4096 but it didn't have any effect.

Still it keeps dumping kernel messages.

Regards,
Amit

-----Original Message-----
From: Athan [mailto:netfilter@miggy.org] 
Sent: Friday, January 10, 2003 7:33 PM
To: Amit Kumar Gupta
Cc: netfilter@lists.netfilter.org
Subject: Re: Reg iptables Connection tracking

On Fri, Jan 10, 2003 at 10:33:48AM +0530, Amit Kumar Gupta wrote:
> As soon as somebody pings to my m/c , that fellow doesn't get the reply
> and on my m/c , kernel keeps dumping certain messages which are like
> this :-
> 
> ip_conntrack: maximum limit of 1016 entries exceeded.

   echo 32760 > /proc/sys/net/ipv4/ip_conntrack_max

Works to increase the size of the table.  I had a problem with a default
of ~4092 for this when I was copying LOTS of files between machines
using "get -R directory" in ncftp.  The above cured it.

HTH,

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME



* Re: Reg iptables Connection tracking
  2003-01-10 10:34 Amit Kumar Gupta
@ 2003-01-10 16:39 ` Athan
  0 siblings, 0 replies; 9+ messages in thread
From: Athan @ 2003-01-10 16:39 UTC (permalink / raw)
  To: Amit Kumar Gupta; +Cc: netfilter


On Fri, Jan 10, 2003 at 04:04:54PM +0530, Amit Kumar Gupta wrote:
> On Friday 10 January 2003 12:37 am, you wrote:
> > Well I am able to see upto this point. I went through the code flow
> > also. But I don't know why it prints the message(Even if increasing
> > the value from 1016 to 4096 by hardcoding it in the kernel). Another
> > issue is I don't know how it is taking 1016. As There is no /proc file
> > system, and by default it shoud take 0.

   I missed this before, sorry.  Is this due to specifically disabling
/proc and/or specifically not mounting it for security reasons?  If not,
just enable it and mount it already.

> Not that this helps much.  The real problem is WHAT is the conntrack 
> table filling with.  And I suspect it may be nothing, that you have a 
> problem because it is trying to use /proc/net/conntrack and there IS no 
> /proc/net/conntrack.  The message may be triggering incorrectly, 
> presuming that since it cannot write another entry to 
> /proc/net/conntrack that the table is full.

   Er, no.  That's not what /proc/net/ip_conntrack is.  It doesn't EXIST
as such until you try to read from it.  All of /proc is virtual.  Just
because you have no /proc and can't get at 'files' in it doesn't mean
the SOURCE of their data doesn't exist.

> /proc in order to work.  If I think of something else I'll email you 
> again.  Sorry.

   I'd certainly recommend having /proc around as well.  There's the
sysctl() interface for querying/changing some values too.  Aha! You can
set net/ipv4/ip_conntrack_max from this too *8-):

	sysctl -w net/ipv4/ip_conntrack_max=32768

If your kernel doesn't have the sysctl support then, er, you're kind of
shooting yourself in the foot for tuning things at ALL, including things
like turning IP forwarding on and off, global TCP ECN support, SYN
cookies etc....

HTH,

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME



* RE: Reg iptables Connection tracking
@ 2003-01-11  5:06 Amit Kumar Gupta
  0 siblings, 0 replies; 9+ messages in thread
From: Amit Kumar Gupta @ 2003-01-11  5:06 UTC (permalink / raw)
  To: Athan; +Cc: netfilter


Hi,

I am using Embedix platform in which If I enable CONFIG_SYSCTL, the
image doesn't come up on the H/w. So I have to disable this. (There have
been some changes in the Kernel to suit this which work fine.) Now in
conntrack module I don't have this option so my conntrack ctl_table will
not be registered with ipv4 table. So I was hardcoding the value of
ip_conntrack_max. Will it help?

Another issue is I don't have enough memory on the board to have the sysctl
command.

Can you suggest something which I can do?

Regards,
Amit


-----Original Message-----
From: Athan [mailto:netfilter@miggy.org] 
Sent: Friday, January 10, 2003 10:09 PM
To: Amit Kumar Gupta
Cc: netfilter@lists.netfilter.org
Subject: Re: Reg iptables Connection tracking

On Fri, Jan 10, 2003 at 04:04:54PM +0530, Amit Kumar Gupta wrote:
> On Friday 10 January 2003 12:37 am, you wrote:
> > Well I am able to see upto this point. I went through the code flow
> > also. But I don't know why it prints the message(Even if increasing
> > the value from 1016 to 4096 by hardcoding it in the kernel). Another
> > issue is I don't know how it is taking 1016. As There is no /proc file
> > system, and by default it should take 0.

   I missed this before, sorry.  Is this due to specifically disabling
/proc and/or specifically not mounting it for security reasons?  If not,
just enable it and mount it already.

> Not that this helps much.  The real problem is WHAT is the conntrack 
> table filling with.  And I suspect it may be nothing, that you have a 
> problem because it is trying to use /proc/net/conntrack and there IS no 
> /proc/net/conntrack.  The message may be triggering incorrectly, 
> presuming that since it cannot write another entry to 
> /proc/net/conntrack that the table is full.

   Er, no.  That's not what /proc/net/ip_conntrack is.  It doesn't EXIST
as such until you try to read from it.  All of /proc is virtual.  Just
because you have no /proc and can't get at 'files' in it doesn't mean
the SOURCE of their data doesn't exist.

> /proc in order to work.  If I think of something else I'll email you 
> again.  Sorry.

   I'd certainly recommend having /proc around as well.  There's the
sysctl() interface for querying/changing some values too.  Aha! You can
set net/ipv4/ip_conntrack_max from this too *8-):

	sysctl -w net/ipv4/ip_conntrack_max=32768

If your kernel doesn't have the sysctl support then, er, you're kind of
shooting yourself in the foot for tuning things at ALL, including things
like turning IP forwarding on and off, global TCP ECN support, SYN
cookies etc....

HTH,

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME



* Reg iptables Connection tracking
@ 2003-01-14 12:56 Amit Kumar Gupta
  2003-01-14 14:09 ` Filip Sneppe
  0 siblings, 1 reply; 9+ messages in thread
From: Amit Kumar Gupta @ 2003-01-14 12:56 UTC (permalink / raw)
  To: Amit Kumar Gupta; +Cc: netfilter



Hi List,

Again posting the same question on the list, as I have tried many ways
and didn't get any clues.

As soon as I ping from inhome to the RG's internal, it just keeps filling
the ip_conntrack file and it goes beyond ip_conntrack_max entries. I
don't know why the internal address is not replying. 

If Any clues, Please Help.

Thanks & Regards,
Amit

-----Original Message-----
From: Amit Kumar Gupta 
Sent: Saturday, January 11, 2003 10:37 AM
To: Athan
Cc: netfilter@lists.netfilter.org
Subject: RE: Reg iptables Connection tracking

Hi,

I am using Embedix platform in which If I enable CONFIG_SYSCTL, the
image doesn't come up on the H/w. So I have to disable this. (There have
been some changes in the Kernel to suit this which work fine.) Now in
conntrack module I don't have this option so my conntrack ctl_table will
not be registered with ipv4 table. So I was hardcoding the value of
ip_conntrack_max. Will it help?

Another issue is I don't have enough memory on the board to have the sysctl
command.

Can you suggest something which I can do?

Regards,
Amit


-----Original Message-----
From: Athan [mailto:netfilter@miggy.org] 
Sent: Friday, January 10, 2003 10:09 PM
To: Amit Kumar Gupta
Cc: netfilter@lists.netfilter.org
Subject: Re: Reg iptables Connection tracking

On Fri, Jan 10, 2003 at 04:04:54PM +0530, Amit Kumar Gupta wrote:
> On Friday 10 January 2003 12:37 am, you wrote:
> > Well I am able to see upto this point. I went through the code flow
> > also. But I don't know why it prints the message(Even if increasing
> > the value from 1016 to 4096 by hardcoding it in the kernel). Another
> > issue is I don't know how it is taking 1016. As There is no /proc file
> > system, and by default it should take 0.

   I missed this before, sorry.  Is this due to specifically disabling
/proc and/or specifically not mounting it for security reasons?  If not,
just enable it and mount it already.

> Not that this helps much.  The real problem is WHAT is the conntrack 
> table filling with.  And I suspect it may be nothing, that you have a 
> problem because it is trying to use /proc/net/conntrack and there IS no 
> /proc/net/conntrack.  The message may be triggering incorrectly, 
> presuming that since it cannot write another entry to 
> /proc/net/conntrack that the table is full.

   Er, no.  That's not what /proc/net/ip_conntrack is.  It doesn't EXIST
as such until you try to read from it.  All of /proc is virtual.  Just
because you have no /proc and can't get at 'files' in it doesn't mean
the SOURCE of their data doesn't exist.

> /proc in order to work.  If I think of something else I'll email you 
> again.  Sorry.

   I'd certainly recommend having /proc around as well.  There's the
sysctl() interface for querying/changing some values too.  Aha! You can
set net/ipv4/ip_conntrack_max from this too *8-):

	sysctl -w net/ipv4/ip_conntrack_max=32768

If your kernel doesn't have the sysctl support then, er, you're kind of
shooting yourself in the foot for tuning things at ALL, including things
like turning IP forwarding on and off, global TCP ECN support, SYN
cookies etc....

HTH,

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME



* Re: Reg iptables Connection tracking
  2003-01-14 12:56 Reg iptables Connection tracking Amit Kumar Gupta
@ 2003-01-14 14:09 ` Filip Sneppe
  0 siblings, 0 replies; 9+ messages in thread
From: Filip Sneppe @ 2003-01-14 14:09 UTC (permalink / raw)
  To: Amit Kumar Gupta; +Cc: netfilter

Amit,

This looks like a bug, so I guess you had better take this
report to netfilter-devel with as much info as possible.

Could you also cat a full ip_conntrack to a temp file
and put it somewhere online to accompany your bugreport.

Reporting this to netfilter-devel doesn't guarantee that
you will get a quick solution to your problem
(your setup is quite different from most people's...),
but at least it could be put in the KNOWN-BUGS section
so someone could eventually get around to fixing this...

Regards,
Filip

On Tue, 2003-01-14 at 13:56, Amit Kumar Gupta wrote:
> 
> Hi List,
> 
> Again posting the same question on the list, as I have tried many ways
> and didn't get any clues.
> 
> As soon as I ping from inhome to the RG's internal, it just keeps filling
> the ip_conntrack file and it goes beyond ip_conntrack_max entries. I
> don't know why the internal address is not replying. 
> 
> If Any clues, Please Help.
> 
> Thanks & Regards,
> Amit
> 
> -----Original Message-----
> From: Amit Kumar Gupta 
> Sent: Saturday, January 11, 2003 10:37 AM
> To: Athan
> Cc: netfilter@lists.netfilter.org
> Subject: RE: Reg iptables Connection tracking
> 
> Hi,
> 
> I am using Embedix platform in which If I enable CONFIG_SYSCTL, the
> image doesn't come up on the H/w. So I have to disable this. (There have
> been some changes in the Kernel to suit this which work fine.) Now in
> conntrack module I don't have this option so my conntrack ctl_table will
> not be registered with ipv4 table. So I was hardcoding the value of
> ip_conntrack_max. Will it help?
> 
> Another issue is I don't have enough memory on the board to have the sysctl
> command.
> 
> Can you suggest something which I can do?
> 
> Regards,
> Amit
> 
> 




