From: Giovanni Cardone <g_cardone@libero.it>
To: netfilter@lists.samba.org
Subject: conntrack problems
Date: Tue, 4 Jun 2002 12:24:34 +0200 [thread overview]
Message-ID: <20020604122434.A667@rainbow> (raw)
Hi, on a dial-up(56k) machine I'm looking at iptables 1.2.6a with both kernel
2.4.13 and 2.4.18. It's 1 months that I'm having troubles with the conntrack.
I have a lot of packets like 'new not syn'(you know what I'm talking about..)
with some combos of flags on them:
ACK FIN
ACK PSH FIN
ACK RST
ACK only
They come from connections with web servers like Google.com,
SecurityFocus.com and so on and from news server like
Powernews.libero.it(Libero is one of the biggest provider in Italy). So, I
suspect that, because I've found only few cases like mine, those ones aren't
broken at all :)
I think the problem is in my conntrack that loss some(a lot...) of packets.
I've used some scripts for the iptables configuration, but it always happen.
then, I read about a patch from Rusty some month ago that increase one of the
timeouts in the kernel source(It was the TCP_CONNTRACK_CLOSE_WAIT timeout from
60 SECS to 2 MINS). I got it but nothing change. Then, I was thinking it could
be really a problem with timeouts, especially because this machine have a poor
dial-up access to the Net and it often goes sooo slow...
So I did this: I run tcpdump and capture some sessions that presents the loss
of packest trouble. Then I looked at those 'lossed packets' and I noticed that
the 'arrival time' of the losed packets had a distance with the one that
precede it(and that was traced correctly by iptables) of circa 12-14
SECS(never more than that). I mean:
arrival time type
............ traced packet
18.24.23.4456 traced packet
18.24.35.5678 losed packets
-------------
12 secs
Then I looked into the kernel source for a timeout that match my(stupid)
thought. I've found TCP_CONNTRACK_CLOSE with 10 SECS, and I changed this to 2
MINS. Initially it seems(yep, <cite>I have a dream...</cite> :) to me that the
losed packets decrements, but these days I receive costantly a lot of them.
With no other ideas, I've played a little with the timeouts, increasing them
like this
5 MINS, /* TCP_CONNTRACK_CLOSE_WAIT */,
1 MINS, /* TCP_CONNTRACK_LAST_ACK, */
because I was thinking that maybe the 56k goes really slow some times but I
can't see good results :(
So I tried with this stupid methods, have you any advice at this? What it
could be? And then, I tried to add the tcp-window-tracking patch(the one in
iptables-1.2.6a) by Jozsef Kadlecsik on both 2.4.13 and 2.4.18 but it fails to
apply :( What version of iptables(maybe 1.2.7 ???) is known to work properly
with 2.4.18 at this time? Maybe a new kernel? What I've to download?
Many thanks for your patience in advice
next reply other threads:[~2002-06-04 10:24 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-06-04 10:24 Giovanni Cardone [this message]
2002-06-04 13:34 ` alternate tables and ipv6 Gabriel Paues
2002-06-05 21:36 ` Andras Kis-Szabo
2002-06-06 8:20 ` Gabriel Paues
2002-06-05 21:19 ` conntrack problems Nick Drage
2002-06-05 21:36 ` Tom Eastep
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20020604122434.A667@rainbow \
--to=g_cardone@libero.it \
--cc=netfilter@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.