* Asym. router has problems with full ip_conntrack table in 2.4.20
@ 2003-01-27 11:26 Christian Hammers
2003-01-27 11:40 ` Martin Josefsson
2003-01-27 12:24 ` Patrick Schaaf
0 siblings, 2 replies; 3+ messages in thread
From: Christian Hammers @ 2003-01-27 11:26 UTC (permalink / raw)
To: netfilter-devel
Hello
I use kernel 2.4.20 and iptables filter (no NAT or stateful filtering!) on
a router that is part of a large network and has many asymmetric routes,
i.e. inbound packets of some connections go over this host but replies
are sent via another router. Therefore stateful packet filtering would
have no chance to get some kind of ESTABLISHED state or similar and is
completely disabled.
Now sadly the /proc/net/ip_conntrack still exists and slowly fills up,
which leads to the following message after a while of uptime:
ip_conntrack: table full, dropping packet.
The /proc/sys/net/ipv4/ip_conntrack_max exists, too.
I can play around with it but even "-1" or "0" do not seem to disable the
table, nor to flush it.
I have rebooted the machine already.
lsmod shows only the following (relevant), ipt_conntrack.o is
at least compiled and installed in /lib/modules/* although not loaded.
ipt_MARK 800 0 (autoclean)
iptable_mangle 2208 0 (autoclean)
ipt_LOG 3200 2 (autoclean)
iptable_filter 1760 1 (autoclean)
ip_tables 13184 4 [ipt_MARK iptable_mangle ipt_LOG iptable_filter]
I currently have:
lx01:/home/ch# wc -l /proc/net/ip_conntrack
25963 /proc/net/ip_conntrack
(all normal traffic, 99% in state [UNREPLIED] due to asymmetric routing)
I can reproduce on my desktop machine that the /proc files are active
without having ipt_conntrack.o loaded and that I really have packet loss
when the tables fill up!
TIA & bye,
-christian-
--
Christian Hammers WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
Lütticher Strasse 10 Tel 0241/701333-11
ch@westend.com D-52064 Aachen Fax 0241/911879
* Re: Asym. router has problems with full ip_conntrack table in 2.4.20
From: Martin Josefsson @ 2003-01-27 11:40 UTC (permalink / raw)
To: Christian Hammers; +Cc: Netfilter-devel
On Mon, 2003-01-27 at 12:26, Christian Hammers wrote:
[big snip]
> I can reproduce on my desktop machine that the /proc files are active
> without having ipt_conntrack.o loaded and that I really have packet loss
> when the tables fill up!
ipt_conntrack != ip_conntrack
ipt_conntrack is a match to match on conntrack states.
ip_conntrack is the connection tracking.
Remove ip_conntrack and all should be fine.
This isn't a development related issue, please post further problems on
this matter to netfilter@lists.netfilter.org
(and remove this list from the recipients)
(I'm sending my reply to the list you mailed just to let people know
that I've already answered your mail)
--
/Martin
Never argue with an idiot. They drag you down to their level, then beat you with experience.
* Re: Asym. router has problems with full ip_conntrack table in 2.4.20
From: Patrick Schaaf @ 2003-01-27 12:24 UTC (permalink / raw)
To: Christian Hammers; +Cc: netfilter-devel
> I use kernel 2.4.20 and iptables filter (no NAT or stateful filtering!) on
> a router that is part of a large network and has many asymmetric routes,
> i.e. inbound packets of some connections go over this host but replies
> are sent via another router. Therefore stateful packet filtering would
> have no chance to get some kind of ESTABLISHED state or similar and is
> completely disabled.
ESTABLISHED is reached unidirectionally, as soon as a packet successfully
passes through your box. If the return direction is completely different,
then those conntrack entries won't be ASSURED, and will be preferentially
reaped when the tracking table is full.
> Now sadly the /proc/net/ip_conntrack still exists and slowly fills up,
Can you characterize what kinds of connections fill up the table?
The normal timeouts should still apply, and I _think_ that the
TCP state engine should work, too (i.e. properly terminated
TCP connections should be flushed in short time, once the FINs
are seen).
Somebody please correct me loudly, if that is not true.
However, you appear to not want conntracking at all. You write:
> lsmod shows only the following (relevant), ipt_conntrack.o is
> at least compiled and installed in /lib/modules/* although not loaded.
> ipt_MARK 800 0 (autoclean)
> iptable_mangle 2208 0 (autoclean)
> ipt_LOG 3200 2 (autoclean)
> iptable_filter 1760 1 (autoclean)
> ip_tables 13184 4 [ipt_MARK iptable_mangle ipt_LOG iptable_filter]
>
> I currently have:
> lx01:/home/ch# wc -l /proc/net/ip_conntrack
> 25963 /proc/net/ip_conntrack
> (all normal traffic, 99% in state [UNREPLIED] due to asymmetric routing)
You CANNOT have /proc/net/ip_conntrack if ip_conntrack.o is a module,
and not loaded. Thus, it is almost certain that the kernel you run,
has ip_conntrack compiled in. Please check the boot messages; there
should be a mention of "ip_conntrack", which also tells you the
boottime ip_conntrack_max selection.
best regards
Patrick
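The checks discussed in this thread, as an added shell example that is not part of the original mails or of the netfilter project: count [UNREPLIED] against [ASSURED] entries in the 2.4 /proc/net/ip_conntrack layout (the entries Patrick says are reaped first), compare the table size with ip_conntrack_max before the "table full, dropping packet" message appears, and tell a loaded ip_conntrack module (which rmmod removes, as Martin suggests) from a compiled-in one (which lsmod does not list). The conntrack lines in SAMPLE_CONNTRACK are constructed, not captured from the poster's router, and the ip_conntrack_max value used in the usage line (32760) is a hypothetical figure.

```shell
#!/bin/sh
# Added example, not from the thread: measure how much of a 2.4 conntrack
# table is taken up by one-way (non-ASSURED) entries and check the headroom
# against ip_conntrack_max.
#
# SAMPLE_CONNTRACK is a constructed sample in the 2.4 /proc/net/ip_conntrack
# layout (addresses and counters made up). [UNREPLIED] sits between the two
# tuples; [ASSURED] comes after the reply tuple.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=198.51.100.10 sport=40312 dport=80 src=198.51.100.10 dst=10.1.1.5 sport=80 dport=40312 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.1.1.6 dst=198.51.100.11 sport=40500 dport=443 [UNREPLIED] src=198.51.100.11 dst=10.1.1.6 sport=443 dport=40500 use=1
tcp      6 299 ESTABLISHED src=10.1.1.8 dst=198.51.100.12 sport=40600 dport=22 [UNREPLIED] src=198.51.100.12 dst=10.1.1.8 sport=22 dport=40600 use=1
udp      17 28 src=10.1.1.7 dst=198.51.100.53 sport=5353 dport=53 [UNREPLIED] src=198.51.100.53 dst=10.1.1.7 sport=53 dport=5353 use=1
icmp     1 29 src=10.1.1.9 dst=198.51.100.1 type=8 code=0 id=1234 [UNREPLIED] src=198.51.100.1 dst=10.1.1.9 type=0 code=0 id=1234 use=1'

# conntrack_summary: read conntrack lines on stdin and print one line
# "total=N unreplied=N assured=N other=N". "other" entries have seen a
# reply but not yet enough traffic to become ASSURED.
conntrack_summary() {
    awk '
        { total++ }
        /\[UNREPLIED\]/ { unreplied++; next }
        /\[ASSURED\]/   { assured++;   next }
        { other++ }
        END { printf "total=%d unreplied=%d assured=%d other=%d\n",
                     total, unreplied, assured, other }
    '
}

# unreplied_percent: integer percentage of entries tagged [UNREPLIED].
unreplied_percent() {
    awk '
        { total++ }
        /\[UNREPLIED\]/ { unreplied++ }
        END { if (total == 0) print 0; else print int(100 * unreplied / total) }
    '
}

# conntrack_headroom COUNT MAX [THRESHOLD]: print "COUNT/MAX (PCT%)" and
# succeed only while PCT is below THRESHOLD (default 90), so a cron job can
# alert before the kernel starts logging "ip_conntrack: table full".
conntrack_headroom() {
    count=$1; max=$2; threshold=${3:-90}
    if [ "$max" -le 0 ]; then
        echo "invalid ip_conntrack_max: $max"
        return 2
    fi
    pct=$(( count * 100 / max ))
    printf '%d/%d (%d%%)\n' "$count" "$max" "$pct"
    [ "$pct" -lt "$threshold" ]
}

# live_check: run the same checks against the running kernel, if it tracks
# connections at all. A /proc/net/ip_conntrack that exists while lsmod shows
# no ip_conntrack module means conntrack is compiled into the kernel and
# cannot be unloaded; only a kernel built without it removes the table.
live_check() {
    if [ ! -r /proc/net/ip_conntrack ]; then
        echo "no /proc/net/ip_conntrack: connection tracking is not active"
        return 0
    fi
    conntrack_summary < /proc/net/ip_conntrack
    count=$(wc -l < /proc/net/ip_conntrack)
    max=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
    conntrack_headroom "$count" "$max" || echo "WARNING: conntrack table nearly full"
    if lsmod 2>/dev/null | grep -q '^ip_conntrack '; then
        echo "ip_conntrack is a loaded module: 'rmmod ip_conntrack' stops tracking"
    else
        echo "ip_conntrack not listed by lsmod: compiled in (see dmesg | grep ip_conntrack)"
    fi
}

# Demonstration on the constructed sample (hypothetical max of 32760).
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary
conntrack_headroom 25963 32760 || echo "WARNING: conntrack table nearly full"
```

Run `live_check` on the router itself to get the real figures; on a box where conntrack is a loaded module and no ipt_state, ipt_conntrack or NAT rule references it, `rmmod ip_conntrack` makes /proc/net/ip_conntrack disappear together with the table.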