Re: another conntrack table query

Re: another conntrack table query

[Alexander W. Janssen]

[-- Attachment #1: Type: text/plain, Size: 566 bytes --]

On Fri, Jan 31, 2003 at 08:05:26PM +0530, Nimit Gupta wrote:
> hello,
> 	one more thing on what basis the time for UNREPLIED entries gets
> reset? is there a link where such things are explained in detail?

You might want to read [1]. They get kicked out as soon as the conntrack-table
becomes full. 

HTH, Alex.

[1] http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.16
 

-- 
"Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
Instructions for use of this post: Insert tounge in cheek. Read as normal.

[-- Attachment #2: Type: application/pgp-signature, Size: 248 bytes --]

Re: another conntrack table query

[Alexander W. Janssen]

[-- Attachment #1: Type: text/plain, Size: 565 bytes --]

On Fri, Jan 31, 2003 at 08:05:26PM +0530, Nimit Gupta wrote:
> hello,
> 	one more thing on what basis the time for UNREPLIED entries gets
> reset? is there a link where such things are explained in detail?
 
You might want to read [1]. They get kicked out as soon as the conntrack-table
becomes full.

HTH, Alex.

[1] http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.16


-- 
"Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
Instructions for use of this post: Insert tounge in cheek. Read as normal.

[-- Attachment #2: Type: application/pgp-signature, Size: 248 bytes --]

another conntrack table query

[Nimit Gupta]

hello,
	can somebody point me to a link or answer why does the conntrack table
keeps the entry for connections marked as TIME_WAIT, and if it is not so
useful how can i remove them as soon as the connection finishes.

with regards,
nimit.

Re: another conntrack table query

[Athan]

[-- Attachment #1: Type: text/plain, Size: 971 bytes --]

On Fri, Jan 31, 2003 at 04:10:23PM +0530, Nimit Gupta wrote:
> hello,
> 	can somebody point me to a link or answer why does the conntrack table
> keeps the entry for connections marked as TIME_WAIT, and if it is not so
> useful how can i remove them as soon as the connection finishes.

  My guess would be because it is still waiting for the remote end to
fully close the connection.  This means there's the possibility of
further packets getting sent to that local ip:port.  If you delete the
entry and the port gets reused you'll possibly have two remote ip:port's
both trying to send traffic to the same local ip:port and causing
erroneous RSTs of the connection.

  Or something like that.

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

[-- Attachment #2: Type: application/pgp-signature, Size: 240 bytes --]

Re: another conntrack table query

[Nimit Gupta]

hello,
	one more thing on what basis the time for UNREPLIED entries gets
reset? is there a link where such things are explained in detail?


thanks for your help.

with regards,
nimit.

On Fri, 31 Jan 2003, Athan wrote:

> On Fri, Jan 31, 2003 at 04:10:23PM +0530, Nimit Gupta wrote:
> > hello,
> > 	can somebody point me to a link or answer why does the conntrack table
> > keeps the entry for connections marked as TIME_WAIT, and if it is not so
> > useful how can i remove them as soon as the connection finishes.
>
>   My guess would be because it is still waiting for the remote end to
> fully close the connection.  This means there's the possibility of
> further packets getting sent to that local ip:port.  If you delete the
> entry and the port gets reused you'll possibly have two remote ip:port's
> both trying to send traffic to the same local ip:port and causing
> erroneous RSTs of the connection.
>
>   Or something like that.
>
> -Ath