From: Pablo Neira <pablo@eurodev.net>
To: Herve Eychenne <rv@wallfire.org>,
Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>
Subject: Re: ip_conntrack cleanup on reconnection?
Date: Sat, 10 Jul 2004 17:36:54 +0200 [thread overview]
Message-ID: <40F00D16.9040109@eurodev.net> (raw)
In-Reply-To: <20040710115729.GA2230@eychenne.org>
Hi Herve,
Herve Eychenne wrote:
>>Having a look at net/ip_MASQUARDE.c the ip_conntrack list should be empty
>>after a device was down (cleanup?), but
>>the list still is full of entries.
>>Shouldnt the list be empty or, at least rewritten with the new
>>ip-addresses?
>>
>>
>
>Yes, it should. During the last netfilter workshop, after one of my remarks,
>Rusty Russell wrote a patch to the MASQUERADE target which cleans the tables
>only if the address changes (before, they were cleaned
>unconditionnaly).
>I don't know when the patch was applied upstream in 2.4 or if it's related
>to your problem...
>
>
If I think that I observed a similar behaviour in 2.6, but using
DNAT/SNAT targets instead of MASQUERADE. Well, actually I'm not sure if
this exactly what you mean.
root@legba:/home/pablo# iptables -I POSTROUTING -t nat -j SNAT --to
192.168.30.30
root@legba:/home/pablo# telnet 192.168.0.44 80
Trying 192.168.0.44... ^c
root@legba:/home/pablo# cat /proc/net/ip_conntrack
tcp 6 114 SYN_SENT src=192.168.0.3 dst=192.168.0.44 sport=32779
dport=80 [UNREPLIED] src=192.168.0.44 dst=192.168.30.30 sport=80
dport=32779 use=1
^^^
root@legba:/home/pablo# iptables -D POSTROUTING -t nat -j SNAT --to
192.168.30.30
root@legba:/home/pablo# cat /proc/net/ip_conntrack
tcp 6 108 SYN_SENT src=192.168.0.3 dst=192.168.0.44 sport=32779
dport=80 [UNREPLIED] src=192.168.0.44 dst=192.168.30.30 sport=80
dport=32779 use=1
^^^
root@legba:/home/pablo# telnet 192.168.0.44 80
Trying 192.168.0.44...
root@legba:/home/pablo# cat /proc/net/ip_conntrack
tcp 6 2 SYN_SENT src=192.168.0.3 dst=192.168.0.44 sport=32779
dport=80 [UNREPLIED] src=192.168.0.44 dst=192.168.30.30 sport=80
dport=32779 use=1
^^^
tcp 6 106 SYN_SENT src=192.168.0.3 dst=192.168.0.44 sport=32780
dport=80 [UNREPLIED] src=192.168.0.44 dst=192.168.0.3 sport=80
dport=32780 use=1
^^^
I'll have a look at this issue (just for fun (tm)), I'll also look for
that Rusty's patch if someone doesn't post it to the list before. This
could generate a lot of established (for tcp) entries with a long
timeout but, it's also true that I don't usually remove NAT rules once
the box is configured.
regards,
Pablo
next prev parent reply other threads:[~2004-07-10 15:36 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-07-05 13:20 ip_conntrack cleanup on reconnection? Daimonion
2004-07-10 11:57 ` Herve Eychenne
2004-07-10 15:36 ` Pablo Neira [this message]
2004-07-11 2:06 ` Henrik Nordstrom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40F00D16.9040109@eurodev.net \
--to=pablo@eurodev.net \
--cc=netfilter-devel@lists.netfilter.org \
--cc=rv@wallfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.