From: Matthew Schumacher <matt.s@aptalaska.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter@lists.netfilter.org
Subject: Re: ip_conntrack table is full with razor requests. Something isn't timing out.
Date: Wed, 02 Mar 2005 09:58:58 -0900
Message-ID: <42260CF2.4080404@aptalaska.net>
In-Reply-To: <Pine.LNX.4.58.0503020853460.16314@blackhole.kfki.hu>
Jozsef Kadlecsik wrote:
> Hi,
>
> On Tue, 1 Mar 2005, Matthew Schumacher wrote:
>
>
>>Since upgrading to 2.6.10 I have been having problems with my
>>ip_conntrack table filling up. It appears it is full of razor
>>(http://razor.sf.net) requests from my internal mail server.
>>
>>I raised the ip_conntrack_max to 8192 and there are only a few hosts
>>behind nat so I am certain something isn't getting flushed out.
>>
>>How do I go about diagnosing this? What specifically does ip_conntrack
>>need to see in the tcp session to mark the session as expired in the table?
>
>
> Run tcpdump and record at least one full session of the razor traffic.
> Best is if you capture the traffic on both sides of the firewall in order
> to make sure nothing got lost. Collect anything relevant from the
> kernel log file and attach the /proc/net/ip_conntrack lines referring to
> the session. Post the collected data and then we can start to hunt down
> the reason for the problem.
>
Jozsef,
Here is the relevant part of the dump:
10:15:34.144668 IP 66.151.150.24.2703 > 64.4.232.33.54120: P 37:47(10) ack 78 win 5840
10:15:34.147076 IP 64.4.232.33.54120 > 66.151.150.24.2703: . ack 47 win 49640
10:15:34.151703 IP 64.4.232.33.54120 > 66.151.150.24.2703: P 78:83(5) ack 47 win 49640
10:15:34.153156 IP 64.4.232.33.54120 > 66.151.150.24.2703: F 83:83(0) ack 47 win 49640
10:15:34.217685 IP 66.151.150.24.2703 > 64.4.232.33.54120: . ack 83 win 5840
10:15:34.256491 IP 66.151.150.24.2703 > 64.4.232.33.54120: . ack 84 win 5840
10:15:34.311607 IP 66.151.150.24.2703 > 64.4.232.33.54120: R 47:47(0) ack 84 win 5840
Since there is an ACK before the RST it is safe to assume that the bug
documented at
https://lists.netfilter.org/pipermail/netfilter-devel/2004-December/017908.html
was the problem.
Since kernel 2.6.11 came out this morning, and the bug fix appears in
the changelog, I went ahead and upgraded and the problems are resolved.
If you would like more information then let me know, but at this point,
I think it's safe to say that this bug is squashed.
schu
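To check a capture like the one quoted above for the ACK-before-RST pattern Matthew points at, here is an added Python example that is not part of the thread: it parses the tcpdump lines from the mail, follows the FIN / ACK-of-FIN / RST teardown with a simplified tracker (my own model, not netfilter's TCP state table) and reports the state and default timeout a correct tracker should end in. The timeout values are the Linux 2.6 ip_conntrack defaults; everything else in the block is constructed for illustration.

```python
import re

# Regex for the tcpdump 3.x line format seen in the capture quoted above:
# "HH:MM:SS.us IP src.sport > dst.dport: <flags> [lo:hi(len)] ack N win W"
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<lo>\d+):(?P<hi>\d+)\(\d+\))?(?: ack (?P<ack>\d+))?"
)

# Default ip_conntrack TCP timeouts (Linux 2.6) for the states tracked below, in seconds.
TIMEOUT = {"ESTABLISHED": 5 * 24 * 3600, "FIN_WAIT": 120,
           "CLOSE_WAIT": 60, "TIME_WAIT": 120, "CLOSE": 10}

# The tcpdump lines quoted in the mail above (wrapped lines rejoined).
CAPTURE = """\
10:15:34.144668 IP 66.151.150.24.2703 > 64.4.232.33.54120: P 37:47(10) ack 78 win 5840
10:15:34.147076 IP 64.4.232.33.54120 > 66.151.150.24.2703: . ack 47 win 49640
10:15:34.151703 IP 64.4.232.33.54120 > 66.151.150.24.2703: P 78:83(5) ack 47 win 49640
10:15:34.153156 IP 64.4.232.33.54120 > 66.151.150.24.2703: F 83:83(0) ack 47 win 49640
10:15:34.217685 IP 66.151.150.24.2703 > 64.4.232.33.54120: . ack 83 win 5840
10:15:34.256491 IP 66.151.150.24.2703 > 64.4.232.33.54120: . ack 84 win 5840
10:15:34.311607 IP 66.151.150.24.2703 > 64.4.232.33.54120: R 47:47(0) ack 84 win 5840
"""

def parse_capture(text):
    """Return one dict per packet line; raise on a line the regex cannot read."""
    pkts = []
    for line in text.strip().splitlines():
        m = PKT_RE.match(line)
        if not m:
            raise ValueError("unparsed tcpdump line: " + line)
        d = m.groupdict()
        pkts.append({"ts": d["ts"], "src": f"{d['src']}:{d['sport']}",
                     "dst": f"{d['dst']}:{d['dport']}", "flags": d["flags"],
                     "hi": int(d["hi"]) if d["hi"] else None,
                     "ack": int(d["ack"]) if d["ack"] else None})
    return pkts

def track_teardown(pkts, state="ESTABLISHED"):
    """Simplified teardown tracker (hypothetical model, not netfilter's code): follow
    FIN -> ACK of FIN -> RST and return the state and timeout a tracker should end in,
    plus whether the RST was sent by the side that had already acked the peer's FIN."""
    fin_seq, fin_acked, rst_after_fin_ack = {}, set(), False
    for p in pkts:
        if "R" in p["flags"]:
            rst_after_fin_ack = p["dst"] in fin_acked  # peer's FIN already acked by sender
            state = "CLOSE"
            break
        if "F" in p["flags"] and p["src"] not in fin_seq:
            fin_seq[p["src"]] = p["hi"]  # the FIN occupies sequence number hi
            state = "FIN_WAIT"
        peer_fin = fin_seq.get(p["dst"])
        if peer_fin is not None and p["ack"] is not None and p["ack"] > peer_fin:
            fin_acked.add(p["dst"])  # ack number past the FIN's sequence number
            state = "CLOSE_WAIT" if len(fin_acked) == 1 else "TIME_WAIT"
    return {"state": state, "timeout": TIMEOUT[state], "rst_after_fin_ack": rst_after_fin_ack}
```

A conntrack entry for this session that is still listed as ESTABLISHED (five-day timeout) after the capture ends is what fills the table; a tracker that accepts the RST after the ACK should leave it in CLOSE with a ten-second timeout.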