From: Philip Craig <philipc@snapgear.com>
To: Daniel Sievers <sievers@hilton.rwth-aachen.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: conntrack question - what happens after timeout?
Date: Wed, 23 Nov 2005 15:55:34 +1000 [thread overview]
Message-ID: <43840456.1000002@snapgear.com> (raw)
In-Reply-To: <43819555.9030005@hilton.rwth-aachen.de>
On 11/21/2005 07:37 PM, Daniel Sievers wrote:
> since recently we have had some problems with the conntrack table
> growing too large and thus I experimented with lowering
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
> from 5 days to a couple of hours.
Perhaps increasing your memory to match the workload is a better solution.
> One thing I am still curious about though:
> What happens after established connections timeout if packets arrive
> which still belong to that connection? Do they get dropped automatically
> by netfilter or do I have to set up a rule to accomplish this?
The packets will not match any existing conntrack, and so a new
conntrack will be created. If you want to drop these packets,
then you will need a rule such as:
iptables -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
Note that a conntrack state of NEW does not imply that the SYN flag is set.
> In other words: Is the conntrack code merely about managing a table with
> connection states that gets used e.g. in the NAT code and can be used to
> query the state of connections in iptables rules or does it perform
> stateful inspection itself and (based on that) packet dropping etc. too?
The conntrack code determines whether the packet belongs to a
NEW or ESTABLISHED conntrack etc. Whether packets are dropped based
on that state is entirely up to the iptables rules.
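To make the two answers above concrete, here is a small Python model of the conntrack lookup and of the `! --syn -m conntrack --ctstate NEW -j DROP` rule. It is an added illustration, not netfilter code and not from anyone in this thread: the addresses, the timeouts, the `Conntrack` and `forward_chain` names and the packet trace are all constructed for the example. It ignores TCP window tracking, RELATED, INVALID and everything else real conntrack does; its only job is to show that an idle connection whose entry has timed out is classified NEW on its next packet, SYN or not, and what that rule then does with it.

```python
# Toy model of conntrack + the "! --syn --ctstate NEW -j DROP" rule.
# Constructed for illustration; not netfilter code.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

NEW, ESTABLISHED = "NEW", "ESTABLISHED"
Dir = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    t: float                # arrival time in seconds (constructed clock)

    def direction(self) -> Dir:
        return (self.src, self.sport, self.dst, self.dport)

    def key(self) -> Tuple:
        # Both directions of one TCP connection share a conntrack entry.
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (min(a, b), max(a, b))


@dataclass
class Entry:
    orig: Dir          # direction of the packet that created the entry
    seen_reply: bool   # ESTABLISHED once traffic was seen both ways
    expires: float


class Conntrack:
    # established_timeout models ip_conntrack_tcp_timeout_established;
    # unreplied_timeout is a constructed short lifetime for one-way entries.
    def __init__(self, established_timeout: float, unreplied_timeout: float = 60.0):
        self.established_timeout = established_timeout
        self.unreplied_timeout = unreplied_timeout
        self.table: Dict[Tuple, Entry] = {}

    def lookup(self, pkt: Packet) -> Tuple[str, Optional[Tuple[Tuple, Entry]]]:
        """Return the ctstate, plus a pending (unconfirmed) entry if none matched."""
        key = pkt.key()
        e = self.table.get(key)
        if e is not None and e.expires <= pkt.t:
            del self.table[key]      # timed out: the connection is forgotten
            e = None
        if e is None:
            # No match: a new conntrack is created whatever the flags say,
            # so a mid-stream ACK is NEW here just like a SYN would be.
            pending = (key, Entry(pkt.direction(), False, pkt.t + self.unreplied_timeout))
            return NEW, pending
        if not e.seen_reply and pkt.direction() == e.orig:
            e.expires = pkt.t + self.unreplied_timeout
            return NEW, None         # still unreplied (e.g. a retransmit)
        e.seen_reply = True          # reply direction seen: ESTABLISHED
        e.expires = pkt.t + self.established_timeout
        return ESTABLISHED, None

    def confirm(self, pending: Optional[Tuple[Tuple, Entry]]) -> None:
        # A new entry only enters the table if the packet survives the
        # filter chain; a dropped packet leaves no conntrack behind.
        if pending is not None:
            key, entry = pending
            self.table[key] = entry


def is_syn(pkt: Packet) -> bool:
    # iptables --syn: SYN set and ACK, RST, FIN all clear.
    return "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})


def forward_chain(pkt: Packet, ctstate: str, drop_rule: bool = True) -> str:
    # iptables -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    if drop_rule and not is_syn(pkt) and ctstate == NEW:
        return "DROP"
    return "ACCEPT"   # chain policy ACCEPT, constructed for the example


def run(established_timeout: float = 3600.0, drop_rule: bool = True) -> List[Tuple[float, str, str]]:
    """Replay a handshake, idle past the timeout, then late segments from
    both ends; return (time, ctstate, verdict) for every packet."""
    ct = Conntrack(established_timeout)
    c, s = ("10.0.0.2", 40000), ("192.0.2.10", 80)   # constructed endpoints

    def pkt(frm, to, flags, t):
        return Packet(frm[0], frm[1], to[0], to[1], frozenset(flags), t)

    late = 0.2 + established_timeout + 1.0
    trace = [
        pkt(c, s, {"SYN"}, 0.0),
        pkt(s, c, {"SYN", "ACK"}, 0.1),
        pkt(c, s, {"ACK"}, 0.2),
        pkt(c, s, {"ACK"}, late),          # client data after the idle timeout
        pkt(s, c, {"ACK"}, late + 1.0),    # server's reply to it
    ]
    out = []
    for p in trace:
        state, pending = ct.lookup(p)
        verdict = forward_chain(p, state, drop_rule)
        if verdict == "ACCEPT":
            ct.confirm(pending)
        out.append((p.t, state, verdict))
    return out


if __name__ == "__main__":
    for row in run():
        print(row)
```

With the rule in place the late ACK is classified NEW and dropped, no conntrack is confirmed for it, so the server's reply is also NEW and dropped; the endpoints have to start over with a SYN. Run with `drop_rule=False` and the same late ACK is accepted, creates a fresh NEW entry, and the server's reply turns that entry ESTABLISHED again, which is the "a new conntrack will be created" behaviour described above.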