From: Patrick McHardy <kaber@trash.net>
To: Menno Smits <menno@netboxblue.com>
Cc: netfilter-devel <netfilter-devel@lists.netfilter.org>
Subject: Re: early_drop() not working correctly?
Date: Fri, 07 Jul 2006 06:07:53 +0200
Message-ID: <44ADDE19.2030503@trash.net>
In-Reply-To: <44AD1D10.6000208@netboxblue.com>

Menno Smits wrote:
> Hi list,
>
> At one customer site we have a situation where a netfilter box sees half
> of some connections due to asymmetric routing. This causes lots of
> ESTABLISHED but unreplied connections to fill the conntrack table with
> long (5 day) timeouts. Eventually the table completely fills up. The
> "nf_conntrack: table full, dropping packet" message is reported, packets
> are dropped and the customer starts complaining.
>
> According to discussions with Patrick McHardy off list and my own
> examinations of the code, early_drop() should free up some of the
> conntrack table when the table is full by removing unreplied
> connections. In practice, this doesn't actually happen.
>
> I've experimented with a similar setup in the office and I can
> consistently replicate the problem. I'm happy to describe my test setup
> if anyone is interested (it's a little complicated).

I suggest adding some debugging printks to early_drop that dump the
other members of the hash chain and their flag values (especially
IPS_ASSURED). Or simply to unreplied(). That should explain what's
going on.

Thread overview: 4+ messages
2006-07-06 14:24 early_drop() not working correctly? Menno Smits
2006-07-06 14:41 ` Martijn Lievaart
2006-07-07 4:07 ` Patrick McHardy [this message]
2006-07-09 15:06 ` Jozsef Kadlecsik