From: Patrick McHardy <kaber@trash.net>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: TCP connection tracking timeout
Date: Tue, 29 Jul 2008 06:47:45 +0200
Message-ID: <488EA0F1.2050906@trash.net>
In-Reply-To: <20080729030104.GA15915@gondor.apana.org.au>
[List address fixed - I assume netfilter-devel@lists.debian.org doesn't
exist :)]
Herbert Xu wrote:
> Hi:
>
> I've recently started keeping an eye on the number of connections
> in my router's conntrack table. It was sad to see so many TCP
> connections that have died long ago still lingering in it. We all
> know that wandering ghosts are bad :)
>
> Here's my proposal to lay them to rest once and for all. The
> obvious solution is to reduce the timeout. However, that runs
> afoul of idle connections. So the key is how do we tell an
> idle connection apart from a dead one.
>
> Actually it isn't too hard. The most common reason for a connection
> to die without sending FIN/RST is a retransmission timeout. For
> example in Linux we can enter FIN_WAIT_1 without even transmitting
> the actual FIN because of outstanding data before it. So if we
> tracked whether each connection has unacknowledged data then we
> will be able to easily distinguish them. In other words, we can
> drastically lower the timeout on a connection with data outstanding.
>
> The only trouble now is to find a sucker^H^H^H^H^H^Hvolunteer
> to implement this :)
>
That sounds like a pretty neat idea. I'm testing a patch now, I'll
send it over in a few minutes if it survives :)
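As an added illustration of the scheme Herbert outlines (constructed model code, not Patrick's patch and not the kernel's conntrack): it records, per direction, the highest sequence number sent and the highest ack received, and hands the entry a short timeout whenever either side has data outstanding. The timeout values, type and function names are assumptions; SYN/FIN sequence space is ignored for brevity.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Timeouts in seconds: constructed values for this model, not conntrack's defaults. */
#define TIMEOUT_IDLE    (5 * 24 * 3600) /* idle ESTABLISHED entry keeps the long timeout */
#define TIMEOUT_UNACKED 300             /* entry with data outstanding gets a short one */

enum tcp_dir { DIR_ORIG, DIR_REPLY };

struct tcp_dir_state {
    uint32_t end;   /* highest sequence number this side has sent */
    uint32_t acked; /* highest ack for this side's data seen from the peer */
    bool seen;      /* at least one segment observed in this direction */
};
struct tcp_track { struct tcp_dir_state d[2]; };

/* Sequence-number comparison that survives 32-bit wraparound. */
static bool seq_after(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

static bool has_unacked(const struct tcp_dir_state *s)
{
    return s->seen && seq_after(s->end, s->acked);
}

void tcp_track_init(struct tcp_track *t) { memset(t, 0, sizeof(*t)); }

/* Feed one segment (payload length only; SYN/FIN sequence space is ignored
 * for brevity) and return the timeout the conntrack entry should get. */
unsigned int tcp_track_feed(struct tcp_track *t, enum tcp_dir dir,
                            uint32_t seq, uint32_t ack, uint32_t len)
{
    struct tcp_dir_state *me = &t->d[dir];
    struct tcp_dir_state *peer = &t->d[dir == DIR_ORIG ? DIR_REPLY : DIR_ORIG];
    uint32_t end = seq + len;
    if (!me->seen) {
        me->end = end;
        if (!peer->seen) /* no peer ack yet: nothing before seq is outstanding */
            me->acked = seq;
        me->seen = true;
    } else if (seq_after(end, me->end)) {
        me->end = end; /* new data; a pure retransmission leaves end unchanged */
    }
    /* The ack field acknowledges the peer's data. */
    if (!peer->seen || seq_after(ack, peer->acked))
        peer->acked = ack;

    return (has_unacked(me) || has_unacked(peer)) ? TIMEOUT_UNACKED : TIMEOUT_IDLE;
}
```

A real implementation would also have to treat a retransmitted segment as a signal that the peer may be gone, rather than merely leaving the outstanding window unchanged as this model does.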