From: Robert L Mathews <lists@tigertech.com>
To: netfilter@vger.kernel.org
Subject: Re: conntrack and RSTs received during CLOSE_WAIT
Date: Sat, 16 May 2009 20:09:34 -0700 [thread overview]
Message-ID: <4A0F7FEE.3010405@tigertech.com> (raw)
In-Reply-To: <alpine.DEB.2.00.0905162348430.4156@blackhole.kfki.hu>
Jozsef Kadlecsik wrote:
> The TCP session seems to be totally broken. After the client sends
>
> client > server [FIN,ACK] Seq=421 Ack=1449 Len=0
>
> it should send the RST packet with Seq=422 and not Seq=421. The RST
> segment won't be accepted by the server.
Okay. The client is definitely sending exactly that (I'm pretty sure
it's a SonicWall firewall). That explains why the connection stays in
the CLOSE_WAIT state according to netstat.
So the problem can be described as:
Some buggy clients send an out-of-sequence RST. When that happens,
conntrack forgets about the connection ten seconds later, even though
the TCP stack doesn't.
If nf_conntrack_tcp_loose is set to 0, this gives clients a trivial way
to bypass connlimit, because the client then has open connections that
aren't counted.
If nf_conntrack_tcp_loose is set to 1, subsequent packets sent more than
ten seconds later will result in conntrack seeing a new ESTABLISHED
connection. Unfortunately, if the subsequent packets were merely TCP
retransmits (which is likely), the "new connection" will not really
exist. Connlimit counts a nonexistent connection as being open for five
days until it times out.
Both of these outcomes are obviously undesirable. Any suggestions how to
avoid this, or to minimize the impact?
> And I don't get the server either: after sending Ack=422 it can't send
> Ack=421.
>
> Is it a real TCP session recording or a mistyped one?
You're right; that was a typo on my part, for which I apologize. I had
to retype it from Wireshark, and I copied the wrong line. The ten
retransmitted packets at the end do indeed send Ack=422, just as you say
they should.
(However, the client problem is not a typo. The client definitely did
send Seq=421 in the RST, which explains why netstat shows the connection
remaining in CLOSE_WAIT and why the server continues to retransmit packets.)
--
Robert L Mathews, Tiger Technologies http://www.tigertech.net/
next prev parent reply other threads:[~2009-05-17 3:09 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-15 22:10 conntrack and RSTs received during CLOSE_WAIT Robert L Mathews
2009-05-16 21:57 ` Jozsef Kadlecsik
2009-05-17 3:09 ` Robert L Mathews [this message]
2009-05-20 5:16 ` Robert L Mathews
2009-05-20 7:19 ` Jozsef Kadlecsik
2009-05-20 7:31 ` Philip Craig
2009-05-20 7:42 ` Jozsef Kadlecsik
2009-05-20 8:06 ` Philip Craig
2009-05-20 8:43 ` Jozsef Kadlecsik
2009-05-20 20:24 ` Robert L Mathews
2009-05-20 21:40 ` Jozsef Kadlecsik
2009-05-21 8:17 ` Anatoly Muliarski
2009-05-21 9:11 ` Jozsef Kadlecsik
2009-05-21 18:07 ` Robert L Mathews
2009-05-21 15:31 ` Jozsef Kadlecsik
2009-05-21 18:45 ` Robert L Mathews
2009-05-22 4:32 ` Anatoly Muliarski
2009-05-22 7:21 ` Jozsef Kadlecsik
2009-05-22 8:26 ` Anatoly Muliarski
2009-05-22 8:54 ` Jozsef Kadlecsik
2009-05-22 11:27 ` Jozsef Kadlecsik
2009-05-22 7:42 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A0F7FEE.3010405@tigertech.com \
--to=lists@tigertech.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.