Last patch-o-matic patches status report

Last patch-o-matic patches status report

[Samuel Díaz García]

Hi all, I want to report to mainteneers some issues with patch-o-matic patches.

Kernel: 2.6.15.3
Iptables: 1.3.5
Aditional patches applied: imq, nf-hipac, layer7
pom: LAST

Patches not mentioned here are applied fine or kernel included and not need pom 
patch.

Patches don't apply fine for any reason:
    MARK-operations
    ACCOUNT
    netfilter-docbook
    tproxy
    TRACE
    connrate
    conntrack_locking
    conntrackc_nonat
    goto
    ipsec-XXXXX
    nat-reservations
    owner-socketlookup

Patches that could be applied but broke kernel compilation (at least):
    talk-conntrack-nat

Patches that could be applied but broke iptables compilation (at least):
    expire

Patches that could be applied but have missing simbols in kernel (at least):
    IPV4OPTSSTRIP
    XOR

Patches that couldn't be applied into this kernel:
    condition (Somebody send me a kernel patch that could be used over 2.6.15.x 
kernel series before apply many pom patches).

Patches that could be applied but must be patched before compilation:
    mms-conntrack-nat (changing 2 lines in ip_conntrack_mms.c and 1 line in 
ip_nat_mms.c)

Patches that could be applied but must be disable from kernel before compilation 
(because they don't compile):
    IPV4OPTSSTRIP (from IPV4)
    expire (from IPV6)
    fuzzy (from IPV6)
    nth (from IPV6)
    random (from IPV6)
    rtsp-conntrack (from IPV4)
    XOR (from IPV4)
    quake3-conntrack-nat (from IPV4)

I only expect this report could be usefull for somebody who wants to use pom 
successfully.

Regards

P.D.: Sorry for my English.

-- 
    Samuel Díaz García
     Director Gerente
ArcosCom Wireless, S.L.L.

CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz

http://www.arcoscom.com

mailto:samueldg@arcoscom.com
msn: samueldg@arcoscom.com

Móvil: 651 93 72 48
Tlfn.: 956 70 13 15
Fax:   956 70 34 83

Tuning NAT timeout values

[Stephen Jones]

Hello all,

I have run into a wall on this one.  I have need to change the default 
settings on NAT entries through a Linux 2.4.32/iptables 1.2.11 based 
firewall.  Multiple searches have lead me to believe that tuning NAT 
masquerade timeouts through iptables is not possible as it apparently 
was through ipchains/ipfwadm.

This document (and other similar linux NAT/MASQ howtos):

http://howtos.linux.com/guides/nag2/x-087-2-masq.configuration.shtml

State: "The iptables implementation uses much longer default timers and 
does not allow you to set them."  Or something meaning the same thing.

An old discussion about this:

http://www.cs.washington.edu/homes/bdferris/afs_conntrack_nat/index.html

leads me to believe that perhaps if this is possible, it will be through 
tuning the various core conntrack tcp/udp settings for the timeouts 
(e.g. ip_conntrack_udp_timeout_stream
ip_conntrack_tcp_timeout_close_wait
ip_conntrack_udp_timeout
ip_conntrack_tcp_timeout_close
ip_conntrack_tcp_timeout_time_wait
ip_conntrack_tcp_timeout_syn_sent
ip_conntrack_icmp_timeout
ip_conntrack_tcp_timeout_syn_recv
ip_conntrack_generic_timeout
ip_conntrack_tcp_timeout_last_ack
ip_conntrack_tcp_timeout_fin_wait
ip_conntrack_tcp_timeout_established)

Any guidance on this issue would be greatly appreciated!

SJ

Re: Tuning NAT timeout values

[ludi]

it maybe help you.
/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c
#define UDP_TIMEOUT (30*HZ)
#define UDP_STREAM_TIMEOUT (180*HZ)
To change these values you can set up the udp timeout values.

tcp

/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c:


static unsigned long tcp_timeouts[]
= { 30 MINS, /* TCP_CONNTRACK_NONE, */
5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
10 SECS, /* TCP_CONNTRACK_CLOSE, */
60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
2 MINS, /* TCP_CONNTRACK_LISTEN, */
};
I only find these , but I am not sure whether it work.

Re: Tuning NAT timeout values

[Stephen Jones]

ludi wrote:
> it maybe help you.
> /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c
> #define UDP_TIMEOUT (30*HZ)
> #define UDP_STREAM_TIMEOUT (180*HZ)
> To change these values you can set up the udp timeout values.
> 
> tcp
> 
> /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c:
> 
> 
> static unsigned long tcp_timeouts[]
> = { 30 MINS, /* TCP_CONNTRACK_NONE, */
> 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
> 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
> 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
> 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
> 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
> 10 SECS, /* TCP_CONNTRACK_CLOSE, */
> 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
> 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
> 2 MINS, /* TCP_CONNTRACK_LISTEN, */
> };
> I only find these , but I am not sure whether it work.

Thanks for your reply ludi!  I saw those in the source code also, but I 
was hoping it would be safe to change them with something like this:

echo ### > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout

Where the ### is the desired value in seconds. Having to recompile 
sources everytime paramaters like this need to be changed would be 
inconvenient, to say the least. If that is the only way, then so be it. 
Thanks again for your reply!

SJ