From: Michael Rash <mbr@cipherdyne.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Darrell A Escola <darrell-sg@descola.net>,
	linux-kernel@vger.kernel.org, netfilter@lists.samba.org
Subject: Re: iptables in 2.4.10, 2.4.11pre6 problems
Date: Sun, 28 Oct 2001 11:45:00 -0500
Message-ID: <20011028114500.A27656@orthanc.cipherdyne.com>
In-Reply-To: <1002646705.2177.9.camel@aurora> <Pine.LNX.4.33.0110091005540.209-100000@desktop> <20011010135503.4f5c06b9.rusty@rustcorp.com.au> <20011019061830.A8087@descola.net> <20011024142512.4f22ab17.rusty@rustcorp.com.au>
In-Reply-To: <20011024142512.4f22ab17.rusty@rustcorp.com.au>; from rusty@rustcorp.com.au on Wed, Oct 24, 2001 at 02:25:12PM +1000

On Oct 24, 2001, Rusty Russell wrote:

> On Fri, 19 Oct 2001 06:18:30 -0700
> Darrell A Escola <darrell-sg@descola.net> wrote:
> 
> > I have been running 2.4.10-ac11 for 7 days now with
> > TCP_CONNTRACK_CLOSE_WAIT set to 120 seconds - this has stopped nearly
> > all firewall activity on established connections.
> 
> OK... I think this needs changing then.  Can everyone please try the following
> trivial patch and report any changes?

Running 2.4.4 with this patch for the past 4 days has reduced the number of 
inappropriately dropped packets by ip_conntrack to nearly zero.  The number
of legitimate packets that used to be dropped previous to running this patch
would sometimes reach into the low hundreds over the same time frame.  (FWIW,
I have a cable modem connection to the 'net, and so it gets a bit slow from 
time to time since my bandwidth is shared...).

--Mike


> diff -urN -I \$.*\$ --exclude TAGS -X /home/rusty/devel/kernel/kernel-patches/current-dontdiff --minimal linux-2.4.12-official/net/ipv4/netfilter/ip_conntrack_proto_tcp.c working-2.4.12-tcptime/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
> --- linux-2.4.12-official/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	Sun Apr 29 06:17:11 2001
> +++ working-2.4.12-tcptime/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	Wed Oct 24 14:23:26 2001
> @@ -55,7 +55,7 @@
>      2 MINS,	/*	TCP_CONNTRACK_FIN_WAIT,	*/
>      2 MINS,	/*	TCP_CONNTRACK_TIME_WAIT,	*/
>      10 SECS,	/*	TCP_CONNTRACK_CLOSE,	*/
> -    60 SECS,	/*	TCP_CONNTRACK_CLOSE_WAIT,	*/
> +    2 MINS,	/*	TCP_CONNTRACK_CLOSE_WAIT,	*/
>      30 SECS,	/*	TCP_CONNTRACK_LAST_ACK,	*/
>      2 MINS,	/*	TCP_CONNTRACK_LISTEN,	*/
>  };
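
Review bot: the new `2 MINS` on the TCP_CONNTRACK_CLOSE_WAIT line is an unexplained constant. Nothing in the table says why 60 seconds was too short or why two minutes is the right value. A one-line comment on that entry would help, noting that conntrack entries for half-closed connections were expiring while the peer was still sending, so valid packets were being dropped. It should also state the cost, which is that each CLOSE_WAIT entry now stays in the conntrack table twice as long. The neighbouring TCP_CONNTRACK_LAST_ACK entry stays at `30 SECS`; it is worth confirming that slow links do not hit the same early expiry in that state before settling on the final values.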

Michael B. Rash
http://www.cipherdyne.com
Key fingerprint = 8E40 0826 4BBD 9DAF 4563  695C AC21 A428 70C9 B006
