public inbox for linux-kernel@vger.kernel.org
* Re: [Fwd: Question with printk warnings in ip_conntrack with 2.4.20.]
From: Harald Welte @ 2002-12-05 20:07 UTC
  To: jpiszcz; +Cc: netfilter-devel, Linux Kernel Mailinglist

> Nov 29 03:29:26 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.xxx.xxx->129.128.5.191, reusing
> Nov 29 03:29:30 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.xxx.xxx->129.132.7.170, reusing
> Nov 29 03:29:36 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.xxx.xxx->195.113.31.123, reusing
> 
> These fill up my logs (kern.info) which I use for logging iptables 
> blocked packets.

The issue is that somebody is doing something very strange to your FTP
server.  Inside an FTP session, there's always only one expectation,
since there is only one unestablished data session per control session
at any given point in time.

> Is there any way to turn this feature off dynamically, or should one just 
> comment out line #970 in 
> /usr/src/linux/net/ipv4/netfilter/ip_conntrack_core.c ?

Feel free to remove the comment.  But in normal FTP protocol behaviour,
the lines above should never be printed.

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)


* Re: [Fwd: Question with printk warnings in ip_conntrack with 2.4.20.]
From: jpiszcz @ 2002-12-05 23:29 UTC
  To: linux-kernel

Strange?  I am just using vcheck (perl script) that goes out and checks 
out software for the latest versions.

Here is an example of what happens when I run it:
http://www.tu-ilmenau.de/~gomar/stuff/vcheck/

All it does is go out to http/ftp sites and match a regex to check for 
the latest version of whatever you have, i.e. a sample entry:

prog util-linux = {
  version   = 2.11y
  urgency   = high
  dl        = no
  lastcheck = "2002-12-05 06:07"
  url       = ftp://ftp.win.tue.nl/pub/home/aeb/linux-local/utils/util-linux/
  regex     = util-linux-(__VER__)\.tar
}

This program is very useful and those warnings highly annoying. :)
Will there possibly be a /proc or kernel config option for warnings such 
as these?


Dec  5 18:20:23 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->199.232.41.7, reusing
Dec  5 18:20:25 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->204.214.92.161, reusing
Dec  5 18:20:27 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->209.249.29.67, reusing
Dec  5 18:20:30 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->209.249.29.67, reusing
Dec  5 18:20:35 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->195.37.77.171, reusing
Dec  5 18:21:00 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->216.180.224.6, reusing
Dec  5 18:21:06 lucidpixels kernel: BLOCK: IN=eth1 OUT= MAC=00:a0:24:05:eb:87:00:c0:7b:b1:8d:3b:08:00 SRC=130.239.18.137 DST=66.45.37.187 LEN=1500 TOS=0x00 PREC=0x00 TTL=232 ID=47301 DF PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0
Dec  5 18:21:18 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->130.239.18.137, reusing
Dec  5 18:21:29 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->130.239.18.137, reusing
Dec  5 18:21:38 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->195.40.6.41, reusing
Dec  5 18:21:42 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->204.80.150.47, reusing
Dec  5 18:21:44 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->199.232.41.7, reusing
Dec  5 18:21:47 lucidpixels kernel: BLOCK: IN=eth1 OUT= MAC=00:a0:24:05:eb:87:00:c0:7b:b1:8d:3b:08:00 SRC=130.239.18.137 DST=66.45.37.187 LEN=1500 TOS=0x00 PREC=0x00 TTL=232 ID=28140 DF PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=2
Dec  5 18:21:57 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->199.232.41.7, reusing
Dec  5 18:22:20 lucidpixels last message repeated 3 times
Dec  5 18:22:21 lucidpixels kernel: BLOCK: IN=eth1 OUT= MAC=00:a0:24:05:eb:87:00:c0:7b:b1:8d:3b:08:00 SRC=130.239.18.173 DST=66.45.37.187 LEN=1500 TOS=0x00 PREC=0x00 TTL=232 ID=48463 DF PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0
Dec  5 18:22:25 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->130.239.18.173, reusing
Dec  5 18:22:34 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->130.239.18.137, reusing
Dec  5 18:22:36 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->199.232.41.7, reusing
Dec  5 18:22:42 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.168.12->143.239.1.60, reusing
Dec  5 18:22:43 lucidpixels kernel: BLOCK: IN=eth1 OUT= MAC=00:a0:24:05:eb:87:00:c0:7b:b1:8d:3b:08:00 SRC=130.239.18.173 DST=66.45.37.187 LEN=1500 TOS=0x00 PREC=0x00 TTL=232 ID=63220 DF PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=2

Harald Welte wrote:

>> Nov 29 03:29:26 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.xxx.xxx->129.128.5.191, reusing
>> Nov 29 03:29:30 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.xxx.xxx->129.132.7.170, reusing
>> Nov 29 03:29:36 lucidpixels kernel: ip_conntrack: max number of expected connections 1 of ftp reached for 192.168.xxx.xxx->195.113.31.123, reusing
>>
>> These fill up my logs (kern.info) which I use for logging iptables 
>> blocked packets.
>
> The issue is that somebody is doing something very strange to your FTP
> server.  Inside an FTP session, there's always only one expectation,
> since there is only one unestablished data session per control session
> at any given point in time.
>
>> Is there any way to turn this feature off dynamically, or should one just 
>> comment out line #970 in 
>> /usr/src/linux/net/ipv4/netfilter/ip_conntrack_core.c ?
>
> Feel free to remove the comment.  But in normal FTP protocol behaviour,
> the lines above should never be printed.

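The kern.info excerpt in the message above mixes two record types that the poster wants kept apart: the conntrack helper's expectation warnings and the iptables LOG lines the facility is actually used for. The script below is an added example, not code from the post or from netfilter. It re-joins records that were wrapped at mail width, folds "last message repeated N times" into the count, tallies the expectation warnings per client/server pair, and parses the LOG target's KEY=value fields so the BLOCK records can be queried. The sample is a subset of the lines from the message, wrapped as they were posted; the key names follow the LOG output shown there.

```python
import re
from collections import Counter

# Syslog prefix "Mon DD HH:MM:SS host rest"; anything else is a wrapped continuation line.
_SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
_EXPECT_RE = re.compile(
    r"ip_conntrack: max number of expected connections (\d+) of (\w+) reached for "
    r"([\d.]+)->([\d.]+), reusing")
_REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def unwrap(text):
    """Re-join records that a mail client wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if _SYSLOG_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_iptables_fields(body):
    """Split the LOG target's KEY=value fields into IP-header and L4 dicts.
    Bare flags (DF, MF, CE) become True. Splitting at PROTO= keeps the IP
    header's ID from being overwritten by the ICMP ID that follows it."""
    ip_hdr, l4 = {}, {}
    cur = ip_hdr
    for tok in body.split():
        if tok.startswith("PROTO="):
            cur = l4
        if "=" in tok:
            k, v = tok.split("=", 1)
            cur[k] = v
        elif tok.isupper():
            cur[tok] = True
    return ip_hdr, l4


def triage(text):
    """Return (Counter of expectation warnings keyed by (helper, src, dst),
    list of parsed iptables LOG records)."""
    expect = Counter()
    blocked = []
    last_key = None   # key of the previous warning, for "last message repeated N times"
    for rec in unwrap(text):
        m = _SYSLOG_RE.match(rec)
        if not m:
            continue
        ts, host, body = m.groups()
        r = _REPEAT_RE.search(body)
        if r:
            if last_key is not None:   # repeats of a BLOCK line cannot be reconstructed
                expect[last_key] += int(r.group(1))
            continue
        if not body.startswith("kernel: "):
            continue
        msg = body[len("kernel: "):]
        e = _EXPECT_RE.match(msg)
        if e:
            last_key = (e.group(2), e.group(3), e.group(4))
            expect[last_key] += 1
            continue
        last_key = None
        if "IN=" in msg:               # iptables LOG: user prefix, then KEY=value fields
            prefix, _, rest = msg.partition("IN=")
            ip_hdr, l4 = parse_iptables_fields("IN=" + rest)
            blocked.append({"ts": ts, "host": host,
                            "prefix": prefix.strip().rstrip(":"), **ip_hdr, "l4": l4})
    return expect, blocked


# Subset of the lines from the message above, wrapped as they were posted.
SAMPLE_LOG = """\
Dec  5 18:20:23 lucidpixels kernel: ip_conntrack: max number of expected
connections 1 of ftp reached for 192.168.168.12->199.232.41.7, reusing
Dec  5 18:20:25 lucidpixels kernel: ip_conntrack: max number of expected
connections 1 of ftp reached for 192.168.168.12->204.214.92.161, reusing
Dec  5 18:21:06 lucidpixels kernel: BLOCK: IN=eth1 OUT=
MAC=00:a0:24:05:eb:87:00:c0:7b:b1:8d:3b:08:00 SRC=130.239.18.137
DST=66.45.37.187 LEN=1500 TOS=0x00 PREC=0x00 TTL=232 ID=47301 DF
PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0
Dec  5 18:21:44 lucidpixels kernel: ip_conntrack: max number of expected
connections 1 of ftp reached for 192.168.168.12->199.232.41.7, reusing
Dec  5 18:21:57 lucidpixels kernel: ip_conntrack: max number of expected
connections 1 of ftp reached for 192.168.168.12->199.232.41.7, reusing
Dec  5 18:22:20 lucidpixels last message repeated 3 times
"""

if __name__ == "__main__":
    expect, blocked = triage(SAMPLE_LOG)
    for (helper, src, dst), n in expect.most_common():
        print("%3d  %s expectation reuse  %s -> %s" % (n, helper, src, dst))
    for b in blocked:
        print("%s %s %s -> %s %s" % (b["ts"], b["prefix"], b["SRC"], b["DST"], b["l4"]))
```

Grouping by pair shows at a glance that every warning in the excerpt has the same internal source address, and the BLOCK records come out with the IP header and the ICMP fields separated instead of the second ID= silently overwriting the first.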


* Re: [Fwd: Question with printk warnings in ip_conntrack with 2.4.20.]
From: Jozsef Kadlecsik @ 2002-12-06 13:59 UTC
  To: jpiszcz; +Cc: netfilter-devel, Linux Kernel Mailinglist

On Thu, 5 Dec 2002, jpiszcz wrote:

> Strange?  I am just using vcheck (perl script) that goes out and checks
> out software for the latest versions.

If the script uses active mode FTP and, when that is refused by the server,
falls back to passive mode, that is a natural explanation for such log
entries.

Could you record at least one such FTP session with tcpdump?

> Will there possibly be a /proc or kernel config option for warnings such
> as these?

In my opinion a new directory tree /proc/sys/net/ipv4/netfilter is
required so that tuning options could be easily added to the system.
But that implies backward (in)compatibility issues...

Regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
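
Harald's point (one expectation per control session) and Jozsef's explanation (a PORT the server refuses, followed by PASV while the first expectation is still pending) can be checked against a small model. What follows is an added example, not code from the thread or from the ip_conntrack_ftp module: it keeps a single expectation slot per control session, logs the kernel's "reusing" message when a second expectation is created before the first one is consumed, and runs constructed control-session transcripts through it. The client/server pair is taken from the log above; the transcripts, reply codes and port numbers are assumptions, and expiry, NAT rewriting of the PORT/227 addresses and the helper's other details are left out.

```python
import re

MAX_EXPECTED = 1  # the "1" in the kernel message: one pending data connection per control session

# PORT arguments and 227 replies both carry the address as h1,h2,h3,h4,p1,p2
_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_addr(text):
    """Return (ip, port) from an 'h1,h2,h3,h4,p1,p2' field, or None if absent or out of range."""
    m = _ADDR_RE.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return "%d.%d.%d.%d" % tuple(nums[:4]), nums[4] * 256 + nums[5]


class FtpHelperModel:
    """One control session's expectation slot: a simplified model of the
    conntrack FTP helper, not the kernel code itself."""

    def __init__(self, client, server):
        self.client, self.server = client, server
        self.pending = None      # (src_ip, (dst_ip, dst_port)) of the data connection we wait for
        self.warnings = []       # messages the kernel would have printed
        self.matched = []        # data connections that were picked up as RELATED

    def _expect(self, conn):
        if self.pending is not None:   # slot already in use: log and overwrite, as the message says
            self.warnings.append(
                "ip_conntrack: max number of expected connections %d of ftp reached "
                "for %s->%s, reusing" % (MAX_EXPECTED, self.client, self.server))
        self.pending = conn

    def feed(self, who, payload):
        """who: 'C' = client command, 'S' = server reply, 'D' = data-connection SYN."""
        if who == "C" and payload.upper().startswith("PORT "):
            addr = parse_ftp_addr(payload)
            if addr:                       # active mode: the server connects back to the client
                self._expect((self.server, addr))
        elif who == "S" and payload.startswith("227"):
            addr = parse_ftp_addr(payload)
            if addr:                       # passive mode: the client connects to the server
                self._expect((self.client, addr))
        elif who == "D":
            if payload == self.pending:    # the expected SYN arrived: the slot is free again
                self.matched.append(payload)
                self.pending = None


def run_session(client, server, events):
    """Feed a (who, payload) transcript to a fresh helper and return it."""
    h = FtpHelperModel(client, server)
    for who, payload in events:
        h.feed(who, payload)
    return h


CLIENT, SERVER = "192.168.168.12", "199.232.41.7"   # pair from the log lines in the thread

# Constructed transcripts, not captures from the thread.
ACTIVE_OK = [
    ("C", "PORT 192,168,168,12,4,1"),
    ("S", "200 PORT command successful."),
    ("C", "RETR util-linux-2.11y.tar.gz"),
    ("D", (SERVER, ("192.168.168.12", 1025))),
    ("S", "150 Opening BINARY mode data connection."),
]
PASSIVE_OK = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (199,232,41,7,20,10)"),
    ("C", "LIST"),
    ("D", (CLIENT, (SERVER, 5130))),
]
# Jozsef's scenario: PORT is refused and the client falls back to PASV while
# the first expectation is still pending, so the single slot gets reused.
ACTIVE_THEN_PASSIVE = [
    ("C", "PORT 192,168,168,12,4,1"),
    ("S", "500 Illegal PORT command."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (199,232,41,7,20,10)"),
    ("C", "LIST"),
    ("D", (CLIENT, (SERVER, 5130))),
]

if __name__ == "__main__":
    for name, ev in (("active", ACTIVE_OK), ("passive", PASSIVE_OK),
                     ("active->passive", ACTIVE_THEN_PASSIVE)):
        h = run_session(CLIENT, SERVER, ev)
        print("%-16s warnings=%d matched=%d" % (name, len(h.warnings), len(h.matched)))
        for w in h.warnings:
            print("    " + w)
```

A plain active or plain passive transfer produces no warning; the active-then-passive fallback produces exactly one "reusing" line per transfer, which is the pattern to look for in the tcpdump Jozsef asked for: a PORT followed by a PASV on the same control connection before any data connection is opened.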



* Re: [Fwd: Question with printk warnings in ip_conntrack with 2.4.20.]
From: jpiszcz @ 2002-12-06 14:27 UTC
  To: Jozsef Kadlecsik; +Cc: netfilter-devel, Linux Kernel Mailinglist

Sure:

http://installkernel.tripod.com/tcpdump.log.bz2

Jozsef Kadlecsik wrote:

> On Thu, 5 Dec 2002, jpiszcz wrote:
>
>> Strange?  I am just using vcheck (perl script) that goes out and checks
>> out software for the latest versions.
>
> If the script uses active mode FTP and, when that is refused by the server,
> falls back to passive mode, that is a natural explanation for such log
> entries.
>
> Could you record at least one such FTP session with tcpdump?
>
>> Will there possibly be a /proc or kernel config option for warnings such
>> as these?
>
> In my opinion a new directory tree /proc/sys/net/ipv4/netfilter is
> required so that tuning options could be easily added to the system.
> But that implies backward (in)compatibility issues...
>
> Regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>           H-1525 Budapest 114, POB. 49, Hungary



