conntrack question - what happens after timeout?

Linux Netfilter discussions
 help / color / mirror / Atom feed

* conntrack question - what happens after timeout?
@ 2005-11-21  9:37 Daniel Sievers
  2005-11-23  5:55 ` Philip Craig
  0 siblings, 1 reply; 2+ messages in thread
From: Daniel Sievers @ 2005-11-21  9:37 UTC (permalink / raw)
  To: netfilter

Hi,

since recently we have had some problems with the conntrack table
growing too large and thus I experimented with lowering
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
from 5 days to a couple of hours.

One thing I am still curious about though:
What happens after established connections timeout if packets arrive
which still belong to that connection? Do they get dropped automatically
by netfilter or do I have to set up a rule to accomplish this?

In other words: Is the conntrack code merely about managing a table with
connection states that gets used e.g. in the NAT code and can be used to
query the state of connections in iptables rules or does it perform
stateful inspection itself and (based on that) packet dropping etc. too?

Thanks for your help.
-Daniel

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: conntrack question - what happens after timeout?
  2005-11-21  9:37 conntrack question - what happens after timeout? Daniel Sievers
@ 2005-11-23  5:55 ` Philip Craig
  0 siblings, 0 replies; 2+ messages in thread
From: Philip Craig @ 2005-11-23  5:55 UTC (permalink / raw)
  To: Daniel Sievers; +Cc: netfilter

On 11/21/2005 07:37 PM, Daniel Sievers wrote:
> since recently we have had some problems with the conntrack table
> growing too large and thus I experimented with lowering
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
> from 5 days to a couple of hours.

Perhaps increasing your memory to match the workload is a better solution.

> One thing I am still curious about though:
> What happens after established connections timeout if packets arrive
> which still belong to that connection? Do they get dropped automatically
> by netfilter or do I have to set up a rule to accomplish this?

The packets will not match any existing conntrack, and so a new
conntrack will be created.  If you want to drop these packets,
then you will need a rule such as:

iptables -A FORWARD -p tcp ! --syn -m conntrack --cstate NEW -j DROP

Note that a conntrack state of NEW does not imply that the SYN flag is set.

> In other words: Is the conntrack code merely about managing a table with
> connection states that gets used e.g. in the NAT code and can be used to
> query the state of connections in iptables rules or does it perform
> stateful inspection itself and (based on that) packet dropping etc. too?

The conntrack code determines whether the packet belongs to a
NEW or ESTABLISHED conntrack etc.  Whether packets are dropped based
on that state is entirely up to the iptables rules.


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2005-11-23  5:55 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-11-21  9:37 conntrack question - what happens after timeout? Daniel Sievers
2005-11-23  5:55 ` Philip Craig

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox