* libnetfilter_conntrack 0.0.81 release
From: Pablo Neira Ayuso @ 2007-07-28 12:38 UTC (permalink / raw)
To: netfilter-announce, netfilter, Netfilter Development Mailinglist; +Cc: lwn
Hi!
The netfilter project proudly presents libnetfilter_conntrack-0.0.81
libnetfilter_conntrack is a userspace library providing a programming
interface (API) to the in-kernel connection tracking state table.
This release includes minor changes and bugfixes. See ChangeLog for more
details. Upgrade is recommended.
You can download it from:
http://www.netfilter.org/projects/libnetfilter_conntrack/
ftp://ftp.netfilter.org/pub/libnetfilter_conntrack/
Pablo (on behalf of the Netfilter Project)
--
"It will be necessary to travel through the eyes of idiots" -- Poeta en
Nueva York -- Federico García Lorca.
libnetfilter_conntrack 0.0.81
======================================================================
Changes from 0.0.80:
- add layer 4 protocol comparison to nfct_compare()
[Pablo Neira Ayuso]
- introduce nfct_nfnlh() to use functions like nfnl_rcvbufsiz()
[Pablo Neira Ayuso]
- remove unused build_id() from build.c
[Pablo Neira Ayuso]
* delete conntrack entry - how
From: m2 @ 2007-07-30 6:08 UTC (permalink / raw)
To: netfilter
hi,
I want to delete this stale conntrack entry:
conntrack -L
tcp 6 259996 ESTABLISHED src=85.214.110.62 dst=217.199.190.234 sport=44895 dport=80 packets=1 bytes=40 [UNREPLIED] src=217.199.190.234 dst=85.214.110.62 sport=80 dport=44895 packets=0 bytes=0 mark=0 use=1
iptstate shows:
Source               Destination          Proto  State        TTL
85.214.110.62:44895  217.199.190.234:80   tcp    ESTABLISHED  72:10:59
so I don't want to wait 72 hours more;
I've already reduced some values,
e.g.
echo 216000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
but the connection was already EST
an example for deleting such an entry within the man page would be fine
Regards
* delete conntrack entry - how
From: m2 @ 2007-07-30 6:22 UTC (permalink / raw)
To: netfilter
--
. ___
| | Irmund Thum
| | +49 6374 992542
+49 163 9889576
* delete conntrack entry - how
From: fd4 @ 2007-07-30 11:32 UTC (permalink / raw)
To: netfilter
* Re: delete conntrack entry - how
From: fd4 @ 2007-07-30 14:12 UTC (permalink / raw)
To: netfilter
> an example for deleteing such an entry within the man page would be fine
maybe this one (thanks to a reader's help :-)
conntrack -D [conntrack] -s 172.16.31.31 -d 172.16.31.255 -p udp --orig-port-src 138 --orig-port-dst 138
* Re: ip_conntrack growing indefinitely
From: fd4 @ 2007-08-11 7:38 UTC (permalink / raw)
To: netfilter
> For now it has been patched setting ip_conntrack_max to 65536 but
> connections still grow indefinitely (seems NAT never drops old
> connections). Any idea of the reasons? Could be related with the kernel
> version (2 years old) we're running?
I've a similar phenomenon using kernel 2.6.18-4-vserver-686:
conntrack -L|wc -l
3340
nearly all started at a similar time from two ports to random
example iptstate:
Source Destination Proto State TTL
1.2.3.4:42573 1.2.3.4:842 tcp ESTABLISHED 10:44:43
1.2.3.4:42574 1.2.3.4:1501 tcp ESTABLISHED 10:43:51
1.2.3.4:42573 1.2.3.4:1392 tcp ESTABLISHED 10:43:20
well :- on my wish list now something like that:
conntrack -D -s 1.2.3.4 -d 1.2.3.4 -p tcp --orig-port-src 42573 --orig-port-dst *
* Re: ip_conntrack growing indefinitely
From: Eric Leblond @ 2007-08-11 8:04 UTC (permalink / raw)
To: fd4; +Cc: netfilter
Hi,
On Sat, 11 Aug 2007 09:38:08 +0200,
fd4 <fd4@itsec4u.de> wrote:
> > For now it has been patched setting ip_conntrack_max to 65536 but
>
> well :- on my wish list now something like that:
> conntrack -D -s 1.2.3.4 -d 1.2.3.4 -p tcp --orig-port-src 42573
> --orig-port-dst *
You should try this:
http://software.inl.fr/trac/trac.cgi/wiki/pynetfilter_conntrack
It does exactly what you want.
BR,
--
Eric Leblond <eric@regit.org>
NuFW, Now User Filtering Works : http://www.nufw.org
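fd4's wish-list command (delete every entry from one original source port, whatever the destination port) and Eric's pointer to pynetfilter_conntrack both amount to the same thing: walk the `conntrack -L` listing and issue one `conntrack -D` per matching tuple. The script below is an added example written for this page, not code from the thread, from libnetfilter_conntrack or from pynetfilter_conntrack; the listing it parses is constructed sample data modelled on the iptstate lines in the thread, and it calls the conntrack command-line tool (assumed installed, run as root) only when dry_run is False.

```python
import re
import shlex
import subprocess

# Constructed sample of `conntrack -L` output, modelled on the thread's entries
# (two entries from source port 42573, one from 42574, plus an unrelated UDP one).
SAMPLE_CONNTRACK_L = """\
tcp      6 259996 ESTABLISHED src=1.2.3.4 dst=1.2.3.4 sport=42573 dport=842 packets=1 bytes=40 [UNREPLIED] src=1.2.3.4 dst=1.2.3.4 sport=842 dport=42573 packets=0 bytes=0 mark=0 use=1
tcp      6 259942 ESTABLISHED src=1.2.3.4 dst=1.2.3.4 sport=42574 dport=1501 packets=1 bytes=40 [UNREPLIED] src=1.2.3.4 dst=1.2.3.4 sport=1501 dport=42574 packets=0 bytes=0 mark=0 use=1
tcp      6 259911 ESTABLISHED src=1.2.3.4 dst=1.2.3.4 sport=42573 dport=1392 packets=1 bytes=40 [UNREPLIED] src=1.2.3.4 dst=1.2.3.4 sport=1392 dport=42573 packets=0 bytes=0 mark=0 use=1
udp     17 28 src=10.0.0.5 dst=10.0.0.255 sport=138 dport=138 packets=3 bytes=600 [UNREPLIED] src=10.0.0.255 dst=10.0.0.5 sport=138 dport=138 packets=0 bytes=0 mark=0 use=1
"""

def parse_conntrack_line(line):
    """Return proto and the original-direction tuple of one listing line.
    The first src/dst/sport/dport group is the original direction; the
    second group (the reply direction) is ignored."""
    fields = line.split()
    if len(fields) < 3:
        return None
    orig = {}
    for key, value in re.findall(r"\b(src|dst|sport|dport)=(\S+)", line):
        orig.setdefault(key, value)  # keep the first (original) occurrence only
    if not all(k in orig for k in ("src", "dst", "sport", "dport")):
        return None
    return {"proto": fields[0], "src": orig["src"], "dst": orig["dst"],
            "sport": int(orig["sport"]), "dport": int(orig["dport"])}

def delete_commands(listing, src, sport, proto="tcp"):
    """One `conntrack -D` per matching entry: the `--orig-port-dst *`
    wildcard from the thread, done in userspace with exact tuples."""
    cmds = []
    for line in listing.splitlines():
        e = parse_conntrack_line(line)
        if e and e["proto"] == proto and e["src"] == src and e["sport"] == sport:
            cmds.append(["conntrack", "-D", "-p", e["proto"], "-s", e["src"],
                         "-d", e["dst"], "--orig-port-src", str(e["sport"]),
                         "--orig-port-dst", str(e["dport"])])
    return cmds

def run_deletes(cmds, dry_run=True):
    """Print each command; execute it only when dry_run is False
    (needs root and the conntrack tool installed)."""
    for cmd in cmds:
        print(shlex.join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)

if __name__ == "__main__":
    run_deletes(delete_commands(SAMPLE_CONNTRACK_L, "1.2.3.4", 42573))
```

On a live box replace SAMPLE_CONNTRACK_L with the stdout of `conntrack -L` and review the printed commands before switching dry_run off.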