Linux Netfilter discussions
* nfconntrack and asymmetric routing
@ 2008-04-23  8:54 Marco Berizzi
  2008-04-25 17:34 ` Jan Engelhardt
  0 siblings, 1 reply; 6+ messages in thread
From: Marco Berizzi @ 2008-04-23  8:54 UTC (permalink / raw)
  To: netfilter

Hi folks,

Unfortunately I have a Linux firewall
which sees half of the packets because of a
badly designed network.
The nf_conntrack table is full of these entries:

ipv4     2 tcp      6 431303 ESTABLISHED src=172.23.1.21 dst=82.9.69.137
sport=25 dport=4036 packets=2 bytes=256 [UNREPLIED] src=82.9.69.137
dst=172.23.1.21 sport=4036 dport=25 packets=0 bytes=0 mark=0 use=1

because netfilter never sees the FIN/RST
TCP packets.
They never expire and sometimes Linux
logs these messages:

nf_conntrack: table full, dropping packet

Is there a way to tell netfilter to delete
these entries?




* Re: nfconntrack and asymmetric routing
  2008-04-23  8:54 nfconntrack and asymmetric routing Marco Berizzi
@ 2008-04-25 17:34 ` Jan Engelhardt
  2008-04-25 19:24   ` Marco Berizzi
  0 siblings, 1 reply; 6+ messages in thread
From: Jan Engelhardt @ 2008-04-25 17:34 UTC (permalink / raw)
  To: Marco Berizzi; +Cc: netfilter


On Wednesday 2008-04-23 10:54, Marco Berizzi wrote:
>
>Unfortunately I have a Linux firewall
>which sees half of the packets because of a
>badly designed network.
>The nf_conntrack table is full of these entries:
>
>ipv4     2 tcp      6 431303 ESTABLISHED src=172.23.1.21 dst=82.9.69.137
>sport=25 dport=4036 packets=2 bytes=256 [UNREPLIED] src=82.9.69.137
>dst=172.23.1.21 sport=4036 dport=25 packets=0 bytes=0 mark=0 use=1
>
>because netfilter never sees the FIN/RST
>TCP packets.
>They never expire and sometimes Linux
>logs these messages:
>
>nf_conntrack: table full, dropping packet
>
>Is there a way to tell netfilter to delete
>these entries?

Would it not be better to disable connection tracking for
the asymmetrically routed packets?


* Re: nfconntrack and asymmetric routing
  2008-04-25 17:34 ` Jan Engelhardt
@ 2008-04-25 19:24   ` Marco Berizzi
  2008-04-25 19:28     ` Jan Engelhardt
  0 siblings, 1 reply; 6+ messages in thread
From: Marco Berizzi @ 2008-04-25 19:24 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter

Jan Engelhardt wrote:
> 
> On Wednesday 2008-04-23 10:54, Marco Berizzi wrote:
>>
>>Unfortunately I have a Linux firewall
>>which sees half of the packets because of a
>>badly designed network.
>>The nf_conntrack table is full of these entries:
>>
>>ipv4     2 tcp      6 431303 ESTABLISHED src=172.23.1.21 dst=82.9.69.137
>>sport=25 dport=4036 packets=2 bytes=256 [UNREPLIED] src=82.9.69.137
>>dst=172.23.1.21 sport=4036 dport=25 packets=0 bytes=0 mark=0 use=1
>>
>>because netfilter never sees the FIN/RST
>>TCP packets.
>>They never expire and sometimes Linux
>>logs these messages:
>>
>>nf_conntrack: table full, dropping packet
>>
>>Is there a way to tell netfilter to delete
>>these entries?
> 
> Would it not be better to disable connection tracking for
> the asymmetrically routed packets?

Is there a way to do it?


* Re: nfconntrack and asymmetric routing
  2008-04-25 19:24   ` Marco Berizzi
@ 2008-04-25 19:28     ` Jan Engelhardt
  2008-04-25 19:35       ` Grant Taylor
  0 siblings, 1 reply; 6+ messages in thread
From: Jan Engelhardt @ 2008-04-25 19:28 UTC (permalink / raw)
  To: Marco Berizzi; +Cc: netfilter


On Friday 2008-04-25 21:24, Marco Berizzi wrote:
>>>Is there a way to tell netfilter to delete
>>>these entries?
>> 
>> Would it not be better to disable connection tracking for
>> the asymmetrically routed packets?
>
>Is there a way to do it?

-j NOTRACK.


* Re: nfconntrack and asymmetric routing
  2008-04-25 19:28     ` Jan Engelhardt
@ 2008-04-25 19:35       ` Grant Taylor
  2008-04-25 20:33         ` Jan Engelhardt
  0 siblings, 1 reply; 6+ messages in thread
From: Grant Taylor @ 2008-04-25 19:35 UTC (permalink / raw)
  To: Mail List - Netfilter

On 4/25/2008 2:28 PM, Jan Engelhardt wrote:
> -j NOTRACK.

I believe this needs to be done in the RAW table before connection 
tracking hooks are called.



Grant. . . .


* Re: nfconntrack and asymmetric routing
  2008-04-25 19:35       ` Grant Taylor
@ 2008-04-25 20:33         ` Jan Engelhardt
  0 siblings, 0 replies; 6+ messages in thread
From: Jan Engelhardt @ 2008-04-25 20:33 UTC (permalink / raw)
  To: Grant Taylor; +Cc: Mail List - Netfilter


On Friday 2008-04-25 21:35, Grant Taylor wrote:

> On 4/25/2008 2:28 PM, Jan Engelhardt wrote:
>> -j NOTRACK.
>
> I believe this needs to be done in the RAW table before connection tracking
> hooks are called.

I was implying that - manpage says so.
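An added example, not code from the thread or from the netfilter project, that pulls the half-seen TCP flows out of nf_conntrack output and prints the raw-table NOTRACK rules the replies above point to; the extra sample entries, the assumption that the original-direction source is the service end, and the FORWARD placement of the UNTRACKED accept are constructed for illustration:

```shell
#!/bin/sh
# Added example, not code from the thread. Reads /proc/net/nf_conntrack-style
# lines on stdin, lists the TCP flows that are ESTABLISHED yet still [UNREPLIED]
# (the half-seen flows the thread describes), and prints the raw-table NOTRACK
# rules that would exempt that service from tracking. Rules are printed, not applied.

# Constructed sample: the first line is the entry quoted in the thread, the other
# two are made-up entries that must NOT be selected (a two-way TCP flow, a UDP flow).
SAMPLE='ipv4     2 tcp      6 431303 ESTABLISHED src=172.23.1.21 dst=82.9.69.137 sport=25 dport=4036 packets=2 bytes=256 [UNREPLIED] src=82.9.69.137 dst=172.23.1.21 sport=4036 dport=25 packets=0 bytes=0 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=172.23.1.21 sport=51000 dport=25 packets=12 bytes=1800 src=172.23.1.21 dst=10.0.0.5 sport=25 dport=51000 packets=10 bytes=900 [ASSURED] mark=0 use=1
ipv4     2 udp     17 29 src=172.23.1.21 dst=192.0.2.53 sport=40000 dport=53 packets=1 bytes=60 [UNREPLIED] src=192.0.2.53 dst=172.23.1.21 sport=53 dport=40000 packets=0 bytes=0 mark=0 use=1'

# Field layout of a tcp entry: l3proto l3num l4proto l4num timeout state, then the
# original-direction tuple src= dst= sport= dport=. Print that tuple for every TCP
# flow marked ESTABLISHED and [UNREPLIED], i.e. conntrack only ever saw one direction.
stuck_tcp_flows() {
    awk '$3 == "tcp" && $6 == "ESTABLISHED" && /\[UNREPLIED\]/ {
        sub(/^src=/, "", $7); sub(/^dst=/, "", $8)
        sub(/^sport=/, "", $9); sub(/^dport=/, "", $10)
        print $7, $8, $9, $10
    }'
}

count_stuck_tcp_flows() {
    stuck_tcp_flows | wc -l | tr -d ' '
}

# Raw-table rules for one service endpoint (address and port), in the sense of the
# thread's "-j NOTRACK in the raw table": the raw table runs before the conntrack
# hook, so matching packets never create an entry. Both directions are exempted so
# no half-flow is left behind; forwarded traffic passes PREROUTING in both directions.
notrack_rules() {
    svc_ip=$1
    svc_port=$2
    printf 'iptables -t raw -A PREROUTING -p tcp -s %s --sport %s -j NOTRACK\n' "$svc_ip" "$svc_port"
    printf 'iptables -t raw -A PREROUTING -p tcp -d %s --dport %s -j NOTRACK\n' "$svc_ip" "$svc_port"
    # Untracked packets no longer match --state ESTABLISHED, so the filter table
    # must accept them explicitly (assumed placement: early in FORWARD).
    printf 'iptables -A FORWARD -p tcp -m conntrack --ctstate UNTRACKED -j ACCEPT\n'
}

# Demonstration on the constructed sample; on a live firewall feed
# /proc/net/nf_conntrack instead. Assumption (true for the quoted entry): the
# original-direction source is the service end, so src/sport identify the service.
printf '%s\n' "$SAMPLE" | stuck_tcp_flows | while read -r src dst sport dport; do
    notrack_rules "$src" "$sport"
done
```

Untracked packets are also never NATed, so this only fits traffic the firewall does not need to translate.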

