* nfconntrack and asymmetric routing
@ 2008-04-23 8:54 Marco Berizzi
2008-04-25 17:34 ` Jan Engelhardt
0 siblings, 1 reply; 6+ messages in thread
From: Marco Berizzi @ 2008-04-23 8:54 UTC (permalink / raw)
To: netfilter
Hi folks,
Unfortunately I have a linux firewall
which see half of packets because of a
bad designed network.
nfconntrack table is full of these entries:
ipv4 2 tcp 6 431303 ESTABLISHED src=172.23.1.21 dst=82.9.69.137
sport=25 dport=4036 packets=2 bytes=256 [UNREPLIED] src=82.9.69.137
dst=172.23.1.21 sport=4036 dport=25 packets=0 bytes=0 mark=0 use=1
because netfilter never see the fin/rst
tcp packets.
They never expires and sometimes linux
logs these messages:
nf_conntrack: table full, dropping packet
Is there a way to tell netfilter to delete
these entries?
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: nfconntrack and asymmetric routing
2008-04-23 8:54 nfconntrack and asymmetric routing Marco Berizzi
@ 2008-04-25 17:34 ` Jan Engelhardt
2008-04-25 19:24 ` Marco Berizzi
0 siblings, 1 reply; 6+ messages in thread
From: Jan Engelhardt @ 2008-04-25 17:34 UTC (permalink / raw)
To: Marco Berizzi; +Cc: netfilter
On Wednesday 2008-04-23 10:54, Marco Berizzi wrote:
>
>Unfortunately I have a linux firewall
>which see half of packets because of a
>bad designed network.
>nfconntrack table is full of these entries:
>
>ipv4 2 tcp 6 431303 ESTABLISHED src=172.23.1.21 dst=82.9.69.137
>sport=25 dport=4036 packets=2 bytes=256 [UNREPLIED] src=82.9.69.137
>dst=172.23.1.21 sport=4036 dport=25 packets=0 bytes=0 mark=0 use=1
>
>because netfilter never see the fin/rst
>tcp packets.
>They never expires and sometimes linux
>logs these messages:
>
>nf_conntrack: table full, dropping packet
>
>Is there a way to tell netfilter to delete
>these entries?
Would not it be better to disable connection tracking for
the asymmetrically routed packets?
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: nfconntrack and asymmetric routing
2008-04-25 17:34 ` Jan Engelhardt
@ 2008-04-25 19:24 ` Marco Berizzi
2008-04-25 19:28 ` Jan Engelhardt
0 siblings, 1 reply; 6+ messages in thread
From: Marco Berizzi @ 2008-04-25 19:24 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter
Jan Engelhardt wrote:
>
> On Wednesday 2008-04-23 10:54, Marco Berizzi wrote:
>>
>>Unfortunately I have a linux firewall
>>which see half of packets because of a
>>bad designed network.
>>nfconntrack table is full of these entries:
>>
>>ipv4 2 tcp 6 431303 ESTABLISHED src=172.23.1.21 dst=82.9.69.137
>>sport=25 dport=4036 packets=2 bytes=256 [UNREPLIED] src=82.9.69.137
>>dst=172.23.1.21 sport=4036 dport=25 packets=0 bytes=0 mark=0 use=1
>>
>>because netfilter never see the fin/rst
>>tcp packets.
>>They never expires and sometimes linux
>>logs these messages:
>>
>>nf_conntrack: table full, dropping packet
>>
>>Is there a way to tell netfilter to delete
>>these entries?
>
> Would not it be better to disable connection tracking for
> the asymmetrically routed packets?
Is there a way to do it?
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2008-04-25 20:33 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-04-23 8:54 nfconntrack and asymmetric routing Marco Berizzi
2008-04-25 17:34 ` Jan Engelhardt
2008-04-25 19:24 ` Marco Berizzi
2008-04-25 19:28 ` Jan Engelhardt
2008-04-25 19:35 ` Grant Taylor
2008-04-25 20:33 ` Jan Engelhardt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox