RE: Ping in ESTABLISHED

["Gilad Benjamini" <gilad.benjamini@gmail.com>]

So you are saying that once a single ECHO REPLY does not arrive, the
connection will go into ESTABLISHED and all further pings, request or reply,
will be considered part of this connection ?
Seems to match my scenario.
Can you point me to the relevant places in the code ?

Thx

> -----Original Message-----
> From: Christoph Paasch [mailto:christoph.paasch@gmail.com]
> Sent: Sunday, December 07, 2008 2:56 AM
> To: netfilter@vger.kernel.org
> Cc: Gilad Benjamini
> Subject: Re: Ping in ESTABLISHED
> 
> Hi,
> 
> does your machine on the eth2 network always waits for the reply of the
> ping,
> before sending the next one?
> 
> After seeing the ECHO-REPLY passing, the connection tracker tries to
> delete
> the created connection, if all the ECHO-REQUESTS have been answered. As
> it may
> be possible, that there are several ECHO-REQUESTS passing before the
> ECHO-
> REPLY deletes the connection, netfilter will put the state of the
> connection as
> ESTABLISHED.  And that's the reason, why you don't have any NEW
> connections
> anymore. This behaviour may be due to the fact that some ECHO-REPLY's
> are lost
> on their way, and a new ECHO-REQUEST was send, before the connection
> timed out
> in the connection tracker.
> 
> 
> I hope, I was clear, and that it was correct what I told.
> 
> Have a nice day.
> 
> Christoph
> 
> 2008-12-06, "Gilad Benjamini" <gilad.benjamini@gmail.com>:
> > I have a situation where a continuous ping, expected to create a new
> > connection each time, turns into a single connection in ESTABLISHED
> state
> >
> > Here are the details:
> > - iptables runs on a bridge
> > - The bridge connects eth1 and eth2
> > - The iptables rules (minimized for the sake of this post)
> >     -A FORWARD -p icmp -m physdev  --physdev-in eth1 --physdev-is-
> bridged
> > -j ACCEPT
> >     -A FORWARD -p icmp -m state --state ESTABLISHED -j ACCEPT
> >     -A FORWARD -p icmp -m state --state NEW -j ACCEPT
> >     -A FORWARD -j ACCEPT
> > - A machine located on the eth2 network constantly sends a ping to a
> > machine located in eth1 network
> > - "iptables -L -v" shows the counters growing on rules #1 and #3.
> This is
> > expected.
> > - However, at some point, the counters start increasing on rule #2,
> and
> > stop increasing on rule #3. This can happen after 200 pings, 400, or
> even
> > 3000 in one overnight test.
> >
> > Any idea what's going on ?
> >
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter"
> in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 
> --
> Christoph Paasch
> 
> www.rollerbulls.be
> --