From: Robert L Mathews <lists@tigertech.com>
To: netfilter@vger.kernel.org
Subject: Re: conntrack and RSTs received during CLOSE_WAIT
Date: Sat, 16 May 2009 20:09:34 -0700 [thread overview]
Message-ID: <4A0F7FEE.3010405@tigertech.com> (raw)
In-Reply-To: <alpine.DEB.2.00.0905162348430.4156@blackhole.kfki.hu>
Jozsef Kadlecsik wrote:
> The TCP session seems to be totally broken. After the client sends
>
> client > server [FIN,ACK] Seq=421 Ack=1449 Len=0
>
> it should send the RST packet with Seq=422 and not Seq=421. The RST
> segment won't be accepted by the server.
Okay. The client is definitely sending exactly that (I'm pretty sure
it's a SonicWall firewall). That explains why the connection stays in
the CLOSE_WAIT state according to netstat.
So the problem can be described as:
Some buggy clients send an out-of-sequence RST. When that happens,
conntrack forgets about the connection ten seconds later, even though
the TCP stack doesn't.
If nf_conntrack_tcp_loose is set to 0, this gives clients a trivial way
to bypass connlimit, because the client then has open connections that
aren't counted.
If nf_conntrack_tcp_loose is set to 1, subsequent packets sent more than
ten seconds later will result in conntrack seeing a new ESTABLISHED
connection. Unfortunately, if the subsequent packets were merely TCP
retransmits (which is likely), the "new connection" will not really
exist. Connlimit counts a nonexistent connection as being open for five
days until it times out.
Both of these outcomes are obviously undesirable. Any suggestions how to
avoid this, or to minimize the impact?
> And I don't get the server either: after sending Ack=422 it can't send
> Ack=421.
>
> Is it a real TCP session recording or a mistyped one?
You're right; that was a typo on my part, for which I apologize. I had
to retype it from Wireshark, and I copied the wrong line. The ten
retransmitted packets at the end do indeed send Ack=422, just as you say
they should.
(However, the client problem is not a typo. The client definitely did
send Seq=421 in the RST, which explains why netstat shows the connection
remaining in CLOSE_WAIT and why the server continues to retransmit packets.)
--
Robert L Mathews, Tiger Technologies http://www.tigertech.net/
next prev parent reply other threads:[~2009-05-17 3:09 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-15 22:10 conntrack and RSTs received during CLOSE_WAIT Robert L Mathews
2009-05-16 21:57 ` Jozsef Kadlecsik
2009-05-17 3:09 ` Robert L Mathews [this message]
2009-05-20 5:16 ` Robert L Mathews
2009-05-20 7:19 ` Jozsef Kadlecsik
2009-05-20 7:31 ` Philip Craig
2009-05-20 7:42 ` Jozsef Kadlecsik
2009-05-20 8:06 ` Philip Craig
2009-05-20 8:43 ` Jozsef Kadlecsik
2009-05-20 20:24 ` Robert L Mathews
2009-05-20 21:40 ` Jozsef Kadlecsik
2009-05-21 8:17 ` Anatoly Muliarski
2009-05-21 9:11 ` Jozsef Kadlecsik
2009-05-21 18:07 ` Robert L Mathews
2009-05-21 15:31 ` Jozsef Kadlecsik
2009-05-21 18:45 ` Robert L Mathews
2009-05-22 4:32 ` Anatoly Muliarski
2009-05-22 7:21 ` Jozsef Kadlecsik
2009-05-22 8:26 ` Anatoly Muliarski
2009-05-22 8:54 ` Jozsef Kadlecsik
2009-05-22 11:27 ` Jozsef Kadlecsik
2009-05-22 7:42 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A0F7FEE.3010405@tigertech.com \
--to=lists@tigertech.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).