From: Pascal Hambourg <pascal@plouf.fr.eu.org>
To: David Gubler <dg@doodle.com>
Cc: netfilter@vger.kernel.org
Subject: Re: connlimit reached - cannot open connections even after I close some
Date: Tue, 05 Feb 2013 20:54:13 +0100 [thread overview]
Message-ID: <51116365.4070801@plouf.fr.eu.org> (raw)
In-Reply-To: <510F9B9B.8070907@doodle.com>
David Gubler a écrit :
>
> Starting a fifth download fails:
>
> $ wget --limit-rate=1 http://localhost:8080/....
> --2013-02-04 11:48:41-- http://localhost:8080/...
> Auflösen des Hostnamen »localhost (localhost)«... 127.0.0.1
> Verbindungsaufbau zu localhost (localhost)|127.0.0.1|:8080... fehlgeschlagen: Verbindungsaufbau abgelehnt.
> (connection rejected)
>
> # conntrack -L | grep 8080
> tcp 6 431949 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=60279 dport=8080 src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=60279 [ASSURED] mark=0 use=1
> tcp 6 431990 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=60278 dport=8080 src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=60278 [ASSURED] mark=0 use=1
> tcp 6 431956 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=60284 dport=8080 src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=60284 [ASSURED] mark=0 use=1
> tcp 6 431963 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=60285 dport=8080 src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=60285 [ASSURED] mark=0 use=1
> tcp 6 71 SYN_SENT src=127.0.0.1 dst=127.0.0.1 sport=60291 dport=8080 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=60291 mark=0 use=1
>
> Note: The rejected connection is in the conntrack table in the state SYN_SENT.
It appears that you're testing over the loopback interface. Note that
the connection tracking behaves a bit differently on this interface :
the connection is confirmed when the first packet reaches the end of
POSTROUTING chains, before entering back the PREROUTING and INPUT
chains. So even though the packet is dropped in the INPUT chain, the
conntrack entry is not new any more and left in the SYN_STATE.
> Killing one of the four running downloads with CTRL+C:
>
> # conntrack -L | grep 8080
> tcp 6 431950 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=60279 dport=8080 src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=60279 [ASSURED] mark=0 use=1
> tcp 6 7 CLOSE src=127.0.0.1 dst=127.0.0.1 sport=60278 dport=8080 src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=60278 [ASSURED] mark=0 use=1
> tcp 6 431958 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=60284 dport=8080 src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=60284 [ASSURED] mark=0 use=1
> tcp 6 431965 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=60285 dport=8080 src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=60285 [ASSURED] mark=0 use=1
> tcp 6 17 SYN_SENT src=127.0.0.1 dst=127.0.0.1 sport=60291 dport=8080 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=60291 mark=0 use=1
>
> Now we have a connection in state CLOSED and one in state SYN_SENT in
> the table. wget still fails as it did before.
As expected, as there are already four active (SYN_SENT and ESTABLISHED)
connections.
> On 03.02.2013 12:51, Pascal Hambourg wrote:
> >
> > This is not the expected behaviour. AFAIK, when a packet creating a new
> > connection is DROPPed or REJECTed, the conntrack entry should be
> > deleted. This is what I observe on my system.
Edit : I observe this if the connections are from a remote host. If the
connections are from the local host over loopback, I observer the same
behaviour as you. I tested both conditions with a Debian Squeeze 2.6.32
kernel. I could not test with other kerne versions.
> Ok this is weird. I have made a similar (although not exactly the
> same) attempt on "Linux 2.6.32-5-amd64 #1 SMP Sun Sep 23 10:07:46 UTC
> 2012 x86_64 GNU/Linux" (Debian stable with stock kernel). On that kernel
> it behaves as you describe it! No SYN_SENT entries pop up in the
> conntrack table, instead the denied connections directly go into
> TIME_WAIT, and the connection limit works fine.
>
> On "Linux 3.2.0-2-amd64 #1 SMP Mon Jun 11 17:24:18 UTC 2012 x86_64
> GNU/Linux" (Debian stable with backports kernel), on the other hand, I
> get the exact same behavior as with 3.2 in Ubuntu (broken).
Did you test all kernels in the exact same conditions, connecting either
from a remote host or over loopback ?
next prev parent reply other threads:[~2013-02-05 19:54 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-24 14:22 connlimit reached - cannot open connections even after I close some David Gubler
2013-02-03 11:51 ` Pascal Hambourg
2013-02-04 11:29 ` David Gubler
2013-02-05 19:54 ` Pascal Hambourg [this message]
2013-02-11 12:44 ` David Gubler
[not found] <77346cbd-787d-4e7e-a918-d1b858d56b25@me.com>
2013-01-24 15:08 ` David Gubler
[not found] ` <CAHn-yPwtNh6sSo0PMScgavbgS=5mmLGaUHmQrj4wJQxMj4pWpA@mail.gmail.com>
2013-01-28 16:17 ` David Gubler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51116365.4070801@plouf.fr.eu.org \
--to=pascal@plouf.fr.eu.org \
--cc=dg@doodle.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox