On Thu, Mar 28, 2002 at 05:25:06PM +0100, Martin Sperl wrote:
> Hi!
>
> We are experiencing problems with connection tracking with a Cisco
> Content Switch behind a firewall and think that it might partly be a
> problem with netfilter in stock Linux 2.4.17.
>
> We just started using CSS in a productive environment and now the number
> of connections in /proc/net/ip_conntrack has reached 200000.
> Which may be OK, but the problem is that 75% of these connections are in
> "UNREPLIED" state and the timeout given as 3rd value in
> /proc/net/ip_conntrack goes up to values like: 431998 - almost 5 days.
> So 75% of all connections in the tracking list are garbage and only
> discarded after 5 days!
>
> Ok, the problem does arise with non-CSS as well, but with CSS the rise
> was most pronounced; still, connections are left open.
>
> Any ideas, explanation,

It seems like you have been ACK-flooded by somebody. conntrack's default
behaviour is to do connection pickup when receiving an ACK in some
not-already-tracked connection. The ACK packet gets a state of NEW and,
if the packet is allowed by the ruleset, the timeout is increased to 5 days.

However, as soon as we run out of conntrack entries, the UNREPLIED entries
are overwritten.

To disable the 'no pickup' behaviour, there's a patch in patch-o-matic
called 'conntrack-nopickup.patch'.

> Cheers,
> Martin Sperl

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
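The diagnosis above (UNREPLIED entries sitting at nearly the full 5-day ESTABLISHED timeout because they were picked up from a lone ACK) can be checked mechanically from the table itself. The following is an added example written for this thread, not code from Harald, Martin or the netfilter project: it parses the Linux 2.4 /proc/net/ip_conntrack layout, counts UNREPLIED entries, flags those that are ESTABLISHED yet still carry close to 432000 seconds of timeout, and groups them by source address so an operator can see whether the garbage comes from a few hosts. The sample table and the addresses in it are constructed, and the one-hour slack below the 5-day timeout is an assumed threshold.

```python
import re
import sys
from collections import Counter

# Constructed sample in the Linux 2.4 /proc/net/ip_conntrack layout (not captured data):
#   proto proto_num timeout [tcp_state] orig-tuple [UNREPLIED] reply-tuple [ASSURED] use=N
SAMPLE = """\
tcp      6 431998 ESTABLISHED src=198.51.100.10 dst=192.0.2.20 sport=40001 dport=80 [UNREPLIED] src=192.0.2.20 dst=198.51.100.10 sport=80 dport=40001 use=1
tcp      6 431997 ESTABLISHED src=198.51.100.11 dst=192.0.2.20 sport=40002 dport=80 [UNREPLIED] src=192.0.2.20 dst=198.51.100.11 sport=80 dport=40002 use=1
tcp      6 431990 ESTABLISHED src=198.51.100.12 dst=192.0.2.20 sport=40003 dport=80 [UNREPLIED] src=192.0.2.20 dst=198.51.100.12 sport=80 dport=40003 use=1
tcp      6 119 SYN_SENT src=203.0.113.5 dst=192.0.2.20 sport=51000 dport=443 [UNREPLIED] src=192.0.2.20 dst=203.0.113.5 sport=443 dport=51000 use=1
tcp      6 431200 ESTABLISHED src=203.0.113.6 dst=192.0.2.20 sport=51001 dport=443 src=192.0.2.20 dst=203.0.113.6 sport=443 dport=51001 [ASSURED] use=1
tcp      6 3000 ESTABLISHED src=203.0.113.7 dst=192.0.2.20 sport=51002 dport=443 src=192.0.2.20 dst=203.0.113.7 sport=443 dport=51002 [ASSURED] use=1
udp      17 25 src=203.0.113.8 dst=192.0.2.53 sport=5353 dport=53 [UNREPLIED] src=192.0.2.53 dst=203.0.113.8 sport=53 dport=5353 use=1
"""

# The 2.4 conntrack ESTABLISHED timeout is 5 days = 432000 s. An UNREPLIED entry that
# is already ESTABLISHED and still near that value never saw a reply packet, so it can
# only have been created by TCP pickup on a stray ACK. The one-hour slack is assumed.
ESTABLISHED_TIMEOUT = 5 * 24 * 3600
PICKUP_SLACK = 3600

LINE_RE = re.compile(r"^(?P<proto>\w+)\s+(?P<num>\d+)\s+(?P<timeout>\d+)\s+(?P<rest>.*)$")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Return one dict per conntrack line; lines that do not carry two tuples are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tuples = TUPLE_RE.findall(rest)
        if len(tuples) != 2:
            continue
        # Only TCP lines carry a state word before the original tuple.
        state = rest.split()[0] if m.group("proto") == "tcp" else None
        entries.append({
            "proto": m.group("proto"),
            "timeout": int(m.group("timeout")),
            "state": state,
            "src": tuples[0][0],
            "dst": tuples[0][1],
            "dport": int(tuples[0][3]),
            "unreplied": "[UNREPLIED]" in rest,
            "assured": "[ASSURED]" in rest,
        })
    return entries


def summarize(entries, min_timeout=ESTABLISHED_TIMEOUT - PICKUP_SLACK):
    """Count UNREPLIED entries and isolate the ACK-pickup signature:
    UNREPLIED + ESTABLISHED + timeout still near the full 5 days."""
    total = len(entries)
    unreplied = sum(1 for e in entries if e["unreplied"])
    pickup = [e for e in entries
              if e["unreplied"] and e["state"] == "ESTABLISHED" and e["timeout"] >= min_timeout]
    return {
        "total": total,
        "unreplied": unreplied,
        "unreplied_fraction": (unreplied / total) if total else 0.0,
        "pickup_entries": len(pickup),
        # Sources with the most pickup entries; a short list of heavy hitters
        # points at a flood source, a flat spread points at spoofed traffic.
        "top_sources": Counter(e["src"] for e in pickup).most_common(5),
    }


if __name__ == "__main__":
    # Usage: python conntrack_audit.py [/proc/net/ip_conntrack]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    report = summarize(parse_conntrack(text))
    print(f"{report['total']} entries, {report['unreplied']} UNREPLIED "
          f"({report['unreplied_fraction']:.0%}), {report['pickup_entries']} look like ACK pickup")
    for src, n in report["top_sources"]:
        print(f"  {src}: {n}")
```

The parser targets the 2.4 table exactly as quoted in the thread (third column is the timeout). On current kernels the equivalent file is /proc/net/nf_conntrack, which prefixes each line with an address-family column, and the pickup behaviour the patch removes is now the `nf_conntrack_tcp_loose` sysctl; the heuristic is the same, only the column offsets change.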