On Fri, 12 Oct 2007, Jozsef Kadlecsik wrote:
On Thu, 11 Oct 2007, Krzysztof Oledzki wrote:
Something is still wrong in this area. With the recent fix there are no
more "invalid SYNIN=" messages, but with an unsuccessful request simulated
with "echo|nc", the next connections are not possible.
[...]
--- cut here ---
sysctl net.ipv4.ip_local_port_range="50000 50003"
sysctl net.netfilter.nf_conntrack_log_invalid=255
while true ; do echo|nc -w 1 wp.pl 80 2>/dev/null >/dev/null; echo -ne "HEAD / HTTP/1.0\r\nHost: www.wp.pl\r\n\r\n"|nc -w 2 wp.pl 80 ; sleep 1 ; done
--- cut here ---
Odd, but I could not reproduce it using my local test webserver.
I think you may test it with wp.pl, it is quite a big portal. No harm
will be done with a few more requests. ;)
However looking through the tcpdump and the kernel log, I think the
problem is as follows: the aborted connection still lingers in conntrack
for 10s (in order to catch late packets) and reopening after RST is not
handled properly yet. You are digging into the grey areas of TCP
conntrack ;-).
Could you check the patch below?
Assuming that I did not mispatch my kernel, this patch does not solve
the described problem. :( Do you need more tcpdumps or maybe a "conntrack -o
time -E" log?
Thank you.
Best regards,
Krzysztof Olędzki
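The situation Jozsef describes above (an RST-aborted entry lingering in conntrack for 10 s, and a new SYN on the same 4-tuple arriving before it expires) can be replayed against a small model. The model below is an added illustration, not nf_conntrack code and not from either poster: only the 10 s linger after RST and the ip_local_port_range of 50000-50003 come from the thread; the state names, the other timeouts, the rule that a SYN may always reopen a TIME_WAIT entry, and the simplification that the client reuses local port 50000 for every connection are assumptions. It replays the shell loop from the thread (one "echo|nc" abort, then one HEAD request, a second apart) with reopening after RST either handled or not, and returns how many HEAD requests get through.

```python
"""Toy model of TCP connection tracking around an RST-aborted connection.

Added illustration for the thread above; not kernel code. From the thread:
a 10 s linger for an RST-aborted entry and a local port range of
50000-50003. Everything else (state names, other timeouts, reopen rule for
TIME_WAIT, fixed client port) is an assumption made for the model.
"""
from __future__ import annotations
from dataclasses import dataclass

CLOSE_LINGER = 10.0        # seconds an RST-aborted entry stays (from the thread)
TIME_WAIT_LINGER = 120.0   # assumed linger for an entry closed with FIN/FIN
ESTABLISHED_LINGER = 432000.0  # assumed; only needs to outlive the replay


@dataclass
class Entry:
    state: str
    expires: float


class ConntrackModel:
    """Flows are keyed by (client_port, server_port); direction is 'orig' or 'reply'."""

    def __init__(self, reopen_after_rst: bool):
        self.reopen_after_rst = reopen_after_rst
        self.table: dict[tuple[int, int], Entry] = {}
        self.invalid: list[str] = []   # stands in for the kernel's "invalid" log lines

    def _expire(self, now: float) -> None:
        for flow in [f for f, e in self.table.items() if e.expires <= now]:
            del self.table[flow]

    def packet(self, flow: tuple[int, int], flags: str, direction: str, now: float) -> bool:
        """Return True if the packet passes, False if conntrack would call it INVALID."""
        self._expire(now)
        e = self.table.get(flow)
        if e is None:
            if flags == "SYN" and direction == "orig":
                self.table[flow] = Entry("SYN_SENT", now + 120.0)
                return True
            self.invalid.append(f"t={now:.2f} {flags} for untracked flow {flow}")
            return False
        if flags == "RST":
            # Aborted: keep the entry briefly so late packets of the old
            # connection still match, which is the linger the thread mentions.
            e.state, e.expires = "CLOSE", now + CLOSE_LINGER
            return True
        if flags == "SYN" and direction == "orig" and e.state in ("CLOSE", "TIME_WAIT"):
            # Fresh SYN on a lingering entry: reopen the flow, or reject the SYN.
            if e.state == "TIME_WAIT" or self.reopen_after_rst:
                self.table[flow] = Entry("SYN_SENT", now + 120.0)
                return True
            self.invalid.append(f"t={now:.2f} invalid SYN on {e.state} entry {flow}")
            return False
        if e.state == "SYN_SENT" and flags == "SYN-ACK" and direction == "reply":
            e.state, e.expires = "SYN_RECV", now + 60.0
        elif e.state == "SYN_RECV" and flags == "ACK" and direction == "orig":
            e.state, e.expires = "ESTABLISHED", now + ESTABLISHED_LINGER
        elif e.state == "ESTABLISHED" and flags == "FIN":
            e.state, e.expires = "FIN_WAIT", now + 120.0
        elif e.state == "FIN_WAIT" and flags == "FIN":
            e.state, e.expires = "TIME_WAIT", now + TIME_WAIT_LINGER
        # Anything else (late ACKs into CLOSE/TIME_WAIT, data segments) passes unchanged.
        return True


def replay_loop(reopen_after_rst: bool, iterations: int = 6) -> tuple[int, list[str]]:
    """Replay the thread's shell loop: each iteration is an 'echo|nc' abort
    (handshake, then RST from the client) followed one second later by a HEAD
    request (handshake, orderly FIN close). Assumed: the client reuses local
    port 50000 every time, so each new SYN lands on the previous 4-tuple.
    Returns (HEAD requests that got through, invalid-packet log)."""
    ct = ConntrackModel(reopen_after_rst)
    flow = (50000, 80)      # lowest port of the thread's range, reused (assumption)
    now, head_ok = 0.0, 0
    for _ in range(iterations):
        if ct.packet(flow, "SYN", "orig", now):            # "echo|nc -w 1"
            ct.packet(flow, "SYN-ACK", "reply", now + 0.01)
            ct.packet(flow, "ACK", "orig", now + 0.02)
            ct.packet(flow, "RST", "orig", now + 0.03)     # assumed abort with RST
        now += 1.0
        if ct.packet(flow, "SYN", "orig", now):            # HEAD request
            ct.packet(flow, "SYN-ACK", "reply", now + 0.01)
            ct.packet(flow, "ACK", "orig", now + 0.02)
            ct.packet(flow, "FIN", "reply", now + 0.05)
            ct.packet(flow, "FIN", "orig", now + 0.06)
            head_ok += 1
        now += 1.0
    return head_ok, ct.invalid


if __name__ == "__main__":
    for handled in (False, True):
        ok, bad = replay_loop(handled)
        print(f"reopen after RST handled={handled}: {ok}/6 HEAD requests passed, "
              f"{len(bad)} invalid packets")
```

With reopening after RST not handled, only the HEAD request that arrives after the 10 s linger has expired gets through, and every earlier SYN on the lingering CLOSE entry is logged as invalid; with it handled, all six pass. The model is only a way to reason about the trace, so a real tcpdump plus the "conntrack -E" log is still what decides the case.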