Re: PATCH: "invalid SYNIN=" - a patch and a question

On Fri, 12 Oct 2007, Jozsef Kadlecsik wrote:

On Thu, 11 Oct 2007, Krzysztof Oledzki wrote:

Something is still wrong in this area. With the recent fix there are no
more "invalid SYNIN=" messages, but with unsuccessful request simulated
with "echo|nc" next connections are not possible.
[...]
--- cut here ---
# four-port range, so the same source port is reused almost immediately
sysctl net.ipv4.ip_local_port_range="50000 50003"
# log every packet conntrack considers invalid
sysctl net.netfilter.nf_conntrack_log_invalid=255

while true ; do
	# aborted request: connect, send only a newline, close
	echo | nc -w 1 wp.pl 80 2>/dev/null >/dev/null
	# a real request right after it, from the same small port range
	echo -ne "HEAD / HTTP/1.0\r\nHost: www.wp.pl\r\n\r\n" | nc -w 2 wp.pl 80
	sleep 1
done
--- cut here ---

Odd, but I could not reproduce it using my local test webserver.

I think you may test it with wp.pl; it is quite a big portal. No harm will be done by a few more requests. ;)

However looking through the tcpdump and the kernel log, I think the problem is as follows: the aborted connection still lingers in conntrack for 10s (in order to catch late packets) and reopening after RST is not handled properly yet. You are digging into the grey areas of TCP conntrack ;-).

Could you check the patch below?

Assuming that I did not mispatch my kernel, this patch does not solve the described problem. :( Do you need more tcpdumps, or maybe a "conntrack -o time -E" log?

Thank you.

Best regards,

						Krzysztof Olędzki
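The behaviour Jozsef describes (an aborted connection lingering in conntrack's CLOSE state for 10 s, and the next SYN for the same 4-tuple arriving before that entry expires, which is exactly what a four-port ip_local_port_range provokes) can be shown with a toy tracker. This is an added example, not code from the thread or from netfilter: the 10 s CLOSE timeout is nf_conntrack's default (nf_conntrack_tcp_timeout_close), while the remaining state machine, the timeouts, the addresses and the packet timings are simplified and constructed. The `allow_reopen` switch contrasts a tracker that refuses a SYN while the old entry is in CLOSE (logging it as invalid, as the `nf_conntrack_log_invalid=255` setting above would) with one that lets the SYN replace the lingering entry.

```python
from __future__ import annotations
from dataclasses import dataclass

# Per-state timeouts in seconds. CLOSE is nf_conntrack's default of 10 s;
# the others are simplified stand-ins for this model.
TIMEOUTS = {"SYN_SENT": 120, "SYN_RECV": 60, "ESTABLISHED": 432000, "CLOSE": 10}


@dataclass
class Entry:
    state: str
    expires: float


class Tracker:
    """Minimal per-4-tuple TCP tracker (constructed model, not nf_conntrack).
    allow_reopen decides whether a fresh SYN may replace a CLOSE entry."""

    def __init__(self, allow_reopen: bool):
        self.allow_reopen = allow_reopen
        self.table: dict[tuple, Entry] = {}
        self.invalid_log: list[str] = []  # what a log_invalid setting would print

    def _expire(self, now: float) -> None:
        for key in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[key]

    def packet(self, now: float, key: tuple, flags: frozenset) -> str:
        """Classify one packet for 4-tuple `key`; returns the verdict/state."""
        self._expire(now)
        entry = self.table.get(key)
        if entry is None:
            if flags == {"SYN"}:
                self.table[key] = Entry("SYN_SENT", now + TIMEOUTS["SYN_SENT"])
                return "NEW"
            self.invalid_log.append(f"t={now}: {sorted(flags)} {key} without entry")
            return "INVALID"
        if "RST" in flags:
            # aborted connection: keep the entry around to absorb late packets
            entry.state, entry.expires = "CLOSE", now + TIMEOUTS["CLOSE"]
            return "CLOSE"
        if entry.state == "CLOSE" and flags == {"SYN"}:
            if self.allow_reopen:
                self.table[key] = Entry("SYN_SENT", now + TIMEOUTS["SYN_SENT"])
                return "REOPEN"
            self.invalid_log.append(f"t={now}: invalid SYN {key} while in CLOSE")
            return "INVALID"
        if entry.state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            entry.state = "SYN_RECV"
        elif entry.state == "SYN_RECV" and flags == {"ACK"}:
            entry.state = "ESTABLISHED"
        entry.expires = now + TIMEOUTS[entry.state]
        return entry.state


def simulate(allow_reopen: bool) -> dict:
    """Replay the thread's scenario: handshake, RST, then a new SYN from the
    same source port 1 s later, then another SYN after the CLOSE timeout."""
    tracker = Tracker(allow_reopen)
    key = ("192.0.2.10", 50000, "198.51.100.80", 80)  # constructed 4-tuple
    F = frozenset
    tracker.packet(0.00, key, F({"SYN"}))            # first nc connects ...
    tracker.packet(0.05, key, F({"SYN", "ACK"}))
    tracker.packet(0.10, key, F({"ACK"}))
    tracker.packet(0.20, key, F({"RST"}))            # ... and aborts: CLOSE for 10 s
    reopen = tracker.packet(1.0, key, F({"SYN"}))    # second nc reuses the port
    later = tracker.packet(11.0, key, F({"SYN"}))    # past the CLOSE timeout
    return {"reopen_verdict": reopen,
            "after_timeout_verdict": later,
            "invalid_log": list(tracker.invalid_log)}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"allow_reopen={mode}: {simulate(mode)}")
```

Without reopen handling the second SYN is dropped as invalid and the port is unusable until the CLOSE entry times out at t=10.2 s, which is the symptom in the thread; with reopen handling the SYN starts a new entry immediately, and the later SYN at t=11 is then just a retransmission within the open SYN_SENT entry.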
