On Thu, Feb 18, 2010 at 10:07 AM, Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote:
> On Thursday 18 February 2010 at 09:55 -0800, Afi Gjermund wrote:
>> On Thu, Feb 18, 2010 at 9:51 AM, Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote:
>> > On Thursday 18 February 2010 at 09:40 -0800, Afi Gjermund wrote:
>> >> I am still trying to figure out why the nf_conntrack_count differs
>> >> from the table system. I decided I would use the conntrack userspace
>> >> tools.
>> >> Both of my NICs are unplugged with no other userspace applications
>> >> running to affect connection tracking counts.
>> >>
>> >> root@titan ~# date
>> >> Thu Feb 18 17:35:21 UTC 2010
>> >>
>> >> root@titan ~# ./conntrack -C conntrack
>> >> 351
>> >>
>> >> root@titan ~# date
>> >> Thu Feb 18 17:35:24 UTC 2010
>> >>
>> >> root@titan ~# ./conntrack -F conntrack
>> >> conntrack v0.9.14 (conntrack-tools): connection tracking table has been emptied.
>> >>
>> >> root@titan ~# date
>> >> Thu Feb 18 17:35:31 UTC 2010
>> >>
>> >> root@titan ~# ./conntrack -C conntrack
>> >> 351
>> >>
>> >> root@titan ~# date
>> >> Thu Feb 18 17:35:36 UTC 2010
>> >>
>> >> Shouldn't the value after the flush be 0? The traffic that has created
>> >> this mess is from a REDIRECT rule in the PREROUTING chain of the 'nat'
>> >> table.
>> >
>> > Could you post a copy of these rules ?
>> >
>> > Thanks
>> >
>> iptables -t nat -A PREROUTING -p tcp -s X.X.X.X -d X.X.X.X --sport X
>> --dport X -j REDIRECT --to-port X
>
> Yes I understood you were using such rules, but I cannot understand how
> it can trigger without real nics being plugged. So I asked you some
> details, apparently you don't want to provide them and prefer to hide from
> us :)
>

Lol, sorry. The X values are dynamic and depend on what network the
device happens to be on, as well as the ephemeral source port.

iptables -t nat -A PREROUTING -p tcp -s 172.168.8.45 -d 172.168.8.200 --sport 4351 --dport 4500 -j REDIRECT --to-port 45001
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html