Re: nf_conntrack_count versus '/proc/net/nf_conntrack | wc -l' count

I'm facing the same problem. I'm working on an embedded system with
kernel 2.6.20-6. When I send a ping (or any other protocol) through
eth0 to eth1 (or vice versa) the conntrack count isn't decremented. If
I send the ping through any other interface (eth0 to wifi, eth1 to
wifi, wifi to eth0 and wifi to eth1) I have no problem.
The problem seems to be only between the ethernet interfaces.
I debugged netfilter and saw that when the problem occurs the "use"
variable inside the conntrack structure is > 1, so this variable is only
decremented by 1, not reaching 0, and then the destroy_conntrack
function is not called.

So I think that the problem is at a lower level, and some events aren't
reaching netfilter, and the "use" variable isn't decremented properly.

Could this be a problem with the ethernet driver?

Thanks....

On Thu, Feb 18, 2010 at 3:51 PM, Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote:
> On Thursday 18 February 2010 at 09:40 -0800, Afi Gjermund wrote:
>> I am still trying to figure out why the nf_conntrack_count differs
>> from the table system.  I decided I would use the conntrack userspace
>> tools.
>> Both of my NICs are unplugged with no other userspace applications
>> running to affect connection tracking counts.
>>
>>
>> root@titan ~# date
>> Thu Feb 18 17:35:21 UTC 2010
>>
>> root@titan ~# ./conntrack -C conntrack
>> 351
>>
>> root@titan ~# date
>> Thu Feb 18 17:35:24 UTC 2010
>>
>> root@titan ~# ./conntrack -F conntrack
>> conntrack v0.9.14 (conntrack-tools): connection tracking table has been emptied.
>>
>> root@titan ~# date
>> Thu Feb 18 17:35:31 UTC 2010
>>
>> root@titan ~# ./conntrack -C conntrack
>> 351
>>
>> root@titan ~# date
>> Thu Feb 18 17:35:36 UTC 2010
>>
>> Shouldn't the value after the flush be 0? The traffic that has created
>> this mess is from a REDIRECT rule in the PREROUTING chain of the 'nat'
>> table.
>
> Could you post a copy of these rules ?
>
> Thanks
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
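
The comparison this thread is about (the nf_conntrack_count counter versus the entries listed in /proc/net/nf_conntrack), as an added example that is not part of either message. The procfs paths, the function names and the tolerance of 16 are assumptions, and the sample data in demo() is constructed to mirror the 351 reported after the flush.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumed procfs locations; override them to run against sample files.
COUNT_FILE=${COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}
TABLE_FILE=${TABLE_FILE:-/proc/net/nf_conntrack}

# conntrack_drift COUNT_FILE TABLE_FILE
# Prints the counter minus the listed entries (one table line per entry).
conntrack_drift() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    counter=$(tr -d ' \n' < "$1")
    listed=$(wc -l < "$2" | tr -d ' ')
    case $counter in ''|*[!0-9]*) return 2 ;; esac
    echo $((counter - listed))
}

# conntrack_verdict DRIFT [TOLERANCE]
# The two reads are not atomic, so a small drift on a busy host is expected.
# A large positive drift that survives a flush is the symptom in this thread.
conntrack_verdict() {
    tolerance=${2:-16}   # hypothetical threshold, tune per host
    if [ "$1" -le "$tolerance" ] && [ "$1" -ge "-$tolerance" ]; then
        echo ok
    elif [ "$1" -gt 0 ]; then
        echo leak-suspect    # still counted, no longer listed
    else
        echo table-ahead     # listed but not counted: sample again
    fi
}

# check_conntrack [COUNT_FILE] [TABLE_FILE]: take one sample and classify it.
check_conntrack() {
    drift=$(conntrack_drift "${1:-$COUNT_FILE}" "${2:-$TABLE_FILE}") || {
        echo "cannot read conntrack state" >&2
        return 2
    }
    echo "drift=$drift verdict=$(conntrack_verdict "$drift")"
}

# Constructed sample: the table is empty but the counter still reads 351.
demo() {
    d=$(mktemp -d) || return 1
    echo 351 > "$d/count"
    : > "$d/table"
    check_conntrack "$d/count" "$d/table"
    rm -rf "$d"
}
```

Run `check_conntrack` as root before and after `conntrack -F conntrack`; a verdict of leak-suspect that persists across the flush matches the behaviour described above.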