On Thu, Jun 13, 2013 at 05:31:28PM +0200, Florian Westphal wrote:
> When loose tracking is enabled (default), non-syn packets cause
> creation of new conntracks in established state with default timeout for
> established state (5 days). This causes the table to fill up with UNREPLIED
> when the 'new ack' packet happened to be the last-ack of a previous,
> already timed-out connection.
>
> Consider:
>
> A 192.168.x.52792 > 10.184.y.80: F, 426:426(0) ack 9237 win 255
> B 10.184.y.80 > 192.168.x.52792: ., ack 427 win 123
> <61 second pause>
> C 10.184.y.80 > 192.168.x.52792: F, 9237:9237(0) ack 427 win 123
> D 192.168.x.52792 > 10.184.y.80: ., ack 9238 win 255
>
> B moves conntrack to CLOSE_WAIT and will kill it after 60 second timeout,
> C is ignored (FIN set), but last packet (D) causes new ct with 5-day timeout.
>
> Use UNACK timeout (5 minutes) instead to get rid of these entries sooner
> when in ESTABLISHED state without having seen traffic in both directions.

Applied, thanks!
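The entries the patch above targets are visible from userspace as TCP conntracks in ESTABLISHED state that carry the [UNREPLIED] flag. The script below is an added example, not code from the thread or from the netfilter project: it audits a `conntrack -L` style dump for ESTABLISHED [UNREPLIED] entries whose remaining timeout is still above the unacknowledged timeout, which on a kernel without the patch start at the 5-day established timeout (432000 s) instead of the 5-minute unacknowledged one (300 s). The function names, the constructed sample dump and the RFC 5737 addresses in it are assumptions made for the example; the sysctl path for the unacknowledged timeout is the real one.

```shell
#!/bin/sh
# Added example (not from the netfilter-devel thread): audit a conntrack table
# dump for ESTABLISHED [UNREPLIED] TCP entries that still carry a long timeout.
#
# Input format is that of `conntrack -L` (or /proc/net/nf_conntrack with the
# leading "ipv4 2" columns removed), e.g.:
#   tcp 6 431998 ESTABLISHED src=... dst=... sport=... dport=... [UNREPLIED] src=... ...
# Field 3 is the remaining timeout in seconds, field 4 the TCP state.

# unack_timeout: the kernel's tcp "unacknowledged" timeout when readable,
# otherwise the 5-minute default (300 s) quoted in the patch description.
unack_timeout() {
    cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_unacknowledged 2>/dev/null || echo 300
}

# find_stale LIMIT: print every TCP entry from stdin that is ESTABLISHED,
# has never seen a reply ([UNREPLIED]) and still has more than LIMIT seconds
# to live. With the patch applied such entries start at LIMIT, so anything
# above it is a leftover created before the fix (or a loose-tracking pickup
# on an unpatched kernel).
find_stale() {
    awk -v limit="$1" '
        $1 == "tcp" && $4 == "ESTABLISHED" && /\[UNREPLIED\]/ && ($3 + 0) > (limit + 0) { print }
    '
}

# count_stale LIMIT: number of entries find_stale would print.
count_stale() {
    find_stale "$1" | wc -l | tr -d ' '
}

# Constructed sample dump (not a real capture): the first entry is the
# situation from the patch description, a lone ACK picked up as a new
# ESTABLISHED flow with the 5-day timeout; the last one is the same kind of
# entry on a patched kernel, already below the 5-minute limit.
SAMPLE='tcp      6 431998 ESTABLISHED src=192.0.2.10 dst=198.51.100.80 sport=52792 dport=80 [UNREPLIED] src=198.51.100.80 dst=192.0.2.10 sport=80 dport=52792 mark=0 use=1
tcp      6 431200 ESTABLISHED src=192.0.2.11 dst=198.51.100.80 sport=40001 dport=80 src=198.51.100.80 dst=192.0.2.11 sport=80 dport=40001 [ASSURED] mark=0 use=1
tcp      6 55 CLOSE_WAIT src=192.0.2.12 dst=198.51.100.80 sport=40002 dport=80 src=198.51.100.80 dst=192.0.2.12 sport=80 dport=40002 [ASSURED] mark=0 use=1
tcp      6 290 ESTABLISHED src=192.0.2.13 dst=198.51.100.80 sport=40003 dport=80 [UNREPLIED] src=198.51.100.80 dst=192.0.2.13 sport=80 dport=40003 mark=0 use=1'

# Stand-alone run over the constructed sample. On a live host use instead:
#   conntrack -L 2>/dev/null | find_stale "$(unack_timeout)"
printf '%s\n' "$SAMPLE" | find_stale 300
```

Only the first sample entry is reported: it is ESTABLISHED, unreplied and far above the 300 s limit. The fully replied [ASSURED] flow and the CLOSE_WAIT entry are not affected by the patch and are ignored, as is the unreplied entry that already sits under the limit. A large count of reported entries on a long-running box is the table-filling symptom the commit message describes.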