Hello List,

From time to time, iptables drops related packets of TCP-connections originating from the host running iptables.

Jul 17 06:02:37 [somehost] iptables:DROP-ERROR IN= OUT=eth0 MAC= SRC=[somehost-ip] DST=[otherhost] LEN=64 TOS=00 PREC=0x00 TTL=64 ID=48442 CE DF PROTO=TCP SPT=41902 DPT=80 SEQ=382478645 ACK=1990115033 WINDOW=916 ACK PSH FIN URGP=0

The conntrack tables are quite empty, far away from losing conntracks due to overload. In my opinion, the kernel is generating those packets since it is still handling the TCP-connection shutdown phase, while conntrack has sorted out the entry, believing that the connection was terminated already.

Since I assume that the cause for this are different state-timeouts in iptables and the TCP-stack, I would like to write a howto (or better a script for an automatic check) to find out which parameters should be adjusted.

Am I on the right track? Is this possible, or is e.g. the iptables TCP-state-model simplified for speed-up so that it cannot follow all local TCP state changes by design?

Thanks,
Roman

PS: Kernel 3.9.7

DI Roman Fiedler
Engineer
Safety & Security Department
Assistive Healthcare Information Technology

AIT Austrian Institute of Technology GmbH
Reininghausstraße 13/1 | 8020 Graz | Austria
T +43(0) 50550 2957 | M +43(0) 664 8561599 | F +43(0) 50550 2950
roman.fiedler@xxxxxxxxx | http://www.ait.ac.at/

FN: 115980 i HG Wien | UID: ATU14703506
http://www.ait.ac.at/Email-Disclaimer

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
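A starting point for the automatic check Roman asks about, added here as an example and not code from the post or from the netfilter project: it parses the LOG line quoted above, reports whether the dropped packet belongs to the connection close phase (FIN or RST set), and compares the conntrack close-phase timeouts with the timers the local TCP stack uses in the same states. The sysctl names and their default values are the kernel's documented ones; the 300 s "longest time an application here may sit in CLOSE_WAIT" is an assumed site value, and the live read falls back to the defaults when /proc is not available (so the block runs offline).

```python
from typing import Dict, Set

# Constructed sample: the LOG line from the post, placeholders kept as they appear there.
SAMPLE_LOG = (
    "Jul 17 06:02:37 [somehost] iptables:DROP-ERROR IN= OUT=eth0 MAC= "
    "SRC=[somehost-ip] DST=[otherhost] LEN=64 TOS=00 PREC=0x00 TTL=64 ID=48442 CE DF "
    "PROTO=TCP SPT=41902 DPT=80 SEQ=382478645 ACK=1990115033 WINDOW=916 ACK PSH FIN URGP=0"
)

# Bare tokens the LOG target emits for set TCP flags (a bare "ACK" is a flag,
# "ACK=<number>" is the acknowledgement number and is handled as a key=value field).
TCP_FLAG_TOKENS: Set[str] = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

# Kernel defaults (seconds). On a live host read_sysctls() replaces them with the
# values under /proc/sys/net/netfilter/ and /proc/sys/net/ipv4/.
DEFAULT_SYSCTLS: Dict[str, int] = {
    "nf_conntrack_tcp_timeout_fin_wait": 120,
    "nf_conntrack_tcp_timeout_close_wait": 60,
    "nf_conntrack_tcp_timeout_last_ack": 30,
    "nf_conntrack_tcp_timeout_time_wait": 120,
    "tcp_fin_timeout": 60,
}
STACK_TIME_WAIT = 60       # TCP_TIMEWAIT_LEN: the stack's TIME_WAIT length is fixed at 60 s
MAX_APP_CLOSE_DELAY = 300  # assumed site value: longest an application may hold CLOSE_WAIT


def parse_log_line(line: str) -> Dict[str, object]:
    """Split an iptables LOG line into its key=value fields plus a FLAGS set."""
    fields: Dict[str, object] = {}
    flags: Set[str] = set()
    payload = line.split("iptables:", 1)[1]
    tokens = payload.split()
    for tok in tokens[1:]:          # tokens[0] is the rule's log prefix (DROP-ERROR)
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAG_TOKENS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def is_teardown_packet(fields: Dict[str, object]) -> bool:
    """True when the dropped TCP packet carries FIN or RST, i.e. belongs to the close phase."""
    return fields.get("PROTO") == "TCP" and bool(fields["FLAGS"] & {"FIN", "RST"})


def read_sysctls(proc_root: str = "/proc/sys/net") -> Dict[str, int]:
    """Read the relevant sysctls from /proc, keeping the defaults for anything unreadable."""
    values = dict(DEFAULT_SYSCTLS)
    for key in DEFAULT_SYSCTLS:
        subdir = "netfilter" if key.startswith("nf_") else "ipv4"
        try:
            with open(f"{proc_root}/{subdir}/{key}") as fh:
                values[key] = int(fh.read().strip())
        except (OSError, ValueError):
            pass                     # not a Linux host, or not permitted: keep the default
    return values


def check_teardown_timeouts(sysctls: Dict[str, int]) -> Dict[str, str]:
    """Flag conntrack close-phase timeouts that can expire before the local stack is done.

    Heuristic timer comparison only; it does not replay the conntrack TCP state machine.
    """
    findings: Dict[str, str] = {}
    ct_fw, fin_to = sysctls["nf_conntrack_tcp_timeout_fin_wait"], sysctls["tcp_fin_timeout"]
    if ct_fw < fin_to:
        findings["fin_wait"] = (f"conntrack drops a half-closed flow after {ct_fw}s, but the "
                                f"stack keeps an orphaned FIN_WAIT_2 socket for {fin_to}s")
    ct_cw = sysctls["nf_conntrack_tcp_timeout_close_wait"]
    if ct_cw < MAX_APP_CLOSE_DELAY:
        # The stack has no timer for CLOSE_WAIT: the socket lives until the application
        # closes it, so its eventual FIN can leave after conntrack forgot the flow.
        findings["close_wait"] = (f"conntrack expires CLOSE_WAIT after {ct_cw}s, below the "
                                  f"assumed {MAX_APP_CLOSE_DELAY}s an application may hold it")
    ct_tw = sysctls["nf_conntrack_tcp_timeout_time_wait"]
    if ct_tw < STACK_TIME_WAIT:
        findings["time_wait"] = (f"conntrack expires TIME_WAIT after {ct_tw}s, shorter than "
                                 f"the stack's {STACK_TIME_WAIT}s")
    return findings


if __name__ == "__main__":
    packet = parse_log_line(SAMPLE_LOG)
    print("close-phase packet:", is_teardown_packet(packet), sorted(packet["FLAGS"]))
    for state, msg in check_teardown_timeouts(read_sysctls()).items():
        print(f"{state}: {msg}")
```

Run on the quoted line it reports an ACK/PSH/FIN packet of the close phase and, with default timers, flags only close_wait; a host whose conntrack fin_wait timeout has been lowered below tcp_fin_timeout would additionally get a fin_wait finding. Raising the corresponding nf_conntrack_tcp_timeout_* value is the adjustment each finding points at.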