Re: [netfilter-core] iptables/conntrack in enterprise environment.

On Fri, May 30, 2003 at 01:42:07PM -0400, Preston A. Elder wrote:

> OK, just to be sure, I just installed kernel 2.4.21-rc6, with all the 
> 'pending' patches applied to it as well, these are the ONLY patches applied 
> to this kernel.

that one should be just fine.

> Netstat is showing me the following connection breakdowns:
> SNATs: 0
> ESTABLISHED : 1060
> LAST_ACK    : 4865
> TIME_WAIT   : 29
> FIN_WAIT2   : 1
> FIN_WAIT1   : 39
> SYN_RECV    : 3277
> LISTEN      : 100
> CLOSE_WAIT  : 9261
> 
> /proc/ip_conntrack, however, is showing me the following:
> CLOSE: 176
> CLOSE_WAIT: 111
> ESTABLISHED: 9046
> FIN_WAIT: 8634
> SYN_RECV: 134
> SYN_SENT: 25111
> TIME_WAIT: 2165
> (no state): 128

You cannot just compare TCP socket states with connection tracking
states. Connection tracking tracks all connections (local and
forwarded ones), and if a connection isn't correctly closed by the
application (FIN handshake), it will assume that the connection still
exists - just one example of why this cannot be compared.

And why do you think there is a 'SNAT' socket state?

> use DNAT, same difference though).  So the above counts seem very wrong to 
> me.  And although the established count is very high, the SYN_SENT count is 
> astronomical.

Can you capture the packets with tcpdump and actually show me that the
machine doesn't in fact have 

> There are also, as you see above, 128 conntrack entries without a
> state, which by the look of it, are UDP connections.  I'm not even
> natting anything for UDP.  WTF is going on here?

What do you mean 'without state'? There are no connections without
state. Why can't you show me the respective lines from
/proc/net/ip_conntrack?

And why are you under the impression that /proc/net/ip_conntrack shows
only NAT'ed connections? The name of the file indicates 'conntrack', so
it shows you all tracked connections - not only NAT'ed ones.

As of now, it seems to me that there are some significant
misunderstandings about the principles of netfilter/iptables. Please
discuss this at the mailing list and get back to me if you are really
sure this is a bug.

> PreZ
> Systems Administrator
> Shadow Realm
-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

Attachment: pgp00468.pgp
Description: PGP signature
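The point made in the reply above (conntrack counts every flow the box sees, forwarded ones included, and only TCP entries carry a state column, so the "(no state)" rows are simply UDP) is easiest to see by parsing the file rather than eyeballing it. The following is an added example, not code from the thread or from the netfilter project: it parses constructed lines in the 2.4-era /proc/net/ip_conntrack layout, counts entries per protocol and state, and splits them into flows that could have a local socket (and so could ever show up in netstat) versus purely forwarded flows. The sample lines and the LOCAL_ADDRS set (the firewall's own addresses) are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample in the 2.4-era /proc/net/ip_conntrack layout:
#   proto protonum timeout [TCP state] <orig tuple> [UNREPLIED] <reply tuple> [ASSURED] use=N
# These lines are made up for the example; they were not captured from any host.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=10.0.0.5 sport=33000 dport=80 src=10.0.0.5 dst=192.168.1.20 sport=80 dport=33000 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.20 dst=10.0.0.6 sport=33001 dport=25 [UNREPLIED] src=10.0.0.6 dst=192.168.1.20 sport=25 dport=33001 use=1
tcp      6 119 SYN_SENT src=172.16.0.9 dst=10.0.0.7 sport=40000 dport=443 [UNREPLIED] src=10.0.0.7 dst=172.16.0.9 sport=443 dport=40000 use=1
tcp      6 431999 ESTABLISHED src=172.16.0.9 dst=10.0.0.5 sport=40001 dport=80 src=10.0.0.5 dst=172.16.0.9 sport=80 dport=40001 [ASSURED] use=1
tcp      6 100 FIN_WAIT src=172.16.0.10 dst=10.0.0.5 sport=40002 dport=80 src=10.0.0.5 dst=172.16.0.10 sport=80 dport=40002 [ASSURED] use=1
udp      17 29 src=192.168.1.20 dst=10.0.0.53 sport=51000 dport=53 src=10.0.0.53 dst=192.168.1.20 sport=53 dport=51000 use=1
udp      17 170 src=172.16.0.11 dst=10.0.0.53 sport=51001 dport=53 [UNREPLIED] src=10.0.0.53 dst=172.16.0.11 sport=53 dport=51001 use=1
"""

# Assumed: the addresses owned by the firewall itself. Only flows whose
# original tuple touches one of these can correspond to a local socket.
LOCAL_ADDRS = {"192.168.1.20"}

_KV = re.compile(r"(\w+)=(\S+)")
_TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Parse one tcp/udp ip_conntrack line into a dict (None for blank lines)."""
    tokens = line.split()
    if not tokens:
        return None
    proto = tokens[0]
    # Only the TCP tracker prints a state column; UDP entries go straight
    # from the timeout to the original tuple, which is the "(no state)" case.
    state = tokens[3] if proto == "tcp" else None
    kv = _KV.findall(line)
    pairs = [(k, v) for k, v in kv if k in _TUPLE_KEYS]
    use = next((int(v) for k, v in kv if k == "use"), None)
    return {
        "proto": proto,
        "timeout": int(tokens[2]),
        "state": state,
        "orig": dict(pairs[:4]),    # direction the first packet was seen in
        "reply": dict(pairs[4:8]),  # expected reply direction (post-NAT)
        "unreplied": "[UNREPLIED]" in tokens,  # no packet seen in reply direction yet
        "assured": "[ASSURED]" in tokens,      # two-way traffic seen; not early-expired
        "use": use,
    }


def parse_conntrack(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def state_counts(entries):
    """Count entries per (proto, state); non-TCP entries land under '(no state)'."""
    return Counter((e["proto"], e["state"] or "(no state)") for e in entries)


def split_local_forwarded(entries, local_addrs):
    """Split into flows that involve the host itself (could have a socket in
    netstat) and forwarded flows, which netstat on the firewall never shows."""
    local, forwarded = [], []
    for e in entries:
        o = e["orig"]
        (local if o["src"] in local_addrs or o["dst"] in local_addrs else forwarded).append(e)
    return local, forwarded


def unreplied_count(entries):
    return sum(1 for e in entries if e["unreplied"])


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE)
    for (proto, state), n in sorted(state_counts(entries).items()):
        print(f"{proto:4} {state:12} {n}")
    local, fwd = split_local_forwarded(entries, LOCAL_ADDRS)
    print(f"local={len(local)} forwarded={len(fwd)} unreplied={unreplied_count(entries)}")
```

Run against the real file, only the "local" bucket can be meaningfully set beside netstat output, and even there a TCP entry stays until its timeout if the application never completed the FIN handshake, so the two lists will still not match one-for-one. The UNREPLIED count is the figure to watch when the SYN_SENT total looks suspicious: those are half-open entries that have not seen a reply yet.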