On Fri, May 30, 2003 at 01:42:07PM -0400, Preston A. Elder wrote:
> OK, just to be sure, I just installed kernel 2.4.21-rc6, with all the
> 'pending' patches applied to it as well, these are the ONLY patches applied
> to this kernel.

That one should be just fine.

> Netstat is showing me the following connection breakdowns:
> SNATs: 0
> ESTABLISHED : 1060
> LAST_ACK : 4865
> TIME_WAIT : 29
> FIN_WAIT2 : 1
> FIN_WAIT1 : 39
> SYN_RECV : 3277
> LISTEN : 100
> CLOSE_WAIT : 9261
>
> /proc/ip_conntrack, however, is showing me the following:
> CLOSE: 176
> CLOSE_WAIT: 111
> ESTABLISHED: 9046
> FIN_WAIT: 8634
> SYN_RECV: 134
> SYN_SENT: 25111
> TIME_WAIT: 2165
> (no state): 128

You cannot just compare TCP socket states with connection tracking states. Connection tracking tracks all connections (local and forwarded ones), and if a connection isn't correctly closed by the application (FIN handshake), it will assume that the connection still exists - just one example of why this cannot be compared.

And why do you think there is a 'SNAT' socket state?

> use DNAT, same difference though). So the above counts seem very wrong to
> me. And although the established count is very high, the SYN_SENT count is
> astronomical.

Can you capture the packets with tcpdump and actually show me that the machine doesn't in fact have

> There are also, as you see above, 128 conntrack entries without a
> state, which by the look of it, are UDP connections. I'm not even
> natting anything for UDP. WTF is going on here?

What do you mean 'without state'? There are no connections without state. Why can't you show me the respective lines from /proc/net/ip_conntrack?

And why are you under the impression that /proc/net/ip_conntrack shows only nat'ed connections? The name of the file indicates 'conntrack', so it shows you all tracked connections - not all NAT'ed.

As of now, it seems to me that there are some significant misunderstandings about the principles of netfilter/iptables.
Please discuss this at the mailing list and get back to me if you are really sure this is a bug.

> PreZ
> Systems Administrator
> Shadow Realm

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>                 http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie
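A small parser for /proc/net/ip_conntrack lines, added here as an example (not code from the thread or from the netfilter project), that tallies entries per protocol and TCP state the way the per-state counts above were presumably produced. It assumes the 2.4-era line layout (protocol name, protocol number, timeout, a state column for tcp entries only, then the two tuples with optional [UNREPLIED]/[ASSURED] flags) and uses constructed sample lines; it makes the reply's point visible: entries "without state" are simply non-TCP (UDP, ICMP) entries, and unreplied SYN_SENT entries are tracked flows that need not correspond to any local socket.

```python
import re
from collections import Counter

# Constructed sample lines in the layout /proc/net/ip_conntrack uses on 2.4
# kernels (assumption): proto num timeout [TCPSTATE] tuple [flags] tuple use=N
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=43120 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=43120 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.0.2.10 dst=198.51.100.6 sport=43121 dport=25 [UNREPLIED] src=198.51.100.6 dst=192.0.2.10 sport=25 dport=43121 use=1
tcp      6 118 SYN_SENT src=192.0.2.10 dst=198.51.100.7 sport=43122 dport=25 [UNREPLIED] src=198.51.100.7 dst=192.0.2.10 sport=25 dport=43122 use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=1025 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=1025 use=1
udp      17 170 src=192.0.2.12 dst=198.51.100.53 sport=1026 dport=53 src=198.51.100.53 dst=192.0.2.12 sport=53 dport=1026 [ASSURED] use=1
icmp     1 29 src=192.0.2.10 dst=198.51.100.5 type=8 code=0 id=1234 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 type=0 code=0 id=1234 use=1
"""

LINE_RE = re.compile(r"^(?P<proto>\S+)\s+(?P<num>\d+)\s+(?P<timeout>\d+)\s+(?P<rest>.*)$")

def parse_entry(line):
    """Parse one conntrack line; returns None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    # Only tcp entries carry a state column; for udp/icmp the tuple starts right away,
    # which is why a naive per-state tally reports them as "(no state)".
    state = None
    if m.group("proto") == "tcp":
        state, _, rest = rest.partition(" ")
    return {
        "proto": m.group("proto"),
        "state": state,
        "unreplied": "[UNREPLIED]" in rest,  # no reply seen for this flow yet
        "assured": "[ASSURED]" in rest,      # traffic seen in both directions
    }

def summarize(text):
    """Return (entries per (proto, state), unreplied entries per (proto, state))."""
    by_state, unreplied = Counter(), Counter()
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        key = (e["proto"], e["state"] or "(no state)")
        by_state[key] += 1
        if e["unreplied"]:
            unreplied[key] += 1
    return by_state, unreplied

if __name__ == "__main__":
    by_state, unreplied = summarize(SAMPLE)
    for key, n in sorted(by_state.items()):
        print("%-5s %-12s %4d  (unreplied: %d)" % (key[0], key[1], n, unreplied[key]))
```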