Yury Batrakov wrote:
> Hello all!
>
> I've got a couple of questions about netfilter's connection tracker,
> could someone clarify it to me?
> 1. When is conntrack being flushed? In /proc/net/ip_conntrack I see
> lots of UNREPLIED connections, I reload the conntrack kernel module but
> see the table being filled with old entries. The same seems to happen
> after rebooting the Linux box.
> 2. Are UNREPLIED connections being wiped when the number of connections to
> track equals conntrack's capacity? Some web resources tell they
> are, but some tell otherwise. I tried to reduce conntrack's capacity
> and saw that these connections aren't wiped and cause conntrack to
> overflow. Is it a bug or a feature?

No, when the table gets full the selected conntracks are those that are !ASSURED.

> 3. I played with the NOTRACK target of table raw and discovered that if I
> add a NOTRACK rule that matches already established connections,
> they get stuck in the table as unreplied. Most of them disappear when I set
> net.ipv4.netfilter.ip_conntrack_tcp_loose to 0. Is it recommended to
> kill existing unreplied connections in this way?

You may kill the entries using:

# conntrack -D -s IP -p tcp --dport xyz

See conntrack(8) for reference, or the conntrack-tools website.

> Could there be any side
> effect for new or currently established connections that don't match
> NOTRACK?

No, if you really only kill the conntracks that you don't need anymore.

--
"Honest people are social misfits" -- Les Luthiers
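As an added example, not part of the thread above, here is a small POSIX shell helper that reads a dump in the legacy /proc/net/ip_conntrack line format the question refers to, picks out the entries flagged [UNREPLIED], and prints (without executing) the conntrack(8) delete command the reply suggests for each one, built from the original-direction source address, protocol and destination port. A second function counts the entries that are not [ASSURED], since those are the ones the reply says are evicted first when the table is full. The sample table is constructed for the example; the helper names are the example's own. On a real box you would feed it "$(cat /proc/net/ip_conntrack)" and review the printed commands before running any of them; newer kernels expose /proc/net/nf_conntrack instead, whose lines carry extra leading fields, so the field scan would need adjusting there.

```shell
#!/bin/sh
# Added example: dry-run helper for cleaning [UNREPLIED] conntrack entries.
# Reads the legacy /proc/net/ip_conntrack format and prints conntrack(8)
# delete commands instead of running them.

# Constructed sample table: one ASSURED entry and two UNREPLIED ones.
SAMPLE_TABLE='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.1 sport=40000 dport=22 src=10.0.0.1 dst=192.168.1.2 sport=22 dport=40000 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.3 dst=10.0.0.1 sport=40001 dport=80 [UNREPLIED] src=10.0.0.1 dst=192.168.1.3 sport=80 dport=40001 use=1
udp      17 29 src=192.168.1.4 dst=10.0.0.2 sport=5000 dport=53 [UNREPLIED] src=10.0.0.2 dst=192.168.1.4 sport=53 dport=5000 use=1'

# unreplied_delete_cmds TABLE_TEXT
# For every [UNREPLIED] line, print "conntrack -D -s <src> -p <proto> --dport <dport>"
# using the original-direction tuple, i.e. the first src= and dport= on the line.
unreplied_delete_cmds() {
    printf '%s\n' "$1" | awk '
        /\[UNREPLIED\]/ {
            proto = $1; src = ""; dport = ""
            for (i = 2; i <= NF; i++) {
                if (src == "" && index($i, "src=") == 1) src = substr($i, 5)
                if (dport == "" && index($i, "dport=") == 1) dport = substr($i, 7)
            }
            printf "conntrack -D -s %s -p %s --dport %s\n", src, proto, dport
        }'
}

# count_not_assured TABLE_TEXT
# Count entries lacking [ASSURED]; these are the first candidates for
# eviction when the table fills up, as the reply above states.
count_not_assured() {
    printf '%s\n' "$1" | awk '!/\[ASSURED\]/ && NF { n++ } END { print n + 0 }'
}

# Usage: replace "$SAMPLE_TABLE" with "$(cat /proc/net/ip_conntrack)" on a live system.
unreplied_delete_cmds "$SAMPLE_TABLE"
count_not_assured "$SAMPLE_TABLE"
```

The helper deliberately prints commands rather than piping them into a shell, so that an operator can confirm each tuple is one that no longer matters (for instance, flows that now hit a NOTRACK rule) before deleting it, which is the condition the reply attaches to deleting entries safely.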