RE: conntrack generates UDP 'ghost traffic'

On Fri, 2009-10-16 at 14:26 +0200, Roderick Groesbeek wrote:
> Thomas,
> How 'scary' do you think it would be to set this on say: 75 seconds?
> 
> [root@pollux net ]# cat
> /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
> 432000
> [root@pollux net ]#

Depends on the other applications really. Probably you would not even
notice it for ordinary Web & E-Mail stuff, for other applications (like
SSH without keepalive) it could be quite annoying ;)

Anyway, many home NAT routers have far lower timeout settings for
"established connection but no data" scenarios to keep their
tables from overflowing.


> And is this setting operational 'both ways' (to the masqueraded connection
> and the internal connection)?

AFAIK there is only one entry in the conntrack (=NAT) table for
each TCP connection, right? I interpret
nf_conntrack_tcp_timeout_established as meaning "no data was received
from either end for this many seconds".

> Know all about RTP/RTCP/RTSP/etc.
> 
> We build H.323 applications too! :)
> We even sell H.324m gateways, and build them for Tandberg (now Cisco):
> http://www.triple-it.nl/wp-content/uploads/2009/03/factsheet_gateway.pdf
> 
> It does look like that NF_CONNTRACK modules for H.323 and RTSP are still
> pretty much unmaintained for Linux.
> 
> For instance:
> I had to patch & build the RTSP conntrack module for our pollux, it
> didn't work out of the box.

If you do, why not contribute a full kernel module. That's why it's
lacking, since nobody with expertise in the area was willing to
contribute some quality code ;)
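A small simulation of the timeout semantics discussed above (one conntrack entry per TCP connection, refreshed by a packet from either end, expiring after nf_conntrack_tcp_timeout_established seconds of silence). This is an added illustration, not code from the thread or from netfilter; the expiry model is a simplification that ignores conntrack state transitions, and the keepalive helper assumes the client is the only side sending during the idle period.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_TIMEOUT = 432000   # the 5-day default printed in the thread
PROPOSED_TIMEOUT = 75      # the value asked about in the thread


@dataclass
class ConntrackEntry:
    """One conntrack (=NAT) entry per TCP connection, covering both directions."""
    timeout: int
    last_seen: Optional[float] = None
    expired_at: Optional[float] = None

    def packet(self, t: float, direction: str) -> bool:
        """Feed a packet seen at time t; direction is 'orig' (from the
        masqueraded host) or 'reply' (from the outside). Either direction
        refreshes the timer. Returns True if the entry was still alive and
        has been refreshed, False if it had already timed out (a later
        packet would then hit the box without a NAT mapping)."""
        assert direction in ("orig", "reply")
        if self.expired_at is not None:
            return False
        # Simplification: a gap strictly longer than the timeout expires it.
        if self.last_seen is not None and t - self.last_seen > self.timeout:
            self.expired_at = self.last_seen + self.timeout
            return False
        self.last_seen = t
        return True


def keepalive_keeps_entry(timeout: int, interval: int, duration: int) -> bool:
    """True if a client sending one keepalive every `interval` seconds
    (e.g. SSH ServerAliveInterval) keeps the entry alive for `duration`
    seconds of otherwise idle connection."""
    entry = ConntrackEntry(timeout)
    t = 0
    while t <= duration:
        if not entry.packet(t, "orig"):
            return False
        t += interval
    return True


if __name__ == "__main__":
    # An idle SSH session without keepalives survives the default but not 75 s.
    for tmo in (DEFAULT_TIMEOUT, PROPOSED_TIMEOUT):
        ok = keepalive_keeps_entry(tmo, interval=3600, duration=7200)
        print(f"timeout={tmo:>6}s, one packet per hour: entry kept = {ok}")
```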
