Re: Conntrack not matching properly - producing serious outages

On Thursday 2011-08-11 16:36, Jozsef Kadlecsik wrote:

>On Thu, 11 Aug 2011, Jan Engelhardt wrote:
>
>> On Thursday 2011-08-11 12:12, Jozsef Kadlecsik wrote:
>> >> Packets are
>> >> being matched as INVALID when we would expect them to be ESTABLISHED.
>> >> We are running on kernel 2.6.30.5 on X86_64 with CentOS 5.4 and
>> >> iptables-1.3.5-5.3.el5_4.1.
>> >> [...]
>> >> Aug 11 03:29:19 fw01 kernel: FORWARD INVALID IN=bond1 OUT=bond4
>> >> SRC=172.x.y.73 DST=172.x.z.34 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=32940
>> >> DF PROTO=TCP SPT=8080 DPT=52999 WINDOW=34 RES=0x00 ACK FIN URGP=0
>> >
>> >Those are, with high probability, late FIN packets: the belonging conntrack 
>> >entry has already been deleted and thus conntrack cannot find the matching 
>> >stream, therefore it sets it as INVALID.
>> 
>> Should not FIN retransmissions ideally be classified as ESTABLISHED (or
>> perhaps a new state) as long as the final ACK has not been seen?
>
>The final ACK might have already been seen. A full tcpdump could tell us 
>what happened exactly.

But perhaps NFCT should assume that it did not reach its destination
and should accept more FIN-ACKs until the MSL has elapsed.
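A practical follow-up to the thread's "late FIN" hypothesis: before changing timeouts or pulling a full tcpdump, it helps to sort the INVALID-logged packets by TCP flag pattern and see whether FIN/ACK and bare-ACK tail packets really dominate. The script below is an added example, not code from the thread or from the netfilter project. It parses the kernel's iptables LOG format quoted above; the log lines it runs on are constructed for the example (the addresses and ports are made up), and the reason categories are the author's own heuristics on the flag bits only, not the conntrack state machine's verdict.

```python
"""Bucket iptables LOG hits on an INVALID rule by TCP flag pattern.

Added example (not part of the thread). Parses the kernel LOG format
"FORWARD INVALID IN=... OUT=... SRC=... PROTO=TCP SPT=... DPT=... ACK FIN ..."
and counts how many INVALID hits look like connection-teardown stragglers
(FIN/ACK or bare ACK) versus stray SYNs, RSTs or non-TCP traffic.
"""
import re
from collections import Counter

# Constructed sample lines, modelled on the one quoted in the thread.
# Addresses/ports are invented; the line shape is the kernel's LOG target format.
SAMPLE_LOG = """\
Aug 11 03:29:19 fw01 kernel: FORWARD INVALID IN=bond1 OUT=bond4 SRC=172.16.1.73 DST=172.16.2.34 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=32940 DF PROTO=TCP SPT=8080 DPT=52999 WINDOW=34 RES=0x00 ACK FIN URGP=0
Aug 11 03:29:21 fw01 kernel: FORWARD INVALID IN=bond4 OUT=bond1 SRC=172.16.2.34 DST=172.16.1.73 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=1020 DF PROTO=TCP SPT=52999 DPT=8080 WINDOW=501 RES=0x00 ACK URGP=0
Aug 11 03:30:02 fw01 kernel: FORWARD INVALID IN=bond1 OUT=bond4 SRC=172.16.1.9 DST=172.16.2.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=44001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 11 03:30:05 fw01 kernel: FORWARD INVALID IN=bond1 OUT=bond4 SRC=172.16.1.9 DST=172.16.2.34 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=8 DF PROTO=TCP SPT=44001 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Aug 11 03:30:09 fw01 kernel: FORWARD INVALID IN=bond1 OUT=bond4 SRC=172.16.1.9 DST=172.16.2.34 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=UDP SPT=5353 DPT=53 LEN=64
"""

# TCP flags appear in the LOG line as bare tokens, not KEY=VALUE pairs.
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a FLAGS set of TCP flag tokens."""
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = frozenset(tok for tok in line.split() if tok in TCP_FLAGS)
    return fields


def classify(fields):
    """Heuristic reason label based only on protocol and flag bits (example's own categories)."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "syn-without-state"   # a SYN the tracker did not accept as a new connection
    if "RST" in flags:
        return "rst-without-state"   # reset for a connection the tracker no longer has
    if "FIN" in flags and "ACK" in flags:
        return "late-fin-ack"        # the thread's case: FIN/ACK after the entry was deleted
    if "ACK" in flags:
        return "late-ack"            # bare ACK: final ACK after deletion, or out-of-window
    return "other"


def service_port(fields):
    """Guess the service side of the flow as the lower of the two ports (heuristic)."""
    return min(int(fields["SPT"]), int(fields["DPT"]))


def summarize(log_text):
    """Count INVALID hits per reason, and teardown stragglers per (proto, service port)."""
    reasons = Counter()
    stragglers_by_service = Counter()
    for line in log_text.splitlines():
        if " INVALID " not in line:
            continue
        fields = parse_log_line(line)
        reason = classify(fields)
        reasons[reason] += 1
        if reason in ("late-fin-ack", "late-ack"):
            stragglers_by_service[(fields["PROTO"], service_port(fields))] += 1
    return reasons, stragglers_by_service


if __name__ == "__main__":
    reasons, by_service = summarize(SAMPLE_LOG)
    for reason, count in reasons.most_common():
        print(f"{count:5d}  {reason}")
    print("teardown stragglers per service port:")
    for (proto, port), count in by_service.most_common():
        print(f"{count:5d}  {proto}/{port}")
```

Run it against the firewall's syslog instead of SAMPLE_LOG (for example `python3 invalid_hits.py < /var/log/messages` after swapping in `sys.stdin.read()`). If the FIN/ACK and bare-ACK buckets dominate and cluster on a few service ports, that is consistent with the "late FIN" explanation above; the definitive check is still the full tcpdump Jozsef asks for, compared against the tracker's TIME_WAIT and CLOSE timeouts (nf_conntrack_tcp_timeout_time_wait and nf_conntrack_tcp_timeout_close). Note that a bare ACK with no conntrack entry can be picked up mid-stream when nf_conntrack_tcp_loose is enabled, while a FIN with no entry is classified INVALID regardless, which is why the stragglers that get logged tend to be FIN/ACKs.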