Fwd: conntrack full with TIME_WAIT on tcp passive close site

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

lets have an example
1.
###
# server
###
suf-pgw:~ # netcat -l -p 10001


###
# client
###
suf-ins:/tmp/vlado # netcat 219.1.90.101 10001
^C punt!


2.Client close TCP session
###
# server
###
suf-pgw:~ # netstat -n | grep 10001
suf-pgw:~ # cat /proc/1/net/nf_conntrack | grep 10001
ipv4     2 tcp      6 104 TIME_WAIT src=219.1.90.100 dst=219.1.90.101
sport=59410 dport=10001 packets=4 bytes=216 src=219.1.90.101
dst=219.1.90.100 sport=10001 dport=59410 packets=2 bytes=112 [ASSURED]
mark=0 zone=0 use=2
suf-pgw:~ #

###
# client
###
suf-ins:/tmp/vlado # netstat -n | grep 10001
tcp        0      0 219.1.90.100:59410      219.1.90.101:10001      TIME_WAIT
suf-ins:/tmp/vlado # cat /proc/1/net/nf_conntrack | grep 10001
ipv4     2 tcp      6 88 TIME_WAIT src=219.1.90.100 dst=219.1.90.101
sport=59410 dport=10001 packets=4 bytes=216 src=219.1.90.101
dst=219.1.90.100 sport=10001 dport=59410 packets=2 bytes=112 [ASSURED]
mark=0 zone=0 use=2
suf-ins:/tmp/vlado #

Kernel tcp stack has TIME_WAIT only on client side -> output from netstat
Why conntrack has TIME_WAIT state on both sides ? -> nf_conntrack listing

Regards,
Vladimir Ondrus

2013/5/6 Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>:
> On Mon, 6 May 2013, Vladimir Ondrus wrote:
>
>> We have a setup with many tcp connections, which are after short time
>> activelly closed from remote site. However we have our nf_conntrack
>> table full with connections in TIME_WAIT state. Output from netstat
>> shows no connection in TIME_WAIT state, which we think is correct,
>> because we are passive close site, so connection should not go through
>> TIME_WAIT state.
>>
>> Why tcp connection in conntrack table goes through TIME_WAIT, even we
>> are pasive close site in tcp?
>
> Conntrack reflects the state of the communicating party which sent the
> last packet, processed by conntrack. In this case it's in the TIME_WAIT
> state.
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
>           H-1525 Budapest 114, POB. 49, Hungar
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux