diff options
| author | Florian Westphal <fw@strlen.de> | 2013-06-13 17:31:28 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-06-20 11:20:13 +0200 |
| commit | 6547a221871f139cc56328a38105d47c14874cbe (patch) | |
| tree | 1882035b480cf2642bb4985f749ef544b34d3c56 /include/uapi | |
| parent | 130ffbc2638ddc290fcbabe1b9ce6a5d333a6a97 (diff) | |
| download | op-kernel-dev-6547a221871f139cc56328a38105d47c14874cbe.zip op-kernel-dev-6547a221871f139cc56328a38105d47c14874cbe.tar.gz | |
netfilter: nf_conntrack: avoid large timeout for mid-stream pickup
When loose tracking is enabled (default), non-syn packets cause
creation of new conntracks in established state with default timeout for
established state (5 days). This causes the table to fill up with UNREPLIED
when the 'new ack' packet happened to be the last-ack of a previous,
already timed-out connection.
Consider:
A 192.168.x.52792 > 10.184.y.80: F, 426:426(0) ack 9237 win 255
B 10.184.y.80 > 192.168.x.52792: ., ack 427 win 123
<61 second pause>
C 10.184.y.80 > 192.168.x.52792: F, 9237:9237(0) ack 427 win 123
D 192.168.x.52792 > 10.184.y.80: ., ack 9238 win 255
B moves conntrack to CLOSE_WAIT and will kill it after 60 second timeout,
C is ignored (FIN set), but last packet (D) causes new ct with 5-days timeout.
Use UNACK timeout (5 minutes) instead to get rid of these entries sooner
when in ESTABLISHED state without having seen traffic in both directions.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/uapi')
0 files changed, 0 insertions, 0 deletions
