Re: ip_conntrack & timing out of connections

Harald Welte (laforge@gnumonks.org)
Sun, 11 Nov 2001 23:38:12 +0100


On Tue, Nov 06, 2001 at 12:19:47PM +0100, Marc A. Lehmann wrote:

> however, after some time, I get many of these messages:
>
> Nov 6 02:39:55 doom kernel: ip_conntrack: table full, dropping packet.
>
> /proc/net/ip_conntrack has lots of connections like these:
>
> tcp 6 430665 ESTABLISHED src=213.76.191.129 dst=217.227.148.85 sport=3881 dport=80 src=217.227.148.85 dst=213.76.191.129 sport=80 dport=388 1 [ASSURED] use=1
>
> that is, connections to port 80. a grep dport=80 in ip_conntrack gives me
> 3768 lines, where netstat -t only shows 159 connections, so it seems that
> conntrack has a problems with time-outs (or something similar).

connection tracking keeps all TCP conntrack entries for 120 seconds after
completion of FIN <-> FIN closedown. This is the TIME_WAIT state of the
tcp protocol.

Maybe the linux tcp stack doesn't wait for 120 seconds, or some other
condition in the tcp stack makes the sockets disappear from the netstat -t
list.

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/