I've been having a problem with /proc/net/ip_conntrack showing many connections in a state like this for up to five days:

Netstat doesn't show these as established connections. This is a problem because I'm also using connlimit on the server, and these phantom connections build up until the connlimit rule thinks a limit has been exceeded and the client is blocked.

I've been able to capture a tcpdump of this from both ends, and the way the connection is closing appears to be odd (although I'm no TCP expert).

(Then the last lines are then repeated several more times over several ...) Client eventually gives up and the conntrack entry will time out. ... as you see is quite high, 600 secs (10 minutes).

This is noticeable when the existing conntrack entry has no NAT transformation or an outdated one and port reuse happens either on the client or due to a NAT middlebox. However, if the client is restarted with the same addr/port pair, it may prevent the conntrack entry from timing out.

What seems to be happening is that the server is sending a FIN, then expecting an ACK of that, but instead it receives a RST. This results in a closed connection according to netstat, but conntrack thinks it's still ESTABLISHED until it times out five days later.

Am I understanding correctly? How can I avoid connlimit thinking that these connections are still established for days?

More details: the client is Mac OS X 10.4.11, the server is Debian Linux. This is a connection from Firefox 3.0.0.14 on the client to Apache 2.2.
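A way to check the poster's reading of the situation on a server, as an added example that is not part of the original post: parse /proc/net/ip_conntrack (or /proc/net/nf_conntrack) next to `netstat -tn`, list the TCP entries conntrack still holds in ESTABLISHED for which the kernel has no ESTABLISHED socket, and tally per source address what connlimit would count. The sample conntrack and netstat lines are constructed for the example (the addresses, ports and timeouts are made up). The counting rule assumed here is xt_connlimit's: an entry that still exists in conntrack counts unless its TCP state is TIME_WAIT or CLOSE, so a stuck ESTABLISHED entry counts like a live connection. Column 3 of an ip_conntrack line is the number of seconds left before the entry expires; an entry parked near 432000 (the default 5-day ip_conntrack_tcp_timeout_established) is the pattern described above.

```python
import re
from collections import defaultdict

# Constructed sample of /proc/net/ip_conntrack on the server (not from the
# original post). Column 3 is the seconds left before the entry expires; the
# first entry sits near the default 432000 s (5 day) ESTABLISHED timeout.
CONNTRACK_SAMPLE = """\
tcp      6 431987 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=49152 dport=80 src=192.0.2.10 dst=198.51.100.7 sport=80 dport=49152 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=49153 dport=80 src=192.0.2.10 dst=198.51.100.7 sport=80 dport=49153 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=198.51.100.7 dst=192.0.2.10 sport=49154 dport=80 src=192.0.2.10 dst=198.51.100.7 sport=80 dport=49154 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=192.0.2.10 sport=51000 dport=80 src=192.0.2.10 dst=203.0.113.9 sport=80 dport=51000 [ASSURED] use=1
udp      17 29 src=203.0.113.9 dst=192.0.2.10 sport=40000 dport=53 src=192.0.2.10 dst=203.0.113.9 sport=53 dport=40000 use=1
"""

# Constructed sample of `netstat -tn` on the same server: only two of the three
# ESTABLISHED conntrack entries have a real socket behind them.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:49153      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51000       ESTABLISHED
"""

# proto, proto number, seconds-to-expiry, optional TCP state, original-direction tuple.
CT_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)
NS_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<lip>\S+):(?P<lport>\d+)\s+(?P<rip>\S+):(?P<rport>\d+)\s+(?P<state>\S+)"
)

# States in which xt_connlimit's already_closed() stops counting an entry (assumption
# stated in the lead-in); anything else that still exists in conntrack is counted.
CLOSED_STATES = {"TIME_WAIT", "CLOSE"}


def parse_conntrack(text):
    """Parse ip_conntrack/nf_conntrack lines into dicts (original direction only)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] in ("ipv4", "ipv6"):
            # /proc/net/nf_conntrack prefixes each line with "ipv4 2"; drop it.
            line = " ".join(fields[2:])
        m = CT_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ttl"], e["sport"], e["dport"] = int(e["ttl"]), int(e["sport"]), int(e["dport"])
        entries.append(e)
    return entries


def parse_netstat_established(text):
    """Return the set of (local_ip, local_port, remote_ip, remote_port) ESTABLISHED sockets."""
    sockets = set()
    for line in text.splitlines():
        m = NS_RE.match(line)
        if m and m.group("state") == "ESTABLISHED":
            sockets.add((m.group("lip"), int(m.group("lport")), m.group("rip"), int(m.group("rport"))))
    return sockets


def connlimit_counts(entries):
    """Per-source-address count of TCP entries connlimit would treat as open (default /32 mask)."""
    counts = defaultdict(int)
    for e in entries:
        if e["proto"] == "tcp" and e["state"] not in CLOSED_STATES:
            counts[e["src"]] += 1
    return dict(counts)


def phantom_entries(entries, sockets):
    """ESTABLISHED conntrack entries for which the server holds no ESTABLISHED socket."""
    phantoms = []
    for e in entries:
        if e["proto"] != "tcp" or e["state"] != "ESTABLISHED":
            continue
        # conntrack's original direction is client->server, so the server-side socket
        # key is (server ip, server port, client ip, client port).
        if (e["dst"], e["dport"], e["src"], e["sport"]) not in sockets:
            phantoms.append(e)
    return phantoms


def report(conntrack_text, netstat_text):
    """Human-readable summary: connlimit view per client, then each phantom with time to expiry."""
    entries = parse_conntrack(conntrack_text)
    sockets = parse_netstat_established(netstat_text)
    lines = [f"connlimit would count {n} connection(s) from {src}"
             for src, n in sorted(connlimit_counts(entries).items())]
    for e in phantom_entries(entries, sockets):
        lines.append(f"phantom: {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} "
                     f"ESTABLISHED in conntrack, no socket, expires in {e['ttl'] / 86400:.1f} days")
    return lines


if __name__ == "__main__":
    # On a real box: report(open('/proc/net/ip_conntrack').read(), subprocess.check_output(['netstat','-tn']).decode())
    for line in report(CONNTRACK_SAMPLE, NETSTAT_SAMPLE):
        print(line)
```

Run against the constructed samples it reports two countable connections from 198.51.100.7 (one live, one phantom) and flags 198.51.100.7:49152 as the entry that will sit in conntrack for almost five more days. On a live server feed it the real files instead; lowering /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established (or, on newer kernels, /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established) shortens how long such entries linger, at the cost of dropping genuinely idle long-lived connections sooner.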