[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter
Subject:    Re: ip_conntrack dropping packets, 2nd attempt
From:       Daniel Stone <daniel () sfarc ! net>
Date:       2001-06-21 12:41:44
[Download RAW message or body]

On Thu, Jun 21, 2001 at 02:37:20PM +0200, Juri Haberland wrote:
> Guys,
> 
> this is driving me crazy. I'm still getting a lot of those packets
> dropped. Just to remind you - the  rule causing this is 
> $IPTABLES -A INPUT -i $FW_WORLD_DEV -p tcp ! --syn -m state --state NEW
> -j LOG --log-prefix "IPT NEW w/o SYN: "
> $IPTABLES -A INPUT -i $FW_WORLD_DEV -p tcp ! --syn -m state --state NEW
> -j DROP
> 
> Here are some of the log entries. As you can see, most of them have the
> ACK and the FIN bit set.
> Please give me a hint where to start debugging this - I'm willing to do
> any debugging to get this resolved or at least explained...

It's due to connection tracking forgetting about connections far too quickly
- Rusty, what can really be done about this?

-- 
Daniel Stone						     <daniel@sfarc.net>
<Nuke> "can NE1 help me aim nuclear weaponz????? /MSG ME!!"

[prev in list] [next in list] [prev in thread] [next in thread]