Questions tagged [conntrack]

71 questions
13
votes
3 answers

Where is the correct place to set net.netfilter.nf_conntrack_buckets?

I'm currently trying to set net.netfilter.nf_conntrack_buckets on boot. I initially assumed that this could be done through sysctl.conf, but net.netfilter.nf_conntrack_buckets (and other net.netfilter configurations) were not applied at all. …
KelchM
  • 155
  • 1
  • 2
  • 6
7
votes
5 answers

Route IP Traffic Based on Process to Different Default Routes / Interfaces

I'm trying to determine if it is possible to selectively route IP packets from a process or process group through a specific interface while all other packets are routed through another interface. That is, I want all traffic from /usr/bin/testapp to…
justinzane
  • 181
  • 2
  • 13
5
votes
2 answers

Why is conntrackd not replicating state?

I have a problem with an active/active firewall cluster where the connection tracking state in the firewall does not seem to be being replicated. It's active/active because I have two routers connected via different ISPs and a network range that…
hookenz
  • 14,132
  • 22
  • 86
  • 142
5
votes
1 answer

Why does nf_conntrack_count keep increasing?

I'm using Ubuntu 11.10 & nginx. My server's currently doing about 350 rps (that's the load that's coming in). I use iptables to make sure connections on certain ports are restricted only to boxes I own. I've noticed nf_conntrack_count keeps…
bluesmoon
  • 291
  • 1
  • 3
  • 8
5
votes
3 answers

Delete specific conntrack entries?

In a multi-ISP configuration, I'm routing and NATing specific traffic, e.g. VoIP, through a specific interface, to a distinct provider. When one of the interfaces (or routes) becomes unavailable, all connections that were using it have to be dropped,…
Zrin
  • 597
  • 1
  • 5
  • 14
4
votes
2 answers

/proc/sys/net/netfilter/nf_conntrack_count extreme drop when reading /proc/net/nf_conntrack

I have very busy web servers, and wanted to introduce some analysis to see what kind of traffic is present. Namely, the total number of all connections, number of time waits, established connections, UDP and TCP connections. First, I made a simple graph -…
Victoria Javi
  • 41
  • 1
  • 3
4
votes
1 answer

What happened to byte and packet counters in conntrack?

Netfilter's conntrack docs show an example output of conntrack -L that contains bytes= and packets= counters, but when I run it I only see IP and port information. I'm aware that the docs are really out of date, and specifically mention…
itsadok
  • 1,839
  • 5
  • 21
  • 33
4
votes
1 answer

Iproute2 tools vs conntrack tools

I have a Linux box which is set up as a firewall/gateway for the network. I was just wondering why ss and other iproute2 tools show much less than iptables conntrack. Is it because the router function is happening in the kernel only? ss -na shows only two…
Adrian Cornish
  • 521
  • 1
  • 4
  • 11
4
votes
1 answer

Ubuntu HTTP latency falling into strange quantiles

I have an Ubuntu 10.10 server with plenty of RAM, bandwidth and CPU. I'm seeing a strange, repeatable pattern in the distribution of latencies when serving static files from both Apache and nginx. Because the problem is common to both http servers,…
3
votes
1 answer

iptables blocking some of the traffic on ports 80 and 443 when it shouldn't?

A web server I'm administering shows weird iptables denials from IPv4 addresses on destination port 443, despite HTTPS traffic being explicitly allowed. Port 80 is also allowed in the same rule, but the site is HTTPS-only and 80 is immediately…
JK Laiho
  • 195
  • 9
3
votes
0 answers

Does netfilter reassemble IP fragments when packet is forwarded?

An IP datagram should be reassembled at the end of the path because the fragments may arrive via different paths. I think Netfilter needs to reassemble an IP datagram to inspect the whole payload to see if it matches a given filter rule (I am…
MABC
  • 203
  • 1
  • 5
  • 11
3
votes
2 answers

ip_conntrack_count has way too many connections

The conntrack table on my server has over 1.2 million connections, I keep bumping up the limit but the table just continues to grow (but not monotonically -- it does go down sometimes). $ cat…
Dan
  • 31
  • 1
  • 2
3
votes
2 answers

nf_conntrack: table full, dropping packet

Mar 24 03:29:26 kernel: [1557411.243821] TCP: time wait bucket table overflow (CT0)
Mar 24 03:29:26 kernel: [1557411.243828] TCP: time wait bucket table overflow (CT0)
Mar 24 03:29:26 kernel: [1557411.243998] TCP: time wait bucket table overflow…
Tiffany Walker
  • 6,541
  • 13
  • 53
  • 77
3
votes
1 answer

Conntrack: Does deletion of conntrack entry delete the tcp connection?

I am wondering if Conntrack -D deletes the TCP connection or if it just deletes the connection tracking entry. I established an SSH session to my router and then deleted the entry using the Conntrack -D command. I can see that the entry gets deleted but I see…
SeattleOrBayArea
  • 143
  • 1
  • 2
  • 7
3
votes
2 answers

When does iptable's conntrack module track states of packets?

It first needs to store states. With some old BSD firewall that I used, which I guess was named IPFW, I used to put in a rule that stated "keep track of the state of the leaving packet", and this was placed on the outbound direction of interfaces. Then,…
caveman
  • 133
  • 1
  • 7