Bug#288197: 2.6.10: ip_conntrack ignores RST making the tracking hash blow up in your face
Package: kernel
Severity: important
Tags: patch
This is a bug introduced by netfilter ip_conntrack window tracking fixes
introduced in a late 2.6.10-rc, which should be fixed in the pending
2.6.10 upload to the debian archive (discussed on #debian-kernel).
The window tracking fix broke RST handling, making the tracking hash
blow up really badly. In my setup it blew up with
net.ipv4.ip_conntrack_max=65536 after a little over 24 hours in use.
With a 5 day established timeout (the default) the hash would probably
grow to somewhere around 300000 entries - each taking roughly 300 bytes,
and this is on a relatively low trafficked firewall (10-20Mbps). Normal
non-buggy operation here is about 1-2000 entries.
The fix attached has currently not been checked over by the guy who broke
it all; but it has been known to work just fine in my setups and others.
More history - and patch:
http://lists.netfilter.org/pipermail/netfilter-devel/2004-December/017908.html
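A toy model of the failure mode, added here as an illustration (it is neither the bug report's own code nor the netfilter patch): a flow table that, like the broken ip_conntrack, leaves the 5 day ESTABLISHED timer running when it sees an RST, next to one that moves the entry to the short CLOSE timer. Timeouts, flow rate and the "constructed-client" flow keys are assumptions; the table size is the report's ip_conntrack_max of 65536.

```python
import heapq

# Default 2.6-era ip_conntrack TCP timeouts in seconds (assumed for this model).
ESTABLISHED_TIMEOUT = 5 * 24 * 3600   # 5 days
CLOSE_TIMEOUT = 10


class ConntrackModel:
    """Toy flow table: flow tuple -> expiry time, with a heap for cheap expiry.
    honour_rst=False reproduces the bug: an RST leaves the 5-day timer running."""

    def __init__(self, honour_rst, max_entries=65536):
        self.honour_rst = honour_rst
        self.max_entries = max_entries   # plays the role of net.ipv4.ip_conntrack_max
        self.table = {}
        self.heap = []
        self.dropped = 0                 # packets refused because the table was full

    def _expire(self, now):
        while self.heap and self.heap[0][0] <= now:
            expiry, flow = heapq.heappop(self.heap)
            if self.table.get(flow) == expiry:   # skip stale heap entries
                del self.table[flow]

    def packet(self, now, flow, rst=False):
        self._expire(now)
        if flow not in self.table and len(self.table) >= self.max_entries:
            self.dropped += 1            # the kernel's "table full, dropping packet" case
            return False
        if rst and self.honour_rst:
            expiry = now + CLOSE_TIMEOUT         # fixed behaviour: tear the entry down soon
        else:
            expiry = now + ESTABLISHED_TIMEOUT   # buggy behaviour on RST: keep it 5 days
        self.table[flow] = expiry
        heapq.heappush(self.heap, (expiry, flow))
        return True


def simulate(honour_rst, hours=25, flows_per_second=4):
    """Open flows_per_second short TCP flows per second, each reset in the same second.
    Returns (entries left in the table, packets dropped because the table was full)."""
    ct = ConntrackModel(honour_rst)
    for now in range(hours * 3600):
        for i in range(flows_per_second):
            flow = ("constructed-client", now * flows_per_second + i)  # stands in for a 5-tuple
            ct.packet(now, flow)            # data on an established flow
            ct.packet(now, flow, rst=True)  # peer resets it
    ct._expire(hours * 3600)
    return len(ct.table), ct.dropped


if __name__ == "__main__":
    print("RST ignored :", simulate(honour_rst=False))  # pinned at ip_conntrack_max, drops
    print("RST honoured:", simulate(honour_rst=True))   # only the last ~10 s of flows remain
```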
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (1000, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-s1-up
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)