Conntrack vs. TCP-stack timout differences: quickfix howto

Conntrack vs. TCP-stack timout differences: quickfix howto

[Fiedler Roman]

Hello List,

From time to time, iptables drops related packets of TCP-connections originating from the host running iptables. 

Jul 17 06:02:37 [somehost] iptables:DROP-ERROR IN= OUT=eth0 MAC= SRC=[somehost-ip] DST=[otherhost] LEN=64 TOS=00 PREC=0x00 TTL=64 ID=48442 CE DF PROTO=TCP SPT=41902 DPT=80 SEQ=382478645 ACK=1990115033 WINDOW=916 ACK PSH FIN URGP=0

The conntrack tables are quite empty,  far away from loosing conntracks due to overload. In my opinion, kernel is generating those packets since it is still handling the TCP-connection shutdown phase, while conntrack has sorted out the entry, believing that the connection was terminated already.

Since I assume, that the cause for this are different state-timeouts in iptables and TCP-stack, I would like to write a howto (or better a script for automatic check) to find out, which parameters should be adjusted.

Am I on the right track? Is this possible or is e.g. the iptables-TCP-state-model simplified for speed-up, that it cannot follow all local TCP state changes by design?

Thanks,
Roman

PS: Kernel 3.9.7

DI Roman Fiedler
Engineer
Safety & Security Department
Assistive Healthcare Information Technology

AIT Austrian Institute of Technology GmbH
Reininghausstrae 13/1  |  8020 Graz  |  Austria
T +43(0) 50550 2957  |  M +43(0) 664 8561599  |  F +43(0) 50550 2950
roman.fiedler@ait.ac.at | http://www.ait.ac.at/

FN: 115980 i HG Wien  |  UID: ATU14703506
http://www.ait.ac.at/Email-Disclaimer

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html