* DNAT socket missing reset although ip_conntrack entry has been cleared
@ 2012-10-31 18:29 Tsillas, James
From: Tsillas, James @ 2012-10-31 18:29 UTC (permalink / raw)
To: netfilter
We have a transparent proxy application which uses the DNAT target to a local port.
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 to:10.227.128.135:9033
This runs on a network appliance using MontaVista Linux on a MIPS/Cavium CPU:
Release: 2.6.21_mvlcge510-octeon-mips64_octeon_v2_be
Version: #1 SMP PREEMPT RT Tue Oct 30 09:28:58 PDT 2012
Machine: mips64
The problem happens on a busy proxy socket which is forwarding data from a
server. The client which originated the connection will issue an RST,ACK:
48918 52.261639 99.196.131.89 8.27.225.254 TCP 66 59715 > http [RST, ACK] Seq=1 Ack=52254009 Win=11696 Len=0 TSval=10399765 TSecr=1948069
We see the connection is no longer in /proc/net/ip_conntrack.
But we notice the connection is still shown by netstat:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 47784 10.227.128.135:9033 99.196.131.89:59715 ESTABLISHED
Our app is never told the socket has reset and we continue to hold it open.
Since we have no conntrack, the socket can no longer send data to its client.
From the app's point of view, shouldn't a TCP socket be reset once the ip_conntrack
is removed?
thanks!!!
-Jim.
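The cross-check Jim did by hand (netstat shows the socket ESTABLISHED, /proc/net/ip_conntrack no longer lists it) can be automated so the proxy learns about such sockets instead of holding them open. The script below is an added example, not code from the post or the appliance; it assumes the /proc/net/ip_conntrack layout where the second src/dst/sport/dport group is the reply direction, and the netstat and conntrack lines it parses are constructed sample data modelled on the ones quoted above.

```python
import re

# Constructed sample data modelled on the netstat and /proc/net/ip_conntrack
# lines in the post. The first socket is the orphan from the post (no conntrack
# entry); the second still has its entry and must not be reported.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0  47784 10.227.128.135:9033     99.196.131.89:59715     ESTABLISHED
tcp        0      0 10.227.128.135:9033     203.0.113.7:41022       ESTABLISHED
"""
CONNTRACK_SAMPLE = """\
tcp      6 431998 ESTABLISHED src=203.0.113.7 dst=8.27.225.254 sport=41022 dport=80 src=10.227.128.135 dst=203.0.113.7 sport=9033 dport=41022 [ASSURED] use=1
"""

_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def conntrack_reply_tuples(text):
    # After DNAT the reply tuple (second src/dst group) has src = proxy address
    # and dst = client, i.e. the local/foreign pair netstat shows for the socket.
    seen = set()
    for line in text.splitlines():
        tuples = _TUPLE_RE.findall(line)
        if not line.startswith("tcp") or len(tuples) < 2:
            continue  # not a tcp entry, or truncated: skip rather than guess
        src, dst, sport, dport = tuples[1]
        seen.add((src, int(sport), dst, int(dport)))
    return seen

def established_sockets(text, local_port):
    # Parse `netstat -tn` lines into ((local_ip, local_port, remote_ip, remote_port), Send-Q).
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "tcp" or f[5] != "ESTABLISHED":
            continue
        lip, lport = f[3].rsplit(":", 1)
        rip, rport = f[4].rsplit(":", 1)
        if int(lport) == local_port:
            out.append(((lip, int(lport), rip, int(rport)), int(f[2])))
    return out

def orphaned_dnat_sockets(netstat_text, conntrack_text, local_port):
    # ESTABLISHED proxy sockets whose conntrack entry is gone: their replies can
    # no longer be reverse-NATed, so the application should close them itself.
    live = conntrack_reply_tuples(conntrack_text)
    return [(sock, sendq) for sock, sendq in established_sockets(netstat_text, local_port)
            if sock not in live]

if __name__ == "__main__":
    for (lip, lport, rip, rport), sendq in orphaned_dnat_sockets(NETSTAT_SAMPLE, CONNTRACK_SAMPLE, 9033):
        print(f"orphaned: {lip}:{lport} <- {rip}:{rport} (Send-Q {sendq} bytes)")
```

On the appliance itself, feed it the live output of `netstat -tn` and `cat /proc/net/ip_conntrack` in place of the samples; any socket it reports is one the proxy can close rather than wait on.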