Bug 1033352

Summary: It is possible for the connection table to have an invalid entry which prevents a new connection from being established
Product: Red Hat Enterprise Linux 6 Reporter: noah davids <ndavids>
Component: iptablesAssignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG QA Contact: qe-baseos-daemons
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: iptables-maint-list
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 22:59:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description noah davids 2013-11-21 22:51:54 UTC 
Description of problem:

The connection table (nf_conntrack) can contain an entry for a stale connection which can prevent a new connection from the same remote host and using the same source port from being connected.

Version-Release number of selected component (if applicable):
kernel is 2.6.32-3458.23.2.el6.x86_64
iptables-1.4.7-9.el6.c86_64

How reproducible:
100% reproducible

Steps to Reproduce:
.
Test program on System A accepts a connection on port, say, 5001 and then writes to the socket once a second. From system B, configure an iptables rule to drop RST packets to system A "iptables -A OUTPUT --dst SYSTEMA-IPADDRESS --protocol tcp --tcp-flags RST RST -j DROP". Now from system B telnet to system A port 5001. Once the telnet client sees the data sent by the test program, close the telnet session (control-] followed by "close".

On System A
A trace shows the FIN packet sent from system B, it will show the ACK from system A and then the next data segment sent by the application. It will then show a set of retransmissions as the ACK-RSTs from system B are droped by system B before being sent. If you dump the nf_conntrack file it will show the connection in a CLOSE_WAIT state with a 60 second timer. During that time the trace will show multiple retransmissions. Also it appears that the 60 second timer resets every time there is a retransmission. The effect is that the connection stays in the CLOSE_WAIT state longer than just 60 seconds, it does eventually disappear when the retransmission timer becomes longer than 60 seconds. HOWEVER, the next time that TCP sends a retransmission the nf_conntract entry is back and this time it is flagged as ESTABLISHED UNREPLIED and the timer is counting down from 432000.

Actual results:


Expected results:
This is very similar to 629857 and it was expected that with the 2.6.32-358.23.2 kernel this problem would have been resolved but it still occurs. 

Additional info:
Comment 1 noah davids 2013-11-21 22:59:43 UTC 
It turns out that the invalid connection entry is just removed when the new connection is created.