From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
ip_conntrack table full, dropping packets. Going back to kernel-2.6.9-1.724_FC3 fixes the problem. It seems to be related to https://lists.netfilter.org/pipermail/netfilter-devel/2004-December/017908.html . It seems to not be releasing the connections from the table even after they are long gone.

Version-Release number of selected component (if applicable):
kernel-2.6.10-1.737_FC3

How reproducible:
Always

Steps to Reproduce:
1. use iptables with ip_conntrack
2. large number of connections (mail gateway)
3. run for a few hours

Actual Results:
drops packets

Additional info:
This is a kernel problem. Assigning to kernel.
I have confirmed this as a problem as well.
Does the connection track/rst fix (Martin Josefsson) correct this problem in the kernel release kernel-2.6.10-1.741_FC3?
kernel-2.6.10-1.741_FC3 works for me.
# cat /proc/net/ip_conntrack|wc -l
1055
Much better than the ~32000 I would get with -737.
kernel-2.6.10-1.741_FC3 appears to still have the bug.
Yes, 741 still has the bug for sure. It bit me too just recently. Unreplied TCP connections will hang around for 5 days and quickly fill the 32k (depending on your RAM) table size. I was doing nmap scans of my own network and it would fill up the table in no time! This is a very bad bug that under many normal conditions will cause dropped connections to/from a system, resulting in intermittent and hard to diagnose networking issues.
I installed 741 last night and it seems to be OK; I am getting back to the 150 or so table entries, not the 32000. I will confirm next week when full load comes on the server on a weekday.
kernel-2.6.10-1.741_FC3 has been running fine all day today. It has resolved my ip_conntrack bug.
# cat /proc/net/ip_conntrack|wc -l
83
Much better than 32000.
This bug is NOT fixed as of 741! My test from Jan 27 still has the entries from that date. To easily fill up your table with entries that don't expire for way too long:
nmap -S 192.168.100.1 -sP 192.168.100.2-254
(change 192.168.100 to your internal subnet/ip)
Each run of that command adds a couple hundred entries to the table:
cat /proc/net/ip_conntrack | wc
and they don't go away for at least days.
Tested and verified on: 2.6.10-1.741_FC3smp
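The symptom described in the comments above (UNREPLIED entries that keep a multi-day timeout and crowd out real connections, with `wc -l` as the only check) can be diagnosed more precisely by parsing /proc/net/ip_conntrack itself. The following is an added diagnostic script, not part of the bug report or the kernel; the sample lines are constructed in the 2.6-era ip_conntrack format, and the 120-second threshold is an assumption based on the normal SYN_SENT timeout.

```python
from collections import Counter

# Constructed sample in the 2.6-era /proc/net/ip_conntrack line format (not a real capture).
# Fields: proto, proto number, timeout (s), [TCP state], original tuple, [UNREPLIED], reply tuple, [ASSURED], use=N
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.100.5 dst=10.0.0.1 sport=40123 dport=25 src=10.0.0.1 dst=192.168.100.5 sport=25 dport=40123 [ASSURED] use=1
tcp      6 431990 SYN_SENT src=192.168.100.1 dst=192.168.100.7 sport=57123 dport=80 [UNREPLIED] src=192.168.100.7 dst=192.168.100.1 sport=80 dport=57123 use=1
tcp      6 117 SYN_SENT src=192.168.100.1 dst=192.168.100.8 sport=57124 dport=80 [UNREPLIED] src=192.168.100.8 dst=192.168.100.1 sport=80 dport=57124 use=1
icmp     1 29 src=192.168.100.1 dst=192.168.100.9 type=8 code=0 id=1234 [UNREPLIED] src=192.168.100.9 dst=192.168.100.1 type=0 code=0 id=1234 use=1
udp      17 28 src=192.168.100.5 dst=192.168.100.2 sport=5353 dport=53 src=192.168.100.2 dst=192.168.100.5 sport=53 dport=5353 use=1
"""

def parse_conntrack(text):
    """Parse ip_conntrack lines into dicts; keeps the original-direction tuple (first src/dst seen)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        entry = {"proto": fields[0], "timeout": int(fields[2]),
                 "state": fields[3] if fields[0] == "tcp" else "-",
                 "unreplied": "[UNREPLIED]" in fields, "assured": "[ASSURED]" in fields}
        for field in fields:
            if "=" in field:
                key, value = field.split("=", 1)
                entry.setdefault(key, value)  # first occurrence = original direction
        entries.append(entry)
    return entries

def summarize(entries):
    """Counts per (proto, state) plus the number of unreplied entries."""
    summary = Counter((e["proto"], e["state"]) for e in entries)
    summary["unreplied"] = sum(e["unreplied"] for e in entries)
    return summary

def stale_unreplied(entries, max_expected=120):
    """Unreplied entries whose remaining timeout exceeds what an unanswered packet should get.
    Assumption: a healthy kernel gives SYN_SENT at most ~120 s, ICMP/UDP ~30 s; anything
    unreplied with a timeout of days is the leak described in the report."""
    return [e for e in entries if e["unreplied"] and e["timeout"] > max_expected]

def top_sources(entries, n=5):
    """Originating addresses responsible for the most entries (e.g. a scanner filling the table)."""
    return Counter(e.get("src", "?") for e in entries).most_common(n)

def fill_ratio(count, conntrack_max):
    """Fraction of the table in use; compare with /proc/sys/net/ipv4/ip_conntrack_max."""
    return count / conntrack_max
```

On a live host, feed the contents of /proc/net/ip_conntrack to parse_conntrack and alert when stale_unreplied is non-empty or fill_ratio approaches 1.0.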