From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0

Description of problem:
On a production server I've noticed that Amanda backup size estimates sometimes take over 50 minutes. Also I sometimes get messages from PSAD (which comes with Bastille Linux) that one of the name servers is port scanning the server. This is because the firewall is rejecting the UDP packets, presumably because the connection tracking is losing the connections somewhere.

Version-Release number of selected component (if applicable):

How reproducible:
Sometimes

Steps to Reproduce:
1. kernel 2.4.9-34
2. Rebuild Amanda with specific port ranges. You may need to install a patch to be able to run amrecover.
3. Run Amanda backups
4. Install Bastille Linux and configure the firewall (uses iptables, relies on connection tracking)

Actual Results:
Amanda sendsize packets are being rejected. DNS packets are being rejected.

Expected Results:
The firewall should recognize these packets as belonging to an existing UDP connection and accept them.

Additional info:
*Sigh* UTSL. I've doubled the timeout values in net/ipv4/netfilter/ip_conntrack_proto_udp.c and am recompiling the kernel now. It would be nice if this were a runtime option (e.g. insmod ip_conntrack udpto=60 udpstrto=360).
Actually, with the timeouts I'm getting it seems as though the IPS_SEEN_REPLY bit is not getting set correctly. The Amanda server sends a request packet to each client which is immediately acknowledged. This should cause the IPS_SEEN_REPLY bit to be set. A little over a minute later, the reply packet is sent and iptables on the server drops it. If the IPS_SEEN_REPLY bit were set, ip_conntrack should be holding the connection for 5 minutes (since I've doubled the timeouts).
s/5 minutes/6 minutes/
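The timing the reporter describes (request, immediate acknowledgement, then about a minute of silence before the real reply) can be reproduced in a small user-space model of the UDP tracker. The example below is added here and is not kernel code or anything from the bug's attachments; it assumes HZ, the two timeout names and, in particular, the ordering used in 2.4's ip_conntrack_core.c where the protocol's packet() hook picks the timeout before the IPS_SEEN_REPLY bit is set for a reply-direction packet (verify that ordering against the ip_conntrack_core.c you are patching). The Amanda packet timings are constructed. It shows why doubling the timeouts to 60 s and 360 s still loses the entry: the acknowledgement itself is refreshed with the short one-way timeout, and the stream timeout only applies to the next packet after it.

```c
#include <stdio.h>

/*
 * Added example (not kernel code): a user-space model of how the 2.4
 * ip_conntrack UDP tracker chooses its timeout. HZ, the timeout names and
 * the "packet() runs before IPS_SEEN_REPLY is set" ordering are assumed
 * from net/ipv4/netfilter/ip_conntrack_proto_udp.c and
 * ip_conntrack_core.c; the packet timings below are constructed.
 */

#define HZ 100L

/* Adjustable at run time here, which is what the report wishes the module
 * allowed (e.g. insmod ip_conntrack udpto=60 udpstrto=360). */
static long udp_timeout        = 30 * HZ;   /* traffic seen one way only */
static long udp_stream_timeout = 180 * HZ;  /* traffic seen both ways    */

#define IPS_SEEN_REPLY (1UL << 1)
#define IPS_ASSURED    (1UL << 2)

enum dir { DIR_ORIGINAL = 0, DIR_REPLY = 1 };

struct conntrack {
    int alive;              /* entry currently exists in the table   */
    unsigned long status;   /* IPS_* bits                            */
    long expires;           /* jiffies at which the timer removes it */
};

static long jiffies;        /* simulated clock */

static void ip_ct_refresh(struct conntrack *ct, long extra)
{
    ct->expires = jiffies + extra;
}

/* Model of udp_packet(): the stream timeout applies only if the reply
 * bit was already set when this packet arrived. */
static void udp_packet(struct conntrack *ct)
{
    if (ct->status & IPS_SEEN_REPLY) {
        ip_ct_refresh(ct, udp_stream_timeout);
        ct->status |= IPS_ASSURED;
    } else {
        ip_ct_refresh(ct, udp_timeout);
    }
}

/*
 * Model of ip_conntrack_in() for one packet of the flow at jiffies t.
 * Returns 1 when the packet matched a live entry (what a rule matching
 * state ESTABLISHED accepts) and 0 when it did not: an original-direction
 * packet then creates a fresh entry (state NEW), while a reply-direction
 * packet has nothing to match and is what the reporter's firewall rejects.
 */
static int conntrack_in(struct conntrack *ct, enum dir d, long t)
{
    int matched;

    jiffies = t;
    if (ct->alive && ct->expires <= jiffies)
        ct->alive = 0;                  /* timer fired: entry destroyed */

    matched = ct->alive;
    if (!ct->alive) {
        if (d == DIR_REPLY)
            return 0;                   /* unsolicited: nothing to refresh */
        ct->alive = 1;                  /* new entry in the original direction */
        ct->status = 0;
    }

    udp_packet(ct);                     /* timeout chosen here ...            */
    if (d == DIR_REPLY)
        ct->status |= IPS_SEEN_REPLY;   /* ... and only then the bit is set   */
    return matched;
}

/*
 * The reporter's sequence with doubled timeouts: request at 0 s, ack 0.1 s
 * later, real reply after reply_delay_s seconds. Returns whether the reply
 * matched the existing entry.
 */
static int amanda_reply_accepted(long reply_delay_s)
{
    struct conntrack ct = {0, 0, 0};
    udp_timeout = 60 * HZ;
    udp_stream_timeout = 360 * HZ;
    conntrack_in(&ct, DIR_ORIGINAL, 0);             /* sendsize request */
    conntrack_in(&ct, DIR_REPLY, HZ / 10);          /* immediate ack    */
    return conntrack_in(&ct, DIR_REPLY, reply_delay_s * HZ);
}

/* Same sequence plus one more server packet keepalive_s seconds in: with the
 * reply bit already set, that packet receives the stream timeout. */
static int amanda_reply_accepted_with_keepalive(long keepalive_s, long reply_delay_s)
{
    struct conntrack ct = {0, 0, 0};
    udp_timeout = 60 * HZ;
    udp_stream_timeout = 360 * HZ;
    conntrack_in(&ct, DIR_ORIGINAL, 0);
    conntrack_in(&ct, DIR_REPLY, HZ / 10);
    conntrack_in(&ct, DIR_ORIGINAL, keepalive_s * HZ);
    return conntrack_in(&ct, DIR_REPLY, reply_delay_s * HZ);
}

int main(void)
{
    printf("reply after 70 s, no extra packet:    %s\n",
           amanda_reply_accepted(70) ? "accepted" : "dropped");
    printf("reply after 70 s, server packet at 30 s: %s\n",
           amanda_reply_accepted_with_keepalive(30, 70) ? "accepted" : "dropped");
    return 0;
}
```

Under this model the entry is only ever refreshed by the short timeout until a third packet arrives, so the reply at 70 s is dropped with the doubled 60 s value just as with the default 30 s; a reply inside 60 s, or any packet in either direction before expiry, keeps it. That is also why PSAD reports the late packets as scans: from the firewall's point of view they are unsolicited inbound UDP. Later kernels expose the same two values as sysctls (net.netfilter.nf_conntrack_udp_timeout and nf_conntrack_udp_timeout_stream), which is the runtime control the report asks for.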
Thanks for the bug report. However, Red Hat no longer maintains this version of the product. Please upgrade to the latest version and open a new bug if the problem persists. The Fedora Legacy project (http://fedoralegacy.org/) maintains some older releases, and if you believe this bug is interesting to them, please report the problem in the bug tracker at: http://bugzilla.fedora.us/