Bug 75035 - ip_conntrack drops UDP connections too early
Summary: ip_conntrack drops UDP connections too early
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 7.1
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-10-03 21:06 UTC by John Dalbec
Modified: 2008-08-01 16:22 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-09-30 15:39:59 UTC
Embargoed:



Description John Dalbec 2002-10-03 21:06:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0

Description of problem:
On a production server I've noticed that Amanda backup size estimates sometimes
take over 50 minutes.  Also I sometimes get messages from PSAD (which comes with
Bastille Linux) that one of the name servers is port scanning the server.  This
is because the firewall is rejecting the UDP packets, presumably because the
connection tracking is losing the connections somewhere.

Version-Release number of selected component (if applicable):


How reproducible:
Sometimes

Steps to Reproduce:
1. kernel 2.4.9-34
2. Rebuild Amanda with specific port ranges.  You may need to install a patch to
be able to run amrecover.
3. Run Amanda backups
4. Install Bastille Linux and configure the firewall (uses iptables, relies on
connection tracking)


Actual Results:  Amanda sendsize packets are being rejected.  DNS packets are
being rejected.

Expected Results:  The firewall should recognize these packets as belonging to
an existing UDP connection and accept them.

Additional info:

Comment 1 John Dalbec 2002-10-09 14:19:22 UTC
*Sigh* UTSL.  I've doubled the timeout values in
net/ipv4/netfilter/ip_conntrack_proto_udp.c and am recompiling the kernel now. 
It would be nice if this were a runtime option (e.g. insmod ip_conntrack
udpto=60 udpstrto=360).

Comment 2 John Dalbec 2002-10-30 13:42:18 UTC
Actually, with the timeouts I'm getting it seems as though the IPS_SEEN_REPLY
bit is not getting set correctly.  The Amanda server sends a request packet to
each client which is immediately acknowledged.  This should cause the
IPS_SEEN_REPLY bit to be set.  A little over a minute later, the reply packet is
sent and iptables on the server drops it.  If the IPS_SEEN_REPLY bit were set,
ip_conntrack should be holding the connection for 5 minutes (since I've doubled
the timeouts).

Comment 3 John Dalbec 2002-10-30 14:45:02 UTC
s/5 minutes/6 minutes/
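
The behaviour the reporter is reasoning about in Comments 1 to 3 is the UDP timeout logic in ip_conntrack: an entry that has not yet seen a reply is kept for UDP_TIMEOUT (30 s in 2.4's ip_conntrack_proto_udp.c), and once a packet arrives in the reply direction the IPS_SEEN_REPLY bit is set and the entry is refreshed with UDP_STREAM_TIMEOUT (180 s) instead. The following toy model is an added example, not kernel code and not something from the bug report: it keeps entries keyed by the original-direction tuple, matches replies only against the exact reverse tuple, and classifies each packet as NEW or ESTABLISHED the way the iptables state match would. The addresses and ports are constructed, the `udpto` and `udpstrto` parameter names are the hypothetical ones from Comment 1 (2.4 had no such module options), and the scenario in which the acknowledgement comes from a different source port is only one constructed way the described symptom can appear in the model; the page does not establish that this is what happened on the reporter's server.

```python
"""Toy model of Linux 2.4 ip_conntrack's UDP timeout logic (added example, not kernel code)."""
from dataclasses import dataclass

# Compiled-in defaults from 2.4 net/ipv4/netfilter/ip_conntrack_proto_udp.c, in seconds.
UDP_TIMEOUT = 30          # entry that has not yet seen a reply
UDP_STREAM_TIMEOUT = 180  # entry once IPS_SEEN_REPLY is set


def reverse(t):
    """Reply-direction tuple for (src_ip, src_port, dst_ip, dst_port)."""
    src_ip, src_port, dst_ip, dst_port = t
    return (dst_ip, dst_port, src_ip, src_port)


@dataclass
class Entry:
    orig: tuple        # original-direction tuple
    seen_reply: bool   # models the IPS_SEEN_REPLY status bit
    expires: float     # absolute time at which the entry is garbage-collected


class UdpConntrack:
    """UDP entries keyed by original-direction tuple.

    udpto / udpstrto are the hypothetical runtime options from Comment 1;
    they only exist in this model.
    """

    def __init__(self, udpto=UDP_TIMEOUT, udpstrto=UDP_STREAM_TIMEOUT):
        self.udpto = udpto
        self.udpstrto = udpstrto
        self.table = {}

    def _expire(self, now):
        for key in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[key]

    def _refresh(self, entry, now):
        # As in udp_packet(): the longer stream timeout applies only after a reply was seen.
        entry.expires = now + (self.udpstrto if entry.seen_reply else self.udpto)

    def packet(self, now, tup):
        """Return "NEW" or "ESTABLISHED" for a packet with tuple tup at time now.

        Real conntrack also yields RELATED and INVALID; this model never does.
        """
        self._expire(now)
        if tup in self.table:                   # original direction
            entry = self.table[tup]
            state = "ESTABLISHED" if entry.seen_reply else "NEW"
        elif reverse(tup) in self.table:        # reply direction
            entry = self.table[reverse(tup)]
            entry.seen_reply = True             # sets IPS_SEEN_REPLY
            state = "ESTABLISHED"
        else:
            entry = Entry(orig=tup, seen_reply=False, expires=0.0)
            self.table[tup] = entry
            state = "NEW"
        self._refresh(entry, now)
        return state


# Constructed addresses and ports; not taken from the bug report.
SERVER = ("192.0.2.1", 10080)
CLIENT = ("192.0.2.2", 10080)
REQUEST = SERVER + CLIENT        # server -> client
DATA_REPLY = CLIENT + SERVER     # client -> server, the exact reverse tuple


def delayed_reply_state(ack_src_port, reply_delay,
                        udpto=UDP_TIMEOUT, udpstrto=UDP_STREAM_TIMEOUT):
    """Request at t=0, an immediate ack from ack_src_port, the data reply after reply_delay.

    Returns the state of the delayed reply.  A firewall that only admits
    ESTABLISHED traffic on this port drops it whenever the result is "NEW".
    """
    ct = UdpConntrack(udpto, udpstrto)
    ct.packet(0.0, REQUEST)
    ct.packet(0.1, (CLIENT[0], ack_src_port) + SERVER)
    return ct.packet(reply_delay, DATA_REPLY)


if __name__ == "__main__":
    # Ack from the reverse tuple: reply 65 s later is still ESTABLISHED.
    print("matching ack, 65 s:", delayed_reply_state(CLIENT[1], 65.0))
    # Ack from another source port never marks the entry as replied;
    # the 30 s unreplied timeout lapses and the reply shows up as NEW.
    print("mismatched ack, 65 s:", delayed_reply_state(40000, 65.0))
    # Doubling the timeouts as in Comment 1 does not cover a 65 s gap either.
    print("mismatched ack, doubled timeouts, 65 s:",
          delayed_reply_state(40000, 65.0, udpto=60, udpstrto=360))
```

The useful check for a defender is the second and third cases: if the packet that was assumed to be the acknowledgement does not match the reverse tuple, the original entry stays in the unreplied state, the short timeout applies regardless of how the stream timeout is tuned, and only a change to the unreplied timeout (or an explicit accept rule for the reply port range) prevents the drop. Comparing `/proc/net/ip_conntrack` entries against the actual source ports of the acknowledgement is the way to tell the two cases apart on a live system.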

Comment 4 Bugzilla owner 2004-09-30 15:39:59 UTC
Thanks for the bug report. However, Red Hat no longer maintains this version of
the product. Please upgrade to the latest version and open a new bug if the problem
persists.

The Fedora Legacy project (http://fedoralegacy.org/) maintains some older releases, 
and if you believe this bug is interesting to them, please report the problem in
the bug tracker at: http://bugzilla.fedora.us/
