[RFC] An idea on conntrack expiration (was: Re: unused establishedconnections)

Pascal C. Kocher pascal.kocher@netbeat-security.ch
Wed, 30 Jan 2002 16:25:19 +0100



> >     I mean the e-mails regarding conntrack table DoS. I understand
> > that it is highly unlikely, but people have shown that on large router
> > systems running iptables/conntrack, the number of connections in the
> > connection table does get very large. Having expiration data would
> > significantly lower these "stale" connections, help keep the conntrack
> > table small, and like Graham Houston said in another e-mail, keep
> > iptables competitive (CP-1 has this expiration feature already).
>
> How do you know which long-running connection is truly stale?

How about using a different approach than setting a fixed limit?

A userspace tool which can remove selected connections. This way you
would be able to terminate connections you are certain are stale (or
not used).

My 2 cents.
Pascal.
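As an added illustration (not code from this thread or from the netfilter project) of the selective-removal tool proposed above: parse a constructed table in the 2.4-era /proc/net/ip_conntrack format, infer idle time from the remaining timeout, and emit the matching `conntrack -D` commands from today's conntrack-tools for an operator to review rather than executing them. The 5-day ESTABLISHED timeout and the sample entries are assumptions for the example.

```python
import re

# Added example, not from the thread: sketch of a userspace tool that picks
# conntrack entries to remove. Assumes the 2.4-era /proc/net/ip_conntrack
# format, where column 3 is the remaining timeout in seconds and an
# ESTABLISHED TCP entry is reset to 5 days on every packet.
TCP_ESTABLISHED_TIMEOUT = 5 * 24 * 3600  # 432000 s

# Constructed sample table, not captured from a real router.
SAMPLE_TABLE = """\
tcp      6 431990 ESTABLISHED src=10.1.1.5 dst=192.0.2.10 sport=40001 dport=443 src=192.0.2.10 dst=10.1.1.5 sport=443 dport=40001 [ASSURED] use=1
tcp      6 120000 ESTABLISHED src=10.1.1.7 dst=192.0.2.20 sport=40002 dport=22 src=192.0.2.20 dst=10.1.1.7 sport=22 dport=40002 [ASSURED] use=1
tcp      6 86 SYN_SENT src=10.1.1.9 dst=192.0.2.30 sport=40003 dport=80 [UNREPLIED] src=192.0.2.30 dst=10.1.1.9 sport=80 dport=40003 use=1
udp      17 25 src=10.1.1.11 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=10.1.1.11 sport=53 dport=5353 use=1
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

def parse_table(text):
    """Yield one dict per entry, keeping only the original-direction tuple."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["timeout"] = int(entry["timeout"])
            yield entry

def idle_seconds(entry):
    """Seconds since the last packet, inferred from the remaining timeout.
    Only meaningful for ESTABLISHED TCP; None for anything else."""
    if entry["proto"] == "tcp" and entry["state"] == "ESTABLISHED":
        return TCP_ESTABLISHED_TIMEOUT - entry["timeout"]
    return None

def select_stale(text, min_idle):
    """Entries idle for at least min_idle seconds, longest idle first."""
    stale = [e for e in parse_table(text)
             if idle_seconds(e) is not None and idle_seconds(e) >= min_idle]
    return sorted(stale, key=idle_seconds, reverse=True)

def delete_commands(entries):
    """conntrack-tools `conntrack -D` lines for an operator to review first."""
    return [f"conntrack -D -p {e['proto']} -s {e['src']} -d {e['dst']} "
            f"--sport {e['sport']} --dport {e['dport']}" for e in entries]

if __name__ == "__main__":
    for cmd in delete_commands(select_stale(SAMPLE_TABLE, 24 * 3600)):
        print(cmd)
```

Only ESTABLISHED TCP entries carry a usable idle estimate; the UDP and half-open entries are parsed but never proposed for deletion, which is the point of letting the operator choose instead of applying a blanket limit.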