[netfilter-core] ip_conntrack problems

Martin Josefsson gandalf at wlug.westbo.se
Mon Jan 17 11:05:08 CET 2005


On Fri, 14 Jan 2005, Marcelo Gondim wrote:

> Hi Core Team,

Hi, this mail should have been sent to the
netfilter-devel at lists.netfilter.org list.

> When our network is infected with any worm (a NetBIOS worm), while dropping the
> packets and using kernel 2.6.10, after some time (more or less one day) it stops
> sending and receiving packets and shows conntrack table full errors. I saw that
> putting 65535 in ip_conntrack_max and altering the timeouts does not work.
>
> I returned to kernel 2.4, specifically kernel 2.4.28, and the problems
> stopped. Is there any reason for that to happen?

This is a known bug which has been fixed. Either upgrade to 2.6.11-rc1 or
apply the patch at this location:
http://people.netfilter.org/gandalf/patches/conntrack-fix-rst.patch

Kernel 2.4.28 is known to have an ARP bug which can make it lose contact
with machines on the same subnet.

/Martin
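The question above never says what was actually filling the conntrack table; before raising ip_conntrack_max or applying a patch, the usual check is to look at /proc/net/ip_conntrack and see which protocol/state and which originating host the entries belong to. The script below is an added example and not part of this thread or of the netfilter project; it assumes the line format printed by the 2.4/2.6 ip_conntrack proc file ("tcp 6 <timeout> <STATE> src= dst= sport= dport= [UNREPLIED] src= dst= sport= dport= [ASSURED] use=") and works on a constructed sample snapshot, not a real capture, so it runs offline.

```shell
#!/bin/sh
# Added example: summarize an ip_conntrack snapshot to see what is filling the
# table. Assumption: the /proc/net/ip_conntrack line format of 2.4/2.6 kernels,
# one entry per line, TCP state in field 4, tuples as key=value tokens.

# Constructed sample snapshot (not captured from a real system): host 10.0.0.5
# is scanning its subnet on the NetBIOS/SMB ports and leaves unreplied entries.
conntrack_sample() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=1025 dport=139 src=10.0.0.9 dst=10.0.0.5 sport=139 dport=1025 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.0.0.5 dst=10.0.0.10 sport=1026 dport=139 [UNREPLIED] src=10.0.0.10 dst=10.0.0.5 sport=139 dport=1026 use=1
tcp      6 115 SYN_SENT src=10.0.0.5 dst=10.0.0.11 sport=1027 dport=445 [UNREPLIED] src=10.0.0.11 dst=10.0.0.5 sport=445 dport=1027 use=1
tcp      6 113 SYN_SENT src=10.0.0.5 dst=10.0.0.12 sport=1028 dport=139 [UNREPLIED] src=10.0.0.12 dst=10.0.0.5 sport=139 dport=1028 use=1
tcp      6 98 TIME_WAIT src=10.0.0.7 dst=192.0.2.10 sport=40000 dport=80 src=192.0.2.10 dst=10.0.0.7 sport=80 dport=40000 [ASSURED] use=1
udp      17 28 src=10.0.0.5 dst=10.0.0.255 sport=137 dport=137 [UNREPLIED] src=10.0.0.255 dst=10.0.0.5 sport=137 dport=137 use=1
EOF
}

# Number of entries: one line per conntrack entry.
conntrack_count() {
    grep -c .
}

# Percentage of the limit in use: conntrack_usage COUNT MAX (MAX from
# /proc/sys/net/ipv4/ip_conntrack_max on a live box).
conntrack_usage() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Entries per protocol/state, most common first. Only TCP lines carry a state
# (field 4); other protocols are keyed by protocol name alone.
conntrack_by_state() {
    awk '{ if ($1 == "tcp") key = $1 "/" $4; else key = $1; n[key]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Destination ports of the originating direction (first dport= token on the
# line), most common first: conntrack_top_dports [N]
conntrack_top_dports() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^dport=/) { sub(/^dport=/, "", $i); n[$i]++; break } }
         END { for (p in n) print n[p], p }' | sort -rn | head -n "${1:-5}"
}

# Originating hosts that own entries the other side never answered: a worm
# sweeping a subnet shows up here with a far higher count than anyone else.
conntrack_unreplied_sources() {
    grep '\[UNREPLIED\]' |
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
         END { for (h in n) print n[h], h }' | sort -rn
}

# Stand-alone run against the constructed sample. On a live 2.4/2.6 system
# replace conntrack_sample with "cat /proc/net/ip_conntrack" and 65535 with
# the value in /proc/sys/net/ipv4/ip_conntrack_max.
count=$(conntrack_sample | conntrack_count)
echo "entries: $count ($(conntrack_usage "$count" 65535)% of 65535)"
echo "--- by protocol/state"
conntrack_sample | conntrack_by_state
echo "--- top destination ports"
conntrack_sample | conntrack_top_dports 3
echo "--- hosts with unreplied entries"
conntrack_sample | conntrack_unreplied_sources
```

If the table is dominated by one host's UNREPLIED entries to ports 137/139/445, the table is being filled by the worm's scan and raising ip_conntrack_max only delays the "table full" condition; shortening the timeouts for the states that dominate (or blocking the scanning host before it reaches the conntrack hook) is what actually reduces the count.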
