(iptables) ip_conntrack bug?
Thu, 16 Nov 2000 01:03:29 +0200 (IST)
On Wed, 15 Nov 2000, Guus Sliepen wrote:
> > I was DDoS'd today while away and came home to find the firewall unable to
> > do anything network related (although my connection to irc was still
> > working oddly). a quick dmesg showed the problem.
> > ip_conntrack: maximum limit of 2048 entries exceeded
> I have also seen this happen on a box which ran test9. Apparently because of
> it's long uptime, because the logs should no signs of an attack.
> I guess conntrack forgets to flush some entries? Or maybe there is no way it can
> recover from a full conntrack table? Is it maybe necessary to make the maximum
> size a configurable option? Or a userspace conntrack daemon like the arpd?
>From reading the sources I got the impression that the use count of
the ip_conntrack struct isn't decremented properly. This causes
destroy_conntrack() not to free ip_conntrack's - which results allocation
until the maximum (ip_conntrack_max), and failing to allocate new ones.
p.s. Get a popcorn when you're reading netfilter's sources - bumping into
a label like 'i_see_dead_people' is quite amusing...