2.4 kernel stale connections

Ming-Ching Tiew mingching.tiew at redtone.com
Fri Aug 5 08:59:20 CEST 2005

On my Linux 2.4.29 system, under certain conditions, the system
will have a lot of stale connections left behind, which I have
checked using cat ip_conntrack, where is the
client machine, 202.x.y.z is the destination public site, and
a.b.c.d is my firewall public IP :-

tcp      6 20589 ESTABLISHED src= dst=202.x.y.z sport=4660 dport=80 src=202.x.y.z dst=a.b.c.d sport=80 dport=4660 [ASSURED] use=1 mark=5
tcp      6 21184 ESTABLISHED src= dst=202.x.y.z sport=4698 dport=80 src=202.x.y.z dst=a.b.c.d sport=80 dport=4698 [ASSURED] use=1 mark=5

[ many of them ]

But I have checked the src ( ) and dst ( 202.x.y.z ):
there has not been any traffic between them for a long while already.
I even inserted rules to drop connections between them, but the rules
did not pick up any traffic.

My questions are :-

1. Why is this happening? Is it because the client program did not close
    the socket properly? But the client program has been terminated
    for hours already!

2. Why is it that the connections have not expired, since there has not been
     any traffic for hours?

3. Is there a way for me to drop certain connections by hand?

4. I was hoping that the tcp-window-tracking patch would help, but I was not
    able to apply the patch. Before I try to solve the problem of patching, my
    question here is: will the tcp-window-tracking patch help?

