Current-Users archive


Re: troubles with ipnat TCP entries



On Sun, May 04, 2008 at 01:51:22PM +0200, Manuel Bouyer wrote:
> Hi,
> I upgraded my home router to yesterday's current, and since then I have
> troubles with ipnat: it seems to keep states for a lot of connections
> which have been closed by either the application or the server,
> while it closes TCP connection which are still active (e.g. an imaps
> session initiated from mutt). FWIW, this is on a sparc (so big-endian)
> machine.
> 
> Attached is the output of ipnat -lv on this box.
> Notice that there's a lot of TCP map to remote host port 80 which have been
> closed from the host or server side (a netstat on the NATed host confirms
> this). These have a long TTL.
> On the other hand, my connection to 132.227.86.2 port 993 (the first entry in
> the output below) has a ttl of only 465. This is the connection which is
> dropped by the NAT box quite fast, while mutt had the connection to the
> server still open.

I upgraded this router to a newer current, with ipf v4.1.29. Things have
changed in the way that now, all ipnat entries have a very low ttl
(< 500). The effect is that all TCP connections are dropped quite fast.
This is quite annoying for e.g. ssh connections, which are not always
busy.
On the other hand, properly closing a connection (e.g. logout of
an ssh connection) doesn't remove the NAT entry in ipnat -l, even though
a proper TCP close sequence was exchanged between client and server.
So setting a high timeout in ipnat.conf may not be an option, as
things like web browsers could cause the ipnat table to fill up quite
fast.

My ipnat.conf:
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 proxy port ftp ftp/tcp mssclamp 1452
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 portmap tcp/udp 10000:40000 age 900 mssclamp 1452
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 mssclamp 1452

I added the 'age' entry to mitigate the effect of the expired TCP entries.
Attached is the output of ipnat -lv on this box

Should I send-pr this?

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--
List of active MAP/Redirect filters:
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 proxy port ftp ftp/tcp mssclamp 1452
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 portmap tcp/udp 10000:40000 age 900/900 mssclamp 1452
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 mssclamp 1452

List of active sessions:
MAP 10.0.1.1        55050 <- -> 62.212.96.44    10057 [132.227.74.2 80]
        ttl 1575 use 0 sumd 0xe43d/0xe43d pr 6 bkt 111/210 flags 1
        ifp X,X bytes 846/691 pkts 4/5 ipsumd 93ff
MAP 10.0.1.1        55052 <- -> 62.212.96.44    10056 [132.227.74.2 80]
        ttl 1574 use 0 sumd 0xe43a/0xe43a pr 6 bkt 113/209 flags 1
        ifp X,X bytes 2409/911 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55054 <- -> 62.212.96.44    10055 [132.227.74.2 80]
        ttl 1574 use 0 sumd 0xe437/0xe437 pr 6 bkt 115/208 flags 1
        ifp X,X bytes 1135/911 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55055 <- -> 62.212.96.44    10054 [132.227.74.2 80]
        ttl 1574 use 0 sumd 0xe435/0xe435 pr 6 bkt 116/207 flags 1
        ifp X,X bytes 1011/911 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55058 <- -> 62.212.96.44    10053 [132.227.74.2 80]
        ttl 1574 use 0 sumd 0xe431/0xe431 pr 6 bkt 119/206 flags 1
        ifp X,X bytes 2150/914 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55059 <- -> 62.212.96.44    10052 [132.227.74.2 80]
        ttl 1574 use 0 sumd 0xe42f/0xe42f pr 6 bkt 120/205 flags 1
        ifp X,X bytes 2558/912 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55060 <- -> 62.212.96.44    10051 [132.227.74.2 80]
        ttl 1574 use 0 sumd 0xe42d/0xe42d pr 6 bkt 121/204 flags 1
        ifp X,X bytes 1893/913 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55064 <- -> 62.212.96.44    10050 [132.227.74.2 80]
        ttl 1573 use 0 sumd 0xe428/0xe428 pr 6 bkt 125/203 flags 1
        ifp X,X bytes 2001/913 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55066 <- -> 62.212.96.44    10049 [132.227.74.2 80]
        ttl 1573 use 0 sumd 0xe425/0xe425 pr 6 bkt 127/202 flags 1
        ifp X,X bytes 2338/916 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55067 <- -> 62.212.96.44    10048 [132.227.74.2 80]
        ttl 1573 use 0 sumd 0xe423/0xe423 pr 6 bkt 128/201 flags 1
        ifp X,X bytes 2471/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55068 <- -> 62.212.96.44    10047 [132.227.74.2 80]
        ttl 1573 use 0 sumd 0xe421/0xe421 pr 6 bkt 129/200 flags 1
        ifp X,X bytes 2284/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55069 <- -> 62.212.96.44    10046 [132.227.74.2 80]
        ttl 1573 use 0 sumd 0xe41f/0xe41f pr 6 bkt 130/199 flags 1
        ifp X,X bytes 1809/914 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55070 <- -> 62.212.96.44    10045 [132.227.74.2 80]
        ttl 1573 use 0 sumd 0xe41d/0xe41d pr 6 bkt 131/198 flags 1
        ifp X,X bytes 2184/912 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55071 <- -> 62.212.96.44    10044 [132.227.74.2 80]
        ttl 1573 use 0 sumd 0xe41b/0xe41b pr 6 bkt 132/197 flags 1
        ifp X,X bytes 1835/914 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55072 <- -> 62.212.96.44    10043 [132.227.74.2 80]
        ttl 1573 use 0 sumd 0xe419/0xe419 pr 6 bkt 133/196 flags 1
        ifp X,X bytes 2084/914 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55073 <- -> 62.212.96.44    10042 [132.227.74.2 80]
        ttl 1572 use 0 sumd 0xe417/0xe417 pr 6 bkt 134/195 flags 1
        ifp X,X bytes 3268/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55082 <- -> 62.212.96.44    10041 [132.227.74.2 80]
        ttl 1571 use 0 sumd 0xe40d/0xe40d pr 6 bkt 143/194 flags 1
        ifp X,X bytes 5310/984 pkts 8/7 ipsumd 93ff
MAP 10.0.1.1        55160 <- -> 62.212.96.44    10040 [132.227.74.2 80]
        ttl 971 use 0 sumd 0xe3be/0xe3be pr 6 bkt 221/193 flags 1
        ifp X,X bytes 846/691 pkts 4/5 ipsumd 93ff
MAP 10.0.1.1        55162 <- -> 62.212.96.44    10039 [132.227.74.2 80]
        ttl 970 use 0 sumd 0xe3bb/0xe3bb pr 6 bkt 223/192 flags 1
        ifp X,X bytes 1011/911 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55163 <- -> 62.212.96.44    10038 [132.227.74.2 80]
        ttl 970 use 0 sumd 0xe3b9/0xe3b9 pr 6 bkt 224/191 flags 1
        ifp X,X bytes 2409/911 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55166 <- -> 62.212.96.44    10037 [132.227.74.2 80]
        ttl 970 use 0 sumd 0xe3b5/0xe3b5 pr 6 bkt 227/190 flags 1
        ifp X,X bytes 2142/914 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55167 <- -> 62.212.96.44    10036 [132.227.74.2 80]
        ttl 970 use 0 sumd 0xe3b3/0xe3b3 pr 6 bkt 228/189 flags 1
        ifp X,X bytes 1135/911 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55170 <- -> 62.212.96.44    10035 [132.227.74.2 80]
        ttl 970 use 0 sumd 0xe3af/0xe3af pr 6 bkt 231/188 flags 1
        ifp X,X bytes 1899/913 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55172 <- -> 62.212.96.44    10034 [132.227.74.2 80]
        ttl 970 use 0 sumd 0xe3ac/0xe3ac pr 6 bkt 233/187 flags 1
        ifp X,X bytes 2588/912 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55174 <- -> 62.212.96.44    10033 [132.227.74.2 80]
        ttl 970 use 0 sumd 0xe3a9/0xe3a9 pr 6 bkt 235/186 flags 1
        ifp X,X bytes 2097/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55176 <- -> 62.212.96.44    10032 [132.227.74.2 80]
        ttl 969 use 0 sumd 0xe3a6/0xe3a6 pr 6 bkt 237/185 flags 1
        ifp X,X bytes 2368/916 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55177 <- -> 62.212.96.44    10031 [132.227.74.2 80]
        ttl 969 use 0 sumd 0xe3a4/0xe3a4 pr 6 bkt 238/184 flags 1
        ifp X,X bytes 2511/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55178 <- -> 62.212.96.44    10030 [132.227.74.2 80]
        ttl 969 use 0 sumd 0xe3a2/0xe3a2 pr 6 bkt 239/183 flags 1
        ifp X,X bytes 2346/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55179 <- -> 62.212.96.44    10029 [132.227.74.2 80]
        ttl 969 use 0 sumd 0xe3a0/0xe3a0 pr 6 bkt 240/182 flags 1
        ifp X,X bytes 1829/914 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55180 <- -> 62.212.96.44    10028 [132.227.74.2 80]
        ttl 969 use 0 sumd 0xe39e/0xe39e pr 6 bkt 241/181 flags 1
        ifp X,X bytes 2219/912 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55181 <- -> 62.212.96.44    10027 [132.227.74.2 80]
        ttl 969 use 0 sumd 0xe39c/0xe39c pr 6 bkt 242/180 flags 1
        ifp X,X bytes 1852/914 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55182 <- -> 62.212.96.44    10026 [132.227.74.2 80]
        ttl 969 use 0 sumd 0xe39a/0xe39a pr 6 bkt 243/179 flags 1
        ifp X,X bytes 2119/914 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55183 <- -> 62.212.96.44    10025 [132.227.74.2 80]
        ttl 968 use 0 sumd 0xe398/0xe398 pr 6 bkt 244/178 flags 1
        ifp X,X bytes 3267/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55192 <- -> 62.212.96.44    10024 [132.227.74.2 80]
        ttl 967 use 0 sumd 0xe38e/0xe38e pr 6 bkt 253/177 flags 1
        ifp X,X bytes 5310/984 pkts 8/7 ipsumd 93ff
MAP 10.0.1.1        55270 <- -> 62.212.96.44    10023 [132.227.74.11 993]
        ttl 405 use 0 sumd 0xe33f/0xe33f pr 6 bkt 1253/1098 flags 1
        ifp X,X bytes 3835/2342 pkts 12/16 ipsumd 93ff
MAP 10.0.1.1        55271 <- -> 62.212.96.44    10022 [132.227.74.2 80]
        ttl 368 use 0 sumd 0xe33d/0xe33d pr 6 bkt 332/175 flags 1
        ifp X,X bytes 846/691 pkts 4/5 ipsumd 93ff
MAP 10.0.1.1        55273 <- -> 62.212.96.44    10021 [132.227.74.2 80]
        ttl 367 use 0 sumd 0xe33a/0xe33a pr 6 bkt 334/174 flags 1
        ifp X,X bytes 2409/911 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55275 <- -> 62.212.96.44    10020 [132.227.74.2 80]
        ttl 367 use 0 sumd 0xe337/0xe337 pr 6 bkt 336/173 flags 1
        ifp X,X bytes 1011/911 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55277 <- -> 62.212.96.44    10019 [132.227.74.2 80]
        ttl 367 use 0 sumd 0xe334/0xe334 pr 6 bkt 338/172 flags 1
        ifp X,X bytes 1135/911 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55278 <- -> 62.212.96.44    10018 [132.227.74.2 80]
        ttl 367 use 0 sumd 0xe332/0xe332 pr 6 bkt 339/171 flags 1
        ifp X,X bytes 1912/913 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55279 <- -> 62.212.96.44    10017 [132.227.74.2 80]
        ttl 367 use 0 sumd 0xe330/0xe330 pr 6 bkt 340/170 flags 1
        ifp X,X bytes 2164/914 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55283 <- -> 62.212.96.44    10016 [132.227.74.2 80]
        ttl 367 use 0 sumd 0xe32b/0xe32b pr 6 bkt 344/169 flags 1
        ifp X,X bytes 2545/912 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55285 <- -> 62.212.96.44    10015 [132.227.74.2 80]
        ttl 366 use 0 sumd 0xe328/0xe328 pr 6 bkt 346/168 flags 1
        ifp X,X bytes 2068/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55287 <- -> 62.212.96.44    10014 [132.227.74.2 80]
        ttl 366 use 0 sumd 0xe325/0xe325 pr 6 bkt 348/167 flags 1
        ifp X,X bytes 2382/916 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55288 <- -> 62.212.96.44    10013 [132.227.74.2 80]
        ttl 366 use 0 sumd 0xe323/0xe323 pr 6 bkt 349/166 flags 1
        ifp X,X bytes 2484/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55289 <- -> 62.212.96.44    10012 [132.227.74.2 80]
        ttl 366 use 0 sumd 0xe321/0xe321 pr 6 bkt 350/165 flags 1
        ifp X,X bytes 2292/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55290 <- -> 62.212.96.44    10011 [132.227.74.2 80]
        ttl 366 use 0 sumd 0xe31f/0xe31f pr 6 bkt 351/164 flags 1
        ifp X,X bytes 1819/914 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55291 <- -> 62.212.96.44    10010 [132.227.74.2 80]
        ttl 366 use 0 sumd 0xe31d/0xe31d pr 6 bkt 352/163 flags 1
        ifp X,X bytes 2186/912 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55292 <- -> 62.212.96.44    10009 [132.227.74.2 80]
        ttl 366 use 0 sumd 0xe31b/0xe31b pr 6 bkt 353/162 flags 1
        ifp X,X bytes 1854/914 pkts 5/6 ipsumd 93ff
MAP 10.0.1.1        55293 <- -> 62.212.96.44    10008 [132.227.74.2 80]
        ttl 366 use 0 sumd 0xe319/0xe319 pr 6 bkt 354/161 flags 1
        ifp X,X bytes 2113/914 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55294 <- -> 62.212.96.44    10007 [132.227.74.2 80]
        ttl 365 use 0 sumd 0xe317/0xe317 pr 6 bkt 355/160 flags 1
        ifp X,X bytes 3264/913 pkts 6/6 ipsumd 93ff
MAP 10.0.1.1        55303 <- -> 62.212.96.44    10006 [132.227.74.2 80]
        ttl 364 use 0 sumd 0xe30d/0xe30d pr 6 bkt 364/159 flags 1
        ifp X,X bytes 5310/984 pkts 8/7 ipsumd 93ff
MAP 10.0.1.1        55307 <- -> 62.212.96.44    10005 [132.227.86.2 993]
        ttl 359 use 0 sumd 0xe308/0xe308 pr 6 bkt 260/50 flags 1
        ifp X,X bytes 3379/2198 pkts 11/16 ipsumd 93ff
MAP 10.0.1.1        55308 <- -> 62.212.96.44    10004 [132.227.74.11 993]
        ttl 358 use 0 sumd 0xe306/0xe306 pr 6 bkt 1291/1079 flags 1
        ifp X,X bytes 2303/1351 pkts 12/13 ipsumd 93ff
MAP 10.0.1.1        55311 <- -> 62.212.96.44    10003 [132.227.86.253 22]
        ttl 296 use 0 sumd 0xe302/0xe302 pr 6 bkt 1591/1375 flags 1
        ifp X,X bytes 10368/7321 pkts 67/69 ipsumd 93ff
MAP 10.0.1.1        56052 <- -> 62.212.96.44    10002 [132.227.86.253 22]
        ttl 242 use 0 sumd 0xe01c/0xe01c pr 6 bkt 285/1374 flags 1
        ifp X,X bytes 40/100 pkts 1/1 ipsumd 93ff
MAP 10.0.1.1        55326 <- -> 62.212.96.44    10001 [132.227.86.253 22]
        ttl 234 use 0 sumd 0xe2f1/0xe2f1 pr 6 bkt 1606/1373 flags 1
        ifp X,X bytes 9204/7545 pkts 60/69 ipsumd 93ff
MAP 10.0.1.1        55329 <- -> 62.212.96.44    10000 [132.227.74.11 993]
        ttl 156 use 0 sumd 0xe2ed/0xe2ed pr 6 bkt 1312/1075 flags 1
        ifp X,X bytes 220/220 pkts 4/4 ipsumd 93ff
MAP 10.0.1.1        56054 <- -> 62.212.96.44    10000 [132.227.86.254 22]
        ttl 458 use 0 sumd 0xe018/0xe018 pr 6 bkt 288/1373 flags 1
        ifp X,X bytes 13123416/529437 pkts 10021/5802 ipsumd 93ff

List of active host mappings:
10.0.1.1,132.227.74.2 -> 62.212.96.44 (use = 52 hv = 0)
10.0.1.1,132.227.86.2 -> 62.212.96.44 (use = 2 hv = 0)
10.0.1.1,132.227.86.253 -> 62.212.96.44 (use = 4 hv = 0)
10.0.1.1,132.227.74.11 -> 62.212.96.44 (use = 4 hv = 0)
10.0.1.1,132.227.86.254 -> 62.212.96.44 (use = 2 hv = 0)
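A small parser for the session records in the ipnat -lv listing above, added here as an illustration and not code from the post or from IPFilter; it assumes the three-line MAP/ttl/ifp record layout shown and works on a constructed excerpt of that listing. It summarises ttl per remote port and flags busy sessions whose ttl is already low, which is the inverted ageing the post describes (idle, already-closed port 80 entries outliving active ssh/imaps sessions).

```python
import re
from collections import defaultdict

# Constructed excerpt in the session format ipnat -lv prints (not the post's
# full attachment): one short HTTP exchange plus two long-lived sessions.
SAMPLE = """\
MAP 10.0.1.1        55050 <- -> 62.212.96.44    10057 [132.227.74.2 80]
        ttl 1575 use 0 sumd 0xe43d/0xe43d pr 6 bkt 111/210 flags 1
        ifp X,X bytes 846/691 pkts 4/5 ipsumd 93ff
MAP 10.0.1.1        55307 <- -> 62.212.96.44    10005 [132.227.86.2 993]
        ttl 359 use 0 sumd 0xe308/0xe308 pr 6 bkt 260/50 flags 1
        ifp X,X bytes 3379/2198 pkts 11/16 ipsumd 93ff
MAP 10.0.1.1        56054 <- -> 62.212.96.44    10000 [132.227.86.254 22]
        ttl 458 use 0 sumd 0xe018/0xe018 pr 6 bkt 288/1373 flags 1
        ifp X,X bytes 13123416/529437 pkts 10021/5802 ipsumd 93ff
"""

MAP_RE = re.compile(r"^MAP\s+(\S+)\s+(\d+)\s+<- ->\s+(\S+)\s+(\d+)\s+\[(\S+)\s+(\d+)\]")
TTL_RE = re.compile(r"^\s+ttl\s+(\d+)\s+use\s+(\d+)\b.*\bpr\s+(\d+)\b")
PKT_RE = re.compile(r"^\s+ifp\b.*\bbytes\s+(\d+)/(\d+)\s+pkts\s+(\d+)/(\d+)")

def parse_sessions(text):
    """Return one dict per MAP entry (3-line records) from ipnat -lv output."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := MAP_RE.match(line):
            cur = {"src": m[1], "sport": int(m[2]), "nat": m[3], "nport": int(m[4]),
                   "dst": m[5], "dport": int(m[6])}
            sessions.append(cur)
        elif cur and (m := TTL_RE.match(line)):
            cur.update(ttl=int(m[1]), use=int(m[2]), proto=int(m[3]))
        elif cur and (m := PKT_RE.match(line)):
            cur.update(pkts_out=int(m[3]), pkts_in=int(m[4]))
    return sessions

def ttl_by_port(sessions, proto=6):
    """Per remote port: (entries, min ttl, max ttl); here port 80 ages slower than 22/993."""
    ttls = defaultdict(list)
    for s in sessions:
        if s.get("proto") == proto and "ttl" in s:
            ttls[s["dport"]].append(s["ttl"])
    return {p: (len(v), min(v), max(v)) for p, v in ttls.items()}

def at_risk(sessions, low_ttl=500, min_pkts=20):
    """Busy sessions (many packets) whose ttl is already low: the ones NAT will drop first."""
    return [s for s in sessions if s.get("ttl", low_ttl) < low_ttl
            and s.get("pkts_out", 0) + s.get("pkts_in", 0) >= min_pkts]
```

Feed it the real listing (`parse_sessions(open("ipnat.txt").read())`) and compare `ttl_by_port` against the `age` value in ipnat.conf to see which entries are being timed out early.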

