On Sun, May 04, 2008 at 01:51:22PM +0200, Manuel Bouyer wrote:
> Hi,
> I upgraded my home router to yesterday's current, and since then I have
> troubles with ipnat: it seems to keep states for a lot of connections
> which have been closed by either the application or the server,
> while it closes TCP connection which are still active (e.g. an imaps
> session initiated from mutt). FWIW, this is on a sparc (so big-endian)
> machine.
>
> Attached is the output of ipnat -lv on this box.
> Notice that there's a lot of TCP map to remote host port 80 which have been
> closed from the host or server side (a netstat on the nated host confirmes
> this). These have a long TTL.
> On the other hand, my connection to 132.227.86.2 port 993 (the first entry in
> the output below) has a ttl of only 465. This is the connection which is
> dropped by the NAT box quite fast, while mutt had the connection to the
> server still open.
I upgraded this router to a newer current, with ipf v4.1.29. Things have
changed in the way that now, all ipnat entries have a very low ttl
(< 500). The effect is that all TCP connections are dropped quite fast.
This is quite annoying for e.g. ssh connections, which are not always
busy.
On the other hand, properly closing a connection (e.g. loggout of
a ssh connection) doesn't remove the NAT entry in ipnat -l, even though
a proper TCP close sequence was exanged between client and server.
So setting a high timeout in ipnat.conf may not be an option, as
things like web browsers could cause the ipnat table to fill up quite
fast.
My ipnat.conf:
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 proxy port ftp ftp/tcp mssclamp 1452
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 portmap tcp/udp 10000:40000 age 900
mssclamp 1452
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 mssclamp 1452
I added the 'age' entry to mitigate the effect of the expired TCP entries.
Attached is the output of ipnat -lv on this box
Should I send-pr this ?