[Acked] [Precise][SRU][PATCH] Fix for LP#1270237
Andy Whitcroft
apw at canonical.com
Mon Feb 10 07:16:08 UTC 2014
On Fri, Feb 07, 2014 at 03:51:19PM -0600, Chris J Arges wrote:
> [Impact]
> When running a server for an extended amount of time the conntrack table can fill up.
> Here is the netfilter discussion: http://www.spinics.net/lists/netfilter-devel/msg26759.html
>
> [Fix]
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6547a221871f139cc56328a38105d47c14874cbe
>
> Present in 3.11 >
>
> [Test Case]
> From the patch:
> When loose tracking is enabled (default), non-syn packets cause
> creation of new conntracks in established state with default timeout for
> established state (5 days). This causes the table to fill up with UNREPLIED
> when the 'new ack' packet happened to be the last-ack of a previous,
> already timed-out connection.
>
>
> Florian Westphal (1):
> netfilter: nf_conntrack: avoid large timeout for mid-stream pickup
>
> net/netfilter/nf_conntrack_proto_tcp.c | 6 ++++++
> 1 file changed, 6 insertions(+)
Looks to be a clean cherry-pick and sounds reasonable.
Acked-by: Andy Whitcroft <apw at canonical.com>
-apw
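
An added example, not part of the thread or of the kernel patch: one way to check a host for the symptom described in the quoted commit message, by scanning conntrack entries for TCP flows that are ESTABLISHED and [UNREPLIED] while still holding a long timeout. The sample lines, the one-hour threshold and the function names are assumptions made for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (documentation-range addresses).
SAMPLE = """\
ipv4     2 tcp      6 431988 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=40112 dport=443 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=443 dport=40112 mark=0 use=2
ipv4     2 tcp      6 431200 ESTABLISHED src=198.51.100.8 dst=192.0.2.10 sport=51544 dport=443 src=192.0.2.10 dst=198.51.100.8 sport=443 dport=51544 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 250 ESTABLISHED src=198.51.100.9 dst=192.0.2.10 sport=33010 dport=22 [UNREPLIED] src=192.0.2.10 dst=198.51.100.9 sport=22 dport=33010 mark=0 use=2
ipv4     2 tcp      6 57 SYN_SENT src=192.0.2.10 dst=203.0.113.5 sport=50000 dport=80 [UNREPLIED] src=203.0.113.5 dst=192.0.2.10 sport=80 dport=50000 mark=0 use=2
ipv4     2 udp      17 25 src=192.0.2.10 dst=203.0.113.53 sport=41000 dport=53 [UNREPLIED] src=203.0.113.53 dst=192.0.2.10 sport=53 dport=41000 mark=0 use=2
"""

# Matches the TCP part of a line, so `conntrack -L` output (no l3 prefix) also parses.
ENTRY = re.compile(
    r"\btcp\s+6\s+(?P<timeout>\d+)\s+(?P<state>[A-Z_0-9]+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"(?P<rest>.*)"
)


def stale_pickups(text, min_timeout=3600):
    """Return ESTABLISHED + [UNREPLIED] TCP entries with at least min_timeout seconds left.

    min_timeout is an assumed threshold; tune it to the host's sysctl timeouts.
    """
    hits = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m or m["state"] != "ESTABLISHED":
            continue
        if "[UNREPLIED]" not in m["rest"]:  # a reply was seen: a real flow
            continue
        timeout = int(m["timeout"])
        if timeout >= min_timeout:
            hits.append({"src": m["src"], "dst": m["dst"],
                         "dport": int(m["dport"]), "timeout": timeout})
    return hits


def by_service(hits):
    """Count suspicious entries per (dst, dport) to show which listener accumulates them."""
    return Counter((h["dst"], h["dport"]) for h in hits)


if __name__ == "__main__":
    # Pass a saved table dump as argv[1]; without one the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for (dst, dport), n in by_service(stale_pickups(text)).most_common():
        print(f"{n:6d} unreplied established -> {dst}:{dport}")
```

A count that keeps growing between runs, with timeouts close to the 5-day established default, matches the table-fill behaviour the commit message describes.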