Thanks Patrick, a very satisfying answer!

Alex

----- Original Message -----
From: "Patrick Schaaf" <[EMAIL PROTECTED]>
To: "Alex" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, February 25, 2002 2:00 PM
Subject: Re: conntrack table not cleared..
> > been to. What seems to make no sense is that I see this
> >
> > > > 192.168.0.2,1134 207.46.226.25,80 tcp ESTABLISHED 59:1:51
> >
> > when the box 192.168.0.2 is down and has been down for hours. Why would
> > netfilter still see this connection as ESTABLISHED?
>
> In this situation, the client box never sends a packet again. And, if the
> server has no data to send, it also does not need to send any packet.
> Alternatively, that server has gone down, too, and forgotten about your
> client connection. Then, it also won't send any packet.
>
> So, in total, conntracking sees no packet. There is no way to guess
> that one or both sides died. Thus, the normal expire timeout for
> ESTABLISHED connections, which is some days, applies.
>
> It has been discussed numerous times here that this behaviour is
> unwanted for some situations, and critical for others (where long-running
> TCP connections without traffic are the norm). To meet both situations
> somewhere in the middle, the iptables timeouts were chosen the way
> they are now. As this is a compromise, it cannot be the "right thing"
> for most situations. But there is no way it can be improved in a
> generic manner without pissing off part of the "population".
>
> Hope this explains things to you sufficiently.
>
> best regards
> Patrick
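As an added illustration (not part of the thread), the following Python parses a listing in the format quoted above and flags ESTABLISHED TCP entries that have seen no traffic for longer than a chosen threshold. It assumes the last column is the remaining time before expiry as hours:minutes:seconds, and a 5-day established timeout, the Linux default for net.netfilter.nf_conntrack_tcp_timeout_established.

```python
import re
from dataclasses import dataclass

# Assumed layout of the listing quoted in the thread (not the raw
# /proc/net/ip_conntrack format); last field read as h:m:s until expiry.
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+),(?P<sport>\d+)\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"(?P<proto>[a-z]+)\s+(?P<state>[A-Z_]+)\s+(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)$"
)
# Assumed expiry for ESTABLISHED TCP entries: 5 days (432000 s), the Linux
# default of net.netfilter.nf_conntrack_tcp_timeout_established.
TCP_ESTABLISHED_TIMEOUT = 5 * 24 * 3600

@dataclass
class Entry:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: str
    remaining: int  # seconds until conntrack drops the entry

    @property
    def idle(self) -> int:
        # Every packet resets the timer, so elapsed time == silence time.
        return TCP_ESTABLISHED_TIMEOUT - self.remaining

def parse_listing(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blanks, unrecognised lines
        left = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        entries.append(Entry(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                             m["proto"], m["state"], left))
    return entries

def silent_established(entries: list[Entry], idle_threshold: int) -> list[Entry]:
    """ESTABLISHED TCP entries with no packet seen for idle_threshold seconds."""
    return [e for e in entries if e.proto == "tcp" and e.state == "ESTABLISHED"
            and e.idle >= idle_threshold]

# Constructed sample: the entry from the thread plus two fresh flows.
SAMPLE = """\
192.168.0.2,1134 207.46.226.25,80 tcp ESTABLISHED 59:1:51
192.168.0.3,2201 10.0.0.5,22 tcp ESTABLISHED 119:58:30
192.168.0.4,4321 10.0.0.9,53 udp UNREPLIED 0:0:25
"""
```

Entries flagged this way are the ones holding a conntrack slot without traffic; the threshold has to stay above the idle time of legitimate long-lived flows, which is exactly the trade-off the reply describes.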
