lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAN2Y7hzOXtVGh1d84afxOWv-EcLLUCn+FmH4Yr1OHFBmFVZR4Q@mail.gmail.com>
Date: Wed, 28 May 2025 21:55:17 +0800
From: ying chen <yc1082463@...il.com>
To: Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>
Cc: Florian Westphal <fw@...len.de>, pablo@...filter.org, kadlec@...filter.org, 
	davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, 
	netfilter-devel@...r.kernel.org, coreteam@...filter.org, 
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [bug report, linux 6.15-rc4] A large number of connections in the
 SYN_SENT state caused the nf_conntrack table to be full.

On Wed, May 28, 2025 at 9:41 PM Jozsef Kadlecsik
<kadlec@...ckhole.kfki.hu> wrote:
>
> On Wed, 28 May 2025, ying chen wrote:
>
> > On Wed, May 28, 2025 at 9:10 PM Florian Westphal <fw@...len.de> wrote:
> >>
> >> ying chen <yc1082463@...il.com> wrote:
> >>> Hello all,
> >>>
> >>> I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4.
> >>> Running cat /proc/net/nf_conntrack showed a large number of
> >>> connections in the SYN_SENT state.
> >>> As is well known, if we attempt to connect to a non-existent port, the
> >>> system will respond with an RST and then delete the conntrack entry.
> >>> However, when we frequently connect to non-existent ports, the
> >>> conntrack entries are not deleted, eventually causing the nf_conntrack
> >>> table to fill up.
> >>
> >> Yes, what do you expect to happen?
> > I understand that the conntrack entry should be deleted immediately
> > after receiving the RST reply.
>
> No, the conntrack entry will be in the CLOSE state with the timeout value
> of /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close
>
> Best regards,
> Jozsef
The conntrack entry does not transition to the CLOSE state and remains
in the SYN_SENT state until the nf_conntrack_tcp_timeout_syn_sent
timeout is reached.
According to the code, the conntrack  entry should be deleted
immediately after the RST reply.
int nf_conntrack_tcp_packet(struct nf_conn *ct,
                            struct sk_buff *skb,
                            unsigned int dataoff,
                            enum ip_conntrack_info ctinfo,
                            const struct nf_hook_state *state)
{
        ......
        if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
                /* If only reply is a RST, we can consider ourselves not to
                   have an established connection: this is a fairly common
                   problem case, so we can delete the conntrack
                   immediately.  --RR */
                if (th->rst) {
                        nf_ct_kill_acct(ct, ctinfo, skb);
                        return NF_ACCEPT;
                }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ