| Message ID | 1460053902-2200-6-git-send-email-mart.frauenlob@chello.at |
|---|---|
| State | Accepted |
| Delegated to: | Pablo Neira |
Applied, thanks.

On Thu, Apr 07, 2016 at 08:31:42PM +0200, Mart Frauenlob wrote:
>
> Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
> ---
> conntrack.8 | 17 +++++++++++++++++
> 1 files changed, 17 insertions(+), 0 deletions(-)
>
> diff --git a/conntrack.8 b/conntrack.8
> index e54951a..dfde9f0 100644
> --- a/conntrack.8
> +++ b/conntrack.8
> @@ -48,6 +48,23 @@ mechanism used to "expect" RELATED connections to existing ones. Expectations
> are generally used by "connection tracking helpers" (sometimes called
> application level gateways [ALGs]) for more complex protocols such as FTP,
> SIP, H.323.
> +.TP
> +.BR "dying" :
> +This table shows the conntrack entries, that have expired and that have been
> +destroyed by the connection tracking system itself, or via the conntrack utility.
> +.TP
> +.BR "unconfirmed" :
> +This table shows new entries, that are not yet inserted into the conntrack table.
> +These entries are attached to packets that are traversing the stack,
> +but did not reach the confirmation point at the postrouting hook.
> +.PP
> +The tables "dying" and "unconfirmed" are basically only useful for debugging purposes.
> +Under normal operation, it is hard to see entries in any of them.
> +There are corner cases, where it is valid to see entries in the
> +unconfirmed table:
> +1) when packets that are enqueued via nfqueue, or
> +2) when conntrackd runs in event reliable mode.
> +.PP
> .SH OPTIONS
> The options recognized by
> .B conntrack
> --
> 1.7.2.5
On Fri, Apr 08, 2016 at 12:19:21PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 07, 2016 at 08:31:42PM +0200, Mart Frauenlob wrote:
> > +.PP
> > +The tables "dying" and "unconfirmed" are basically only useful for debugging purposes.
> > +Under normal operation, it is hard to see entries in any of them.
> > +There are corner cases, where it is valid to see entries in the
> > +unconfirmed table:
> > +1) when packets that are enqueued via nfqueue, or
> > +2) when conntrackd runs in event reliable mode.

BTW, I have reworded this:

"The tables "dying" and "unconfirmed" are basically only useful for debugging purposes. Under normal operation, it is hard to see entries in any of them. There are corner cases, where it is valid to see entries in the unconfirmed table, eg. when packets that are enqueued via nfqueue, and the dying table, eg. when conntrackd runs in event reliable mode."

Actually, you can see entries in the dying table when conntrackd reliable event mode is on, instead of the unconfirmed table. Sorry about that.
diff --git a/conntrack.8 b/conntrack.8 index e54951a..dfde9f0 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -48,6 +48,23 @@ mechanism used to "expect" RELATED connections to existing ones. Expectations are generally used by "connection tracking helpers" (sometimes called application level gateways [ALGs]) for more complex protocols such as FTP, SIP, H.323. +.TP +.BR "dying" : +This table shows the conntrack entries, that have expired and that have been +destroyed by the connection tracking system itself, or via the conntrack utility. +.TP +.BR "unconfirmed" : +This table shows new entries, that are not yet inserted into the conntrack table. +These entries are attached to packets that are traversing the stack, +but did not reach the confirmation point at the postrouting hook. +.PP +The tables "dying" and "unconfirmed" are basically only useful for debugging purposes. +Under normal operation, it is hard to see entries in any of them. +There are corner cases, where it is valid to see entries in the +unconfirmed table: +1) when packets that are enqueued via nfqueue, or +2) when conntrackd runs in event reliable mode. +.PP .SH OPTIONS The options recognized by .B conntrack
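Review bot: the closing list of the hunk ("There are corner cases, where it is valid to see entries in the unconfirmed table: 1) ... 2) when conntrackd runs in event reliable mode") files both cases under the unconfirmed table, but case 2) belongs to the dying table, as the maintainer's follow-up in this thread confirms; only the nfqueue case applies to unconfirmed. Suggest the split wording applied on commit: "valid to see entries in the unconfirmed table, e.g. when packets are enqueued via nfqueue, and in the dying table, e.g. when conntrackd runs in event reliable mode." Two smaller points in the same hunk: "1) when packets that are enqueued via nfqueue" does not parse (drop "that"), and the commas in "the conntrack entries, that have expired" and "new entries, that are not yet inserted" introduce restrictive clauses and should go. The sentence "Under normal operation, it is hard to see entries in any of them" is worth keeping as is: it tells an operator that a populated dying or unconfirmed listing is an anomaly worth investigating rather than expected noise.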
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
---
conntrack.8 | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)