Hi everyone,
I have a problem with FIX_CONNTRACK.
First, let me give you a quick summary of my installation.
We use Astaro as a Masquerading device for about 20 users and 20 servers. Because of the peculiar way our university's network is set up, we have to masquerade our DMZ as well. So, in order to have our servers accessible from the outside, we make heavy use of DNAT and virtual interfaces.
For the sake of this bug report, let's say that our firewall has IP 10.10.10.1 with a virtual interface 10.10.10.2 whose port 80 is DNATed toward one of our servers.
Whenever we modify a rule in our filters or restart the firewall, for the first few seconds/minutes (varies greatly), connections to 10.10.10.2 port 80 generate the following pair of rules in FIX_CONNTRACK:
LOGDROP 10.10.10.1 80
LOGDROP 10.10.10.1 80
I don't know whether these are generated by pre-existing connections that were cut short by the iptables restart or by attempted connections during iptables config. I am not sure whether this happens with outgoing connections either.
Anyway, the side effect of that is that unfortunately, because we have quite a bit of traffic on this firewall, FIX_CONNTRACK usually ends up with more than 2500 rules, which increases the load to about 10-20 on the firewall depending on traffic, eventually making the console unresponsive.
Flushing FIX_CONNTRACK for a few seconds/minutes until rules stop being added promptly fixes the problem. Anyone at Astaro has an idea of why this happens?
By the way, we use version 3.212
This thread was automatically locked due to age.
