Have you looked at /proc/net/nf_conntrack ?<div><br></div><div>Sean<br><br><div class="gmail_quote">On Wed, Jan 11, 2012 at 1:50 PM, John Lange <span dir="ltr"><<a href="mailto:john@johnlange.ca">john@johnlange.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm hoping someone can suggest a fix for this.<br>
<br>
We moved some applications over to a new server which still had the<br>
default firewall rules in place which included a rate limiting "drop"<br>
rule that looks like this:<br>
<br>
iptables -A input_ext -m limit --limit 3/min -m conntrack --ctstate<br>
NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options<br>
--log-ip-options<br>
<br>
In short, limit to 3 new connections per minute.<br>
<br>
It turns out this was way too short for our application and so I just<br>
removed all firewall rules by stopping the firewall (this is on<br>
OpenSUSE).<br>
<br>
The last firewall log message indicates that a packet was being<br>
dropped to a specific IP due to a rate limit but now the server will<br>
not send packets to that IP at all! tcpdump shows that the packets are<br>
not even attempting to leave the interface.<br>
<br>
It seems like netfilter blocked the IP on the rate limit rule and now<br>
it's "stuck".<br>
<br>
I tried specifically allowing that IP and even recreated the limit<br>
rule thinking that would "reactivate" the chain but it doesn't work.<br>
<br>
My guess is that a reboot would fix it but the server is in production<br>
and cannot be rebooted without a scheduled outage.<br>
<br>
The only other thing I can think of is to reload all of the netfilter<br>
kernel modules but again that is too risky on a production system.<br>
<br>
Any other ideas on how to clear the filter?<br>
<br>
Is there a command to display the current status of what netfilter is<br>
tracking and dropping?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
John Lange<br>
_______________________________________________<br>
Roundtable mailing list<br>
<a href="mailto:Roundtable@muug.mb.ca">Roundtable@muug.mb.ca</a><br>
<a href="http://www.muug.mb.ca/mailman/listinfo/roundtable" target="_blank">http://www.muug.mb.ca/mailman/listinfo/roundtable</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Sean Walberg <<a href="mailto:sean@ertw.com" target="_blank">sean@ertw.com</a>> <a href="http://ertw.com/" target="_blank">http://ertw.com/</a><br>
</div>
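As an added example (not part of either message in the thread), here is a small POSIX shell helper for the kind of check Sean suggests: read the /proc/net/nf_conntrack table and list the tracked flows whose original-direction destination is the peer that stopped getting packets. The table lines are constructed samples in the format the kernel uses; the IP addresses, ports and the helper names (ct_entries_to_ip, ct_count_to_ip, ct_count_unreplied_to_ip) are this example's own assumptions. On a live host, call the functions with no file argument (or with the real path) as root.

```shell
#!/bin/sh
# Added example, not from the thread: inspect conntrack entries for one peer IP.
# Constructed sample lines in the format /proc/net/nf_conntrack prints. On a
# real host pass no file (defaults to /proc/net/nf_conntrack; needs root and
# the nf_conntrack module loaded).
SAMPLE_CT="$(mktemp)"
trap 'rm -f "$SAMPLE_CT"' EXIT
cat > "$SAMPLE_CT" <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=45678 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=45678 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 110 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=45679 dport=443 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=443 dport=45679 mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.10 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=5353 mark=0 use=1
EOF

# Print every tracked flow whose original-direction destination is $2.
# $1 is the conntrack table file (default /proc/net/nf_conntrack).
# Each line carries two tuples: the first dst= is the original direction,
# the second is the reply direction, so only the first dst= is compared.
ct_entries_to_ip() {
  awk -v ip="$2" '
    {
      for (i = 1; i <= NF; i++) {
        if (substr($i, 1, 4) == "dst=") {
          if ($i == "dst=" ip) print
          break
        }
      }
    }' "${1:-/proc/net/nf_conntrack}"
}

# Number of tracked flows to the IP.
ct_count_to_ip() {
  ct_entries_to_ip "$1" "$2" | wc -l | tr -d ' '
}

# Number of those flows still waiting for a reply (SYN sent, nothing back).
# A growing pile of these while the application keeps retrying is what the
# symptom in the thread looks like from the conntrack side.
ct_count_unreplied_to_ip() {
  ct_entries_to_ip "$1" "$2" | grep -c 'UNREPLIED' || true
}

# Stand-alone run against the constructed sample:
echo "flows to 198.51.100.5: $(ct_count_to_ip "$SAMPLE_CT" 198.51.100.5)"
echo "unreplied:             $(ct_count_unreplied_to_ip "$SAMPLE_CT" 198.51.100.5)"
```

Reading the table only shows what is tracked; it does not remove anything. If stale entries for the peer are the problem, the conntrack userspace tool from conntrack-tools can delete them by destination (conntrack -D -d ADDRESS), which avoids both a reboot and unloading kernel modules; this assumes conntrack-tools is installed, which the thread does not mention.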