In the end not even service network restart did the trick we restarted the whole server and from then on the packets would begin to arrive at the container. Also if I checked /proc/net/ip_conntrack I could see the connection from my customer with and not being forwarded to the container, meanwhile my connections would show up properly, but I could also see that the connection on ip_conntrack was not ever closed - before the timeout new packets arrived which would refresh it. On syslog, my customer traffic showed as IN=eth0 OUT=, while new connections I made to that port showed directly in the FORWARD log with IN=eth0 OUT=docker1. Then I added two iptables rules to log the UDP inbound packets: one just at the beginning of the INPUT chain, and one at the beginning of the FORWARD chain. Here for example is what one of my system looks like. Although I can’t comprehend why as default values should be ok, (game feels like I don’t have fiber) when I set it to a low value, boom instant reg. Once you setup rules then you can use a tool like conntrack to look at the netfilter state table. 1 For gaming, I realized that changing the UDP : UNREPLIED to a super low number like 1-10 made my bullet reg INSANE. ![]() This will force netfilter to track state related to UDP. The entry tells us that the connection has not seen any traffic in both directions, will be replaced by the ASSURED flag, to be found close to the end of the entry. One method you could use is simply setup some simple netfilter rules that use the -state option. I could see with tcpdump the packets reaching the host, but a tcpdump inside the container showed nothing. When a connection has seen traffic in both directions, the conntrack entry will erase the UNREPLIED flag, and then reset it. However from then on, only new connections to this port reached the same internal port in the container, but our customer packets would not be forwarded. We prepped up a new server with this app inside docker, using docker-compose.yml for port mapping, and then just switched the IP addresses. tcp-time-wait-timeout10s udp-stream-timeout3m udp-timeout10s /ip firewall. Please do not send me emails I do not work for nor represent Freephoneline or Fongo. ![]() Navigate to Status>System Status Registration is a requirement for incoming calls, and only one registration is allowed at any time per FPL account. This will force netfilter to track state related to UDP. Enter the IP address youre told into your web browser. One method you could use is simply setup some simple netfilter rules that use the -state option. In detail: We containerized a legacy application which listened on a particular UDP port, which only one of our customers used to send data. Ive noticed lately theres loads of unreplied connections in the firewall. As others have mentioned UDP is connection-less so state isnt tracked in the standard locations you might look. Tomato/Merlin firmware defaults to 180, which usually works well. ![]() Is it possible that an UDP connection gets stuck in a state where it would not be properly routed to a container, necessitating a server restart? Keep this value above UDP Unreplied Timeout, and below UDP Assured Timeout UDP Assured Timeout: 180 - keep above the NAT Keep Alive interval to avoid VoIP issues.
0 Comments
Leave a Reply. |