From: Marcel Laverdet <marcel@laverdet.com>
To: netfilter@vger.kernel.org
Subject: Problems getting NOTRACK to do anything at all
Date: Fri, 02 Oct 2009 07:40:48 -0500
Message-ID: <0d99e50d4f57cd74439c228559a6738c@localhost>

For some reason I can't seem to get the NOTRACK iptables rule to do
anything at all. Can anyone make sense of the following session, which I
think describes the problem better than words could? The session below was
carried out on a reasonably busy server, and I didn't waste much time in
between each command.

fantasma marcel # iptables-save
# Generated by iptables-save v1.4.2 on Fri Oct  2 07:28:30 2009
*filter
:INPUT ACCEPT [3195003:612499850]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2555099:4249706524]
COMMIT
# Completed on Fri Oct  2 07:28:30 2009
# Generated by iptables-save v1.4.2 on Fri Oct  2 07:28:30 2009
*raw
:PREROUTING ACCEPT [3604504:692724983]
:OUTPUT ACCEPT [2885938:4764142471]
COMMIT
# Completed on Fri Oct  2 07:28:30 2009

fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
grep: /proc/net/ip_conntrack: No such file or directory
      0       0       0

fantasma marcel # iptables -t raw -A PREROUTING -i lo -j NOTRACK

fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
grep: /proc/net/ip_conntrack: No such file or directory
      0       0       0

fantasma marcel # modprobe nf_conntrack_ipv4

fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
     74    1405   14295

fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
    178    3381   34425

fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | tail
tcp      6 114 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44537 dport=11211 packets=9 bytes=1164 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44537 packets=8 bytes=948 [ASSURED] mark=0 use=1
tcp      6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44462 dport=11211 packets=11 bytes=2003 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44462 packets=10 bytes=1936 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44742 dport=11211 packets=8 bytes=477 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44742 packets=7 bytes=1535 [ASSURED] mark=0 use=1
tcp      6 115 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44621 dport=11211 packets=9 bytes=837 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44621 packets=8 bytes=621 [ASSURED] mark=0 use=1
tcp      6 119 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44851 dport=11211 packets=8 bytes=477 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44851 packets=7 bytes=1535 [ASSURED] mark=0 use=1
tcp      6 115 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44599 dport=11211 packets=9 bytes=837 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44599 packets=8 bytes=621 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44714 dport=11211 packets=13 bytes=849 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44714 packets=12 bytes=5310 [ASSURED] mark=0 use=1
tcp      6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44501 dport=11211 packets=12 bytes=5103 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44501 packets=12 bytes=39594 [ASSURED] mark=0 use=1
tcp      6 119 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44865 dport=11211 packets=8 bytes=477 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44865 packets=7 bytes=1535 [ASSURED] mark=0 use=1
tcp      6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44479 dport=11211 packets=9 bytes=1193 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44479 packets=8 bytes=977 [ASSURED] mark=0 use=1

fantasma marcel # iptables -t raw -A PREROUTING -s 127.0.0.1 -j NOTRACK

fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
   1698   32261  327594

fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
   1733   32926  334299

fantasma marcel # grep '127.0.0.1' /proc/net/ip_conntrack | wc
   1782   33852  343672

As you can see I've tried NOTRACKing both lo and 127.0.0.1 and the rules
just seem to be NOOPs.

Any help would be appreciated. Thanks.
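A check for whether a NOTRACK rule is actually taking effect, added here as an example (not part of the original mail): it parses /proc/net/ip_conntrack entries in the format shown above and diffs two snapshots, since entries created before the rule stay in the table until their timeout expires and only newly created loopback flows show that conntrack still sees the traffic. The two snapshots are constructed sample data.

```python
import re
KV = re.compile(r"(\w+)=(\S+)")

# Constructed snapshots in the /proc/net/ip_conntrack layout from the mail: proto,
# protonum, timeout, optional state, k=v pairs (original tuple, then reply), [FLAGS].
BEFORE = [
    "tcp      6 114 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=44537 dport=11211 "
    "packets=9 bytes=1164 src=127.0.0.1 dst=127.0.0.1 sport=11211 dport=44537 "
    "packets=8 bytes=948 [ASSURED] mark=0 use=1",
    "udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=53 packets=1 "
    "bytes=60 [UNREPLIED] src=10.0.0.1 dst=10.0.0.5 sport=53 dport=5353 "
    "packets=0 bytes=0 mark=0 use=1",
]
AFTER = BEFORE[:1] + [   # the udp flow timed out, a new loopback flow appeared
    "tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=44900 "
    "dport=11211 packets=3 bytes=200 src=127.0.0.1 dst=127.0.0.1 sport=11211 "
    "dport=44900 packets=2 bytes=150 [ASSURED] mark=0 use=1",
]

def parse_entry(line):
    """Split one conntrack line into proto, timeout, state, flags and both tuples."""
    fields = line.split()
    proto, timeout, rest = fields[0], int(fields[2]), fields[3:]
    state = ""
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)          # tcp carries a state column, udp does not
    orig, reply, flags = {}, {}, []
    for tok in rest:
        if tok.startswith("["):
            flags.append(tok.strip("[]"))
            continue
        m = KV.fullmatch(tok)
        if m:
            k, v = m.groups()
            (reply if k in orig else orig)[k] = v   # second sighting = reply side
    return {"proto": proto, "timeout": timeout, "state": state,
            "flags": flags, "orig": orig, "reply": reply}

def loopback_flows(lines):
    """Index entries whose original direction touches 127.0.0.1 by flow tuple."""
    flows = {}
    for e in map(parse_entry, lines):
        o = e["orig"]
        if "127.0.0.1" in (o.get("src"), o.get("dst")):
            flows[(e["proto"], o["src"], o["sport"], o["dst"], o["dport"])] = e
    return flows

def new_since(before, after):
    """Loopback flows conntrack created between the two snapshots."""
    seen = loopback_flows(before)
    return sorted(k for k in loopback_flows(after) if k not in seen)
```

For locally generated packets the first conntrack hook is OUTPUT, so a NOTRACK rule in raw PREROUTING alone is reached after the entry already exists; matching the traffic in the raw OUTPUT chain as well is what keeps new 127.0.0.1 flows from showing up in this diff.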