From: "André Paulsberg-Csibi (IBM Consultant)" <Andre.Paulsberg-Csibi@evry.com>
To: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: No sign of INVALID packet , LOGS DROP but not reason
Date: Sun, 29 May 2016 10:42:47 +0000
Message-ID: <1464518566817.52562@evry.com>
Hi,
I have come across something that I am starting to think is a bug,
but before I start upgrading and other work, let's see if I missed something!
I have log entries like these
May 28 10:47:13 zotac kernel: INVALID-STATE IN=vlan0 OUT= MAC=# SRC=189.222.120.167 DST=# LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=5745 PROTO=TCP SPT=21735 DPT=56715 WINDOW=0 RES=0x00 ACK RST URGP=0
I have used
conntrack -E -o timestamp
and added logging with
echo 255 > /proc/sys/net/netfilter/nf_conntrack_log_invalid
From what I can see there are no "kernel: nf_ct_tcp: " entries at the moment of the DROP of the ACK RST,
and there is an entry in conntrack for this session that should allow the ACK RST to terminate that session.
When I do:
zotac:~ # journalctl | grep nf_ct | grep " ACK RST " | grep -v " ACK RST FIN "
May 26 22:35:31 zotac kernel: nf_ct_tcp: invalid RST IN= OUT= SRC=# DST=81.233.185.232 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=14841 PROTO=TCP SPT=7905 DPT=56206 SEQ=2244837322 ACK=835716258 WINDOW=0 RES=0x00 ACK RST URGP=0
I only find ONE result, but when I do:
zotac:~ # journalctl | grep INVALID | grep " ACK RST " | grep -v " ACK RST FIN " | grep "May 2[678]" | wc
1590 38480 412611
I should have at least 1000+ more nf_ct log entries to match all my INVALID ACK RST log entries.
I have tried to spot some issues with TCPDUMPs, but all packets seem like normal ACK RST when I try to get the same result "manually" by sending SYN packets (I just used "telnet IP PORT" to a port I found in my log) ...
I see the ACK RST telling me the port is blocked and I can't seem to find any issues with the packet!
Best regards
André Paulsberg-Csibi
Senior Network Engineer
Fault Handling
IBM Services AS
andre.paulsberg-csibi@evry.com
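
Added example, not part of the original message: the two grep counts above can be turned into a per-packet comparison that prints every INVALID-STATE line with no nf_ct_tcp line for the same packet. The packet key (SRC, DST, SPT, DPT, ID), the function names and the sample log lines are assumptions constructed for this example.

```shell
# Constructed sample: one drop with a matching nf_ct_tcp reason, one without.
sample_log() {
    cat <<'EOF'
May 28 10:47:13 fw kernel: nf_ct_tcp: invalid RST IN= OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=1001 PROTO=TCP SPT=21735 DPT=56715 SEQ=1 ACK=2 WINDOW=0 RES=0x00 ACK RST URGP=0
May 28 10:47:13 fw kernel: INVALID-STATE IN=vlan0 OUT= MAC=# SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=1001 PROTO=TCP SPT=21735 DPT=56715 WINDOW=0 RES=0x00 ACK RST URGP=0
May 28 10:47:20 fw kernel: INVALID-STATE IN=vlan0 OUT= MAC=# SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=5745 PROTO=TCP SPT=443 DPT=40000 WINDOW=0 RES=0x00 ACK RST URGP=0
EOF
}

# Read syslog/journal text on stdin and print each INVALID-STATE line whose
# packet never appears in an nf_ct_tcp line. IN=/OUT= are left out of the key
# because the nf_ct_tcp lines in the post carry them empty.
# Assumption: SRC, DST, SPT, DPT and IP ID identify a packet well enough;
# a reused IP ID on the same 4-tuple would hide a genuinely unexplained drop.
unexplained_invalid() {
    awk '
    function pkt_key(    i, kv, f) {
        split("", f)                          # reset the KEY=VALUE map
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        return f["SRC"] "|" f["DST"] "|" f["SPT"] "|" f["DPT"] "|" f["ID"]
    }
    / nf_ct_tcp: /    { explained[pkt_key()] = 1; next }
    / INVALID-STATE / { n++; line[n] = $0; key[n] = pkt_key() }
    END {
        # Compare only after all input is read, so line order does not matter.
        for (i = 1; i <= n; i++)
            if (!(key[i] in explained)) print line[i]
    }'
}
```

On a live system the input would be `journalctl -k | unexplained_invalid`; the lines it prints are the drops to compare against tcpdump and conntrack -E output.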