From: Pablo Neira Ayuso <pablo@netfilter.org>
To: abirvalg@lavabit.com
Cc: netfilter-devel@vger.kernel.org
Subject: Re: conntrack can't update mark on icmp connection
Date: Fri, 23 Mar 2012 02:11:43 +0100
Message-ID: <20120323011143.GA20298@1984>
In-Reply-To: <20120214001644.2e3a0d4c@wwwwww-701SD>
On Tue, Feb 14, 2012 at 12:16:44AM +0200, abirvalg@lavabit.com wrote:
> Hello,
> As root I try to set marks on all packets originating from my machine with
>
> conntrack -U -s 192.168.1.114 --mark 10
>
> It does set marks on some udp connections but ignores the icmp one.
> Upon the issue of this command it lists all updated udp connections with mark=10 and
> eventually gives
> ...
> conntrack v0.9.14 (conntrack-tools): Operation failed: invalid parameters
>
> After that conntrack -L shows that all udp connections that precede in the list the icmp one
> were updated, but the icmp connection and all udp connections following it in the
> list were not updated. Seems like conntrack choked on icmp.
>
> Could you please help me.
> uname -a
> Linux 2.6.35-30-generic #60-Ubuntu SMP Mon Sep 19 20:45:08 UTC 2011 i686 GNU/Linux

The problem seems to be in libnetfilter_conntrack.
I have pushed the following patch, it seems to resolve the issue here
for me.

commit 3a39278a56d12ad13a41973cd0b50238206f11ef
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri Mar 23 02:07:41 2012 +0100

    conntrack: fix wrong building of ICMP reply tuple