From: Philip Craig <philipc@snapgear.com>
To: Paul Mielke <paulm@routefree.com>
Cc: netfilter-devel@lists.netfilter.org, paulm@broadon.com
Subject: Re: another PPTP conntrack problem (no fix this time)
Date: Thu, 30 Jan 2003 17:34:40 +1000 [thread overview]
Message-ID: <3E38D590.9070608@snapgear.com> (raw)
In-Reply-To: 4.2.0.58.20030129161653.01aab6e8@avocetgw
Paul Mielke wrote:
> The support for generating an ICMP response to an error on a GRE packet is hopelessly
> broken. We ran into this in the course of testing two layers of nested PPTP
> connections. In our particular error case, the second layer of PPTP (only from
> Windows XP for some reason) generates a packet with DF set that is too large
> by the time the two layers of encapsulation get added. When the ICMP response
> is generated, the rejected packet has already been through NAT. When the logic
> in icmp_error_track attempts to look up the connection in order to NAT the header
> of the dropped packet that is buried inside the ICMP response, it is unable to find
> the GRE connection tuple. As a result, it sends the encapsulated header of
> the dropped packet back in its un-NATted form. The original sender who needs to
> adjust his MTU can't map the packet to a connection, because the dropped header
> is untranslated. As a result, the connection just hangs and no further traffic gets
> through.
>
> Suggestions? We are working on a fix, but the only idea I have had so far is
> pretty distasteful (put a special purpose check for GRE and call a routine that
> does a brute force search through the GRE keymap hash looking for a match to the
> callid). It's not even clear this will work. Failing that, we'd need another hash that
> indexes the keymaps in the "inverse" direction, if you see what I mean.
I'm not entirely clear on your setup. How many machines are
involved, where are the tunnels, and where is NAT happening?
This sounds like a problem with NAT of ICMP errors, rather than
a PPTP conntrack problem. There have been at least 2 patches
on the list regarding NAT of the inner ICMP header. I don't
think either have made it into standard kernels yet. Have you
tried them?
--
Philip Craig Software Engineer http://www.SnapGear.com
philipc@snapgear.com Ph: +61 7 3435 2821 Fx: +61 7 3891 3630
SnapGear - Custom Embedded Solutions and Security Appliances
next prev parent reply other threads:[~2003-01-30 7:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-01-18 0:29 PPTP connection tracking fixes paulm
2003-01-21 1:50 ` Philip Craig
2003-01-21 8:25 ` Philip Craig
2003-01-30 0:31 ` another PPTP conntrack problem (no fix this time) Paul Mielke
2003-01-30 7:34 ` Philip Craig [this message]
2003-01-31 12:04 ` Harald Welte
2003-01-31 20:50 ` Paul Mielke
2003-02-05 8:23 ` Philip Craig
2003-02-18 1:21 ` [PATCH] " Philip Craig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3E38D590.9070608@snapgear.com \
--to=philipc@snapgear.com \
--cc=netfilter-devel@lists.netfilter.org \
--cc=paulm@broadon.com \
--cc=paulm@routefree.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.