From: Peter Grace <pgrace@rttx.com>
To: Patrick McHardy <kaber@trash.net>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Re: POSSIBLE BUG:  netfilter/ip_conntrack_core
Date: Mon, 16 Feb 2004 10:25:47 -0500	[thread overview]
Message-ID: <4030E0FB.9050207@rttx.com> (raw)
In-Reply-To: <4030DDC7.4050900@trash.net>

Thanks for the prompt reply!

To netfilter gurus:

I'm running kernel 2.6.1 with debian unstable (currently utilizing gcc
3-3-3 and libc6 2.3.2-ds1-11).

The problem seems to happen whenever I try to telnet to one of our
systems through the firewall.
In this case, the IP address 67.105.178.145, which forwards to
10.0.0.5, is causing the following odd message:

LIST_DELETE: net/ipv4/netfilter/ip_conntrack_core.c:295
&ct->tuplehash[IP_CT_DIR_REPLY] (c40bf384) not in &ip_conntrack_hash[hr]
iptables-save output follows (some ip addresses changed to protect
the innocent):

# Generated by iptables-save v1.2.9 on Mon Feb 16 09:48:47 2004
*nat
:PREROUTING ACCEPT [6317:528203]
:POSTROUTING ACCEPT [519:45824]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 67.105.178.144 -j DNAT --to-destination 10.0.0.4
-A PREROUTING -d 67.105.178.145 -j DNAT --to-destination 10.0.0.5
-A PREROUTING -d 67.105.178.140 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.9:110
-A PREROUTING -d 67.105.178.140 -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.9:995
-A PREROUTING -d 67.105.178.140 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.0.9:143
-A PREROUTING -d 67.105.178.140 -p tcp -m tcp --dport 993 -j DNAT --to-destination 10.0.0.9:993
-A POSTROUTING -s 10.0.0.4 -d ! 10.0.0.0/255.255.0.0 -j SNAT --to-source 67.105.178.144
-A POSTROUTING -s 10.0.0.5 -d ! 10.0.0.0/255.255.0.0 -j SNAT --to-source 67.105.178.145
-A POSTROUTING -s 10.0.0.0/255.255.0.0 -d ! 10.0.0.0/255.255.0.0 -j SNAT --to-source 67.105.178.130
COMMIT
# Completed on Mon Feb 16 09:48:47 2004
# Generated by iptables-save v1.2.9 on Mon Feb 16 09:48:47 2004
*mangle
:PREROUTING ACCEPT [50601:25640371]
:INPUT ACCEPT [18633:7025727]
:FORWARD ACCEPT [29086:18125877]
:OUTPUT ACCEPT [17826:1566349]
:POSTROUTING ACCEPT [46912:19692226]
COMMIT
# Completed on Mon Feb 16 09:48:47 2004
# Generated by iptables-save v1.2.9 on Mon Feb 16 09:48:47 2004
*filter
:INPUT ACCEPT [3324:459318]
:FORWARD ACCEPT [1207:70244]
:OUTPUT ACCEPT [2371:282116]
-A INPUT -s 10.0.0.0/255.255.255.0 -d 10.0.0.6 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state INVALID -j ULOG
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s X.X.X.X -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s X.X.X.X -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s X.X.X.X -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s X.X.X.X -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s X.X.X.X -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 67.105.178.130 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -d 67.105.178.130 -p udp -m udp --dport 5036 -j ACCEPT
-A INPUT -d 67.105.178.130 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 37 -j ACCEPT
-A INPUT -d 67.105.178.130 -p udp -m udp --dport 37 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 67.105.178.130 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 67.105.178.130 -d 67.105.178.130 -p tcp -j ACCEPT
-A INPUT -s 67.105.178.130 -d 67.105.178.130 -p udp -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -j ULOG
-A INPUT -d 67.105.178.130 -p udp -j ULOG
-A INPUT -d 67.105.178.130 -p icmp -j ULOG
-A INPUT -d 67.105.178.0/255.255.255.0 -p icmp -j ULOG
-A INPUT -d 67.105.178.130 -p tcp -j DROP
-A INPUT -d 67.105.178.130 -p udp -j DROP
-A INPUT -d 67.105.178.130 -p icmp -j DROP
-A INPUT -d 67.105.178.0/255.255.255.0 -p icmp -j DROP
-A INPUT -d 67.105.178.140 -p tcp -j ULOG
-A INPUT -d 67.105.178.140 -p udp -j ULOG
-A INPUT -d 67.105.178.140 -p icmp -j ULOG
-A INPUT -d 67.105.178.140 -p tcp -j DROP
-A INPUT -d 67.105.178.140 -p udp -j DROP
-A INPUT -d 67.105.178.140 -p icmp -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j ULOG
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 446 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 448 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 449 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 5110 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 992 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8470 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8471 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8472 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8473 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8474 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8475 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8476 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8480 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9470 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9471 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9472 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9473 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9474 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9475 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9476 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9480 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9080 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9081 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -j DROP
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p udp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p udp -j DROP
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p icmp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p icmp -j DROP
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 446 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 448 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 449 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 5110 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 992 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8470 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8471 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8472 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8473 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8474 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8475 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8476 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8480 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9470 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9471 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9472 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9473 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9474 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9475 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9476 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9480 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9080 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9081 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -j DROP
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p udp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p udp -j DROP
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p icmp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p icmp -j DROP
-A FORWARD -d 67.105.178.0/255.255.255.0 -p icmp -j ULOG
-A FORWARD -d 67.105.178.0/255.255.255.0 -p icmp -j DROP
-A OUTPUT -s 10.0.0.103 -d 10.0.0.5 -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -s 10.0.0.103 -d 10.0.0.5 -p tcp -m tcp --dport 5010 -j ACCEPT
-A OUTPUT -s 10.0.0.103 -d 10.0.0.5 -p tcp -m tcp --dport 5002 -j ACCEPT
-A OUTPUT -s 10.0.0.103 -d 10.0.0.5 -p tcp -m tcp --dport 5001 -j ACCEPT
-A OUTPUT -s 10.0.0.103 -p icmp -j DROP
-A OUTPUT -s 10.0.0.103 -p udp -j DROP
-A OUTPUT -s 10.0.0.103 -p tcp -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j ULOG
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Feb 16 09:48:48 2004
Patrick McHardy wrote:

| Peter Grace wrote:
|
|> Hello,
|>     I'm posting to the list blindly the following report:
|
|
| Moved from linux-kernel to netfilter-devel ..
|
|>
|> LIST_DELETE: net/ipv4/netfilter/ip_conntrack_core.c:295
|> &ct->tuplehash[IP_CT_DIR_REPLY] (c40bf384) not in
|> &ip_conntrack_hash[hr]
|>
|> I believe the memory addresses are not as pertinent as the message
|> itself, but the screen filled up with 4-5 of these lines before
|> finally biting the dust.
|>
|> Can someone shoot me an e-mail in reply to let me know if this is a
|>  bug in netfilter code or if I'm just somehow confusing the heck
|> out of the nat filter?  I've got a set of nat forwarding rules that
|>  forwards an ip address onto the internal lan, and then from there
|> I'm only allowing certain packets to go through -- that seems to
|> have exacerbated the problem..
|
|
| Please post your ruleset, your kernel version and other relevent
| information, this should not happen.
|
| Regards Patrick
|
|
|>
|> Thanks in advance!
|>
|> Pete
|>
|> --
|> ---
|> /------------------------------------------------\
|> |Peter Grace                  Phone: 484-875-9462
|> |Technology Analyst             Fax: 484-875-9461
|> |RealTime Technologies, Inc.   Cell: 484-919-1400
|> |835 Springdale Drive, Suite 101
|> |Exton, PA  19341
|> \------------------------------------------------/
|
|
| - To unsubscribe from this list: send the line "unsubscribe
| linux-kernel" in the body of a message to majordomo@vger.kernel.org
| More majordomo info at  http://vger.kernel.org/majordomo-info.html
| Please read the FAQ at  http://www.tux.org/lkml/
|
|

--
---
/------------------------------------------------\
|Peter Grace                  Phone: 484-875-9462
|Technology Analyst             Fax: 484-875-9461
|RealTime Technologies, Inc.   Cell: 484-919-1400
|835 Springdale Drive, Suite 101
|Exton, PA  19341
\------------------------------------------------/

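One thing worth checking in the ruleset above, independent of the conntrack
message: in INPUT, FORWARD and OUTPUT the rule "-m state --state INVALID -j DROP"
comes before "-m state --state INVALID -j ULOG" with the identical match, so the
ULOG rule never sees a packet (DROP ends traversal; ULOG does not). The script
below is an added example, not code from the report or from the netfilter
project. It parses iptables-save output and reports any rule whose match is
identical to an earlier terminating rule in the same chain. Assumptions: only the
built-in targets listed in TERMINATING end traversal (jumps to user-defined chains
are treated as non-terminating because they may RETURN), and only exact-match
duplicates are detected, so a broader earlier rule hiding a narrower later one is
not reported. SAMPLE is a constructed excerpt of the posted filter table so the
script runs offline.

```python
"""Audit an iptables-save dump for rules that can never fire.

Added example, not from the thread.  Detects a non-terminating rule
(e.g. ULOG) placed after a terminating rule (e.g. DROP) that has exactly
the same match, which makes the later rule dead.
"""
import shlex
import sys
from collections import defaultdict

# Built-in targets that end chain traversal for a matching packet.
# Assumption: jumps to user-defined chains are not listed because the
# chain may RETURN, so they are treated as non-terminating here.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT",
               "MASQUERADE", "REDIRECT"}

# Constructed excerpt of the ruleset posted in the thread.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state INVALID -j ULOG
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -j ULOG
-A INPUT -d 67.105.178.130 -p tcp -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j ULOG
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j ULOG
COMMIT
"""


def parse_rules(text):
    """Yield (table, chain, match, target, lineno) for every '-A' rule.

    'match' is the tuple of tokens between the chain name and '-j'.
    Target options after the target name (e.g. --to-destination) are
    ignored because they do not change what the rule matches.
    """
    table = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            j = tokens.index("-j")
            yield table, tokens[1], tuple(tokens[2:j]), tokens[j + 1], lineno


def shadowed_rules(text):
    """Return rules hidden by an earlier terminating rule with the same match."""
    first = defaultdict(dict)   # (table, chain) -> {match: (lineno, target)}
    dead = []
    for table, chain, match, target, lineno in parse_rules(text):
        seen = first[(table, chain)]
        if match in seen:
            prev_line, prev_target = seen[match]
            dead.append({
                "table": table, "chain": chain, "line": lineno,
                "target": target, "match": " ".join(match),
                "shadowed_by_line": prev_line,
                "shadowed_by_target": prev_target,
            })
        elif target in TERMINATING:
            # First terminating rule for this match; later identical
            # matches can never be reached.
            seen[match] = (lineno, target)
    return dead


def main(argv):
    # Read a real dump from a file argument, else audit the inline sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    for r in shadowed_rules(text):
        print("%s/%s line %d: '-j %s' never fires; line %d is already "
              "'-j %s' for [%s]" % (r["table"], r["chain"], r["line"],
                                     r["target"], r["shadowed_by_line"],
                                     r["shadowed_by_target"], r["match"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as "python3 audit.py /path/to/iptables-save.txt" to check a live dump; with
no argument it audits the inline excerpt and reports the three dead ULOG rules.
Putting the ULOG rule first, as the ruleset already does for the "-d 67.105.178.130
-p tcp" pair, restores the logging.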
Thread overview: 6+ messages
2004-02-16 14:59 POSSIBLE BUG: netfilter/ip_conntrack_core Peter Grace
2004-02-16 15:12 ` Patrick McHardy
2004-02-16 15:25   ` Peter Grace [this message]
2004-02-17 14:04 ` Harald Welte
     [not found]   ` <403226F8.4040109@rttx.com>
     [not found]     ` <20040217145534.GN981@sunbeam.de.gnumonks.org>
2004-02-17 15:24       ` Peter Grace
2004-02-24 19:49         ` Peter Grace
