From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Grace
Subject: Re: POSSIBLE BUG: netfilter/ip_conntrack_core
Date: Mon, 16 Feb 2004 10:25:47 -0500
Sender: netfilter-devel-admin@lists.netfilter.org
Message-ID: <4030E0FB.9050207@rttx.com>
References: <4030DADD.1040104@rttx.com> <4030DDC7.4050900@trash.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Netfilter Development Mailinglist
To: Patrick McHardy
In-Reply-To: <4030DDC7.4050900@trash.net>
Errors-To: netfilter-devel-admin@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the prompt reply!

To netfilter gurus:

I'm running kernel 2.6.1 with debian unstable (currently utilizing gcc
3-3-3 and libc6 2.3.2-ds1-11).

The problem seems to be happening whenever I try to telnet to one of our
systems through the firewall. In this case, the IP address 67.105.178.145,
which forwards to 10.0.0.5, is causing the following odd message:

LIST_DELETE: net/ipv4/netfilter/ip_conntrack_core.c:295 &ct->tuplehash[IP_CT_DIR_REPLY] (c40bf384) not in &ip_conntrack_hash[hr]

iptables-save output follows (some IP addresses changed to protect the
innocent):

# Generated by iptables-save v1.2.9 on Mon Feb 16 09:48:47 2004
*nat
:PREROUTING ACCEPT [6317:528203]
:POSTROUTING ACCEPT [519:45824]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 67.105.178.144 -j DNAT --to-destination 10.0.0.4
-A PREROUTING -d 67.105.178.145 -j DNAT --to-destination 10.0.0.5
-A PREROUTING -d 67.105.178.140 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.9:110
-A PREROUTING -d 67.105.178.140 -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.9:995
-A PREROUTING -d 67.105.178.140 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.0.9:143
-A PREROUTING -d 67.105.178.140 -p tcp -m tcp --dport 993 -j DNAT --to-destination 10.0.0.9:993
-A POSTROUTING -s 10.0.0.4 -d ! 10.0.0.0/255.255.0.0 -j SNAT --to-source 67.105.178.144
-A POSTROUTING -s 10.0.0.5 -d ! 10.0.0.0/255.255.0.0 -j SNAT --to-source 67.105.178.145
-A POSTROUTING -s 10.0.0.0/255.255.0.0 -d ! 10.0.0.0/255.255.0.0 -j SNAT --to-source 67.105.178.130
COMMIT
# Completed on Mon Feb 16 09:48:47 2004
# Generated by iptables-save v1.2.9 on Mon Feb 16 09:48:47 2004
*mangle
:PREROUTING ACCEPT [50601:25640371]
:INPUT ACCEPT [18633:7025727]
:FORWARD ACCEPT [29086:18125877]
:OUTPUT ACCEPT [17826:1566349]
:POSTROUTING ACCEPT [46912:19692226]
COMMIT
# Completed on Mon Feb 16 09:48:47 2004
# Generated by iptables-save v1.2.9 on Mon Feb 16 09:48:47 2004
*filter
:INPUT ACCEPT [3324:459318]
:FORWARD ACCEPT [1207:70244]
:OUTPUT ACCEPT [2371:282116]
-A INPUT -s 10.0.0.0/255.255.255.0 -d 10.0.0.6 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state INVALID -j ULOG
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s X.X.X.X -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s X.X.X.X -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s X.X.X.X -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s X.X.X.X -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s X.X.X.X -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 67.105.178.130 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -d 67.105.178.130 -p udp -m udp --dport 5036 -j ACCEPT
-A INPUT -d 67.105.178.130 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 37 -j ACCEPT
-A INPUT -d 67.105.178.130 -p udp -m udp --dport 37 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 67.105.178.130 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 67.105.178.130 -d 67.105.178.130 -p tcp -j ACCEPT
-A INPUT -s 67.105.178.130 -d 67.105.178.130 -p udp -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -j ULOG
-A INPUT -d 67.105.178.130 -p udp -j ULOG
-A INPUT -d 67.105.178.130 -p icmp -j ULOG
-A INPUT -d 67.105.178.0/255.255.255.0 -p icmp -j ULOG
-A INPUT -d 67.105.178.130 -p tcp -j DROP
-A INPUT -d 67.105.178.130 -p udp -j DROP
-A INPUT -d 67.105.178.130 -p icmp -j DROP
-A INPUT -d 67.105.178.0/255.255.255.0 -p icmp -j DROP
-A INPUT -d 67.105.178.140 -p tcp -j ULOG
-A INPUT -d 67.105.178.140 -p udp -j ULOG
-A INPUT -d 67.105.178.140 -p icmp -j ULOG
-A INPUT -d 67.105.178.140 -p tcp -j DROP
-A INPUT -d 67.105.178.140 -p udp -j DROP
-A INPUT -d 67.105.178.140 -p icmp -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j ULOG
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 446 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 448 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 449 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 5110 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 992 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8470 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8471 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8472 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8473 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8474 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8475 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8476 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 8480 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9470 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9471 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9472 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9473 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9474 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9475 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9476 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9480 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9080 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -m tcp --dport 9081 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p tcp -j DROP
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p udp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p udp -j DROP
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p icmp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.4 -p icmp -j DROP
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 446 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 448 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 449 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 5110 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 992 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8470 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8471 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8472 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8473 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8474 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8475 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8476 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 8480 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9470 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9471 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9472 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9473 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9474 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9475 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9476 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9480 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9080 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 9081 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -j DROP
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p udp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p udp -j DROP
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p icmp -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p icmp -j DROP
-A FORWARD -d 67.105.178.0/255.255.255.0 -p icmp -j ULOG
-A FORWARD -d 67.105.178.0/255.255.255.0 -p icmp -j DROP
-A OUTPUT -s 10.0.0.103 -d 10.0.0.5 -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -s 10.0.0.103 -d 10.0.0.5 -p tcp -m tcp --dport 5010 -j ACCEPT
-A OUTPUT -s 10.0.0.103 -d 10.0.0.5 -p tcp -m tcp --dport 5002 -j ACCEPT
-A OUTPUT -s 10.0.0.103 -d 10.0.0.5 -p tcp -m tcp --dport 5001 -j ACCEPT
-A OUTPUT -s 10.0.0.103 -p icmp -j DROP
-A OUTPUT -s 10.0.0.103 -p udp -j DROP
-A OUTPUT -s 10.0.0.103 -p tcp -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j ULOG
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Feb 16 09:48:48 2004

Patrick McHardy wrote:
| Peter Grace wrote:
|
|> Hello,
|> ~ I'm posting to the list blindly this following report:
|
|
| Moved from linux-kernel to netfilter-devel ..
|
|>
|> LIST_DELETE: net/ipv4/netfilter/ip_conntrack_core.c:295
|> &ct->tuplehash[IP_CT_DIR_REPLY] (c40bf384) not in
|> &ip_conntrack_hash[hr]
|>
|> I believe the memory addresses are not as pertinent as the message
|> itself, but the screen filled up with 4-5 of these lines before
|> finally biting the dust.
|>
|> Can someone shoot me an e-mail in reply to let me know if this is a
|> bug in netfilter code or if I'm just somehow confusing the heck
|> out of the nat filter? I've got a set of nat forwarding rules that
|> forwards an ip address onto the internal lan, and then from there
|> I'm only allowing certain packets to go through -- that seems to
|> have exacerbated the problem..
|
|
| Please post your ruleset, your kernel version and other relevant
| information, this should not happen.
|
| Regards
| Patrick
|
|
|>
|> Thanks in advance!
|>
|> Pete
|>
|> --
|> ---
|> /------------------------------------------------\
|> |Peter Grace                    Phone: 484-875-9462
|> |Technology Analyst               Fax: 484-875-9461
|> |RealTime Technologies, Inc.     Cell: 484-919-1400
|> |835 Springdale Drive, Suite 101
|> |Exton, PA 19341
|> \------------------------------------------------/
|
|
| -
| To unsubscribe from this list: send the line "unsubscribe
| linux-kernel" in the body of a message to majordomo@vger.kernel.org
| More majordomo info at http://vger.kernel.org/majordomo-info.html
| Please read the FAQ at http://www.tux.org/lkml/
|
|

--
---
/------------------------------------------------\
|Peter Grace                    Phone: 484-875-9462
|Technology Analyst               Fax: 484-875-9461
|RealTime Technologies, Inc.     Cell: 484-919-1400
|835 Springdale Drive, Suite 101
|Exton, PA 19341
\------------------------------------------------/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAMOD61bytwQSw7hoRArt8AKDqSz5rlfG7iTQaux+ffo3Okm4NjQCaAx61
S07okkmMvc6TvUyyjm60WbY=
=W30I
-----END PGP SIGNATURE-----
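Editor's note on the ruleset, added to this archived message and not part of Peter's or Patrick's text: in the posted filter table every `-m state --state INVALID -j DROP` sits directly before the `-j ULOG` rule with the same match, in INPUT, FORWARD and OUTPUT alike, so INVALID packets are dropped before the logging rule can ever see them (the ULOG rules for plain `-p tcp`, `-p udp` and `-p icmp`, by contrast, precede their DROPs and do fire). The script below is example code written for this page, not code from the thread or from the netfilter project. It parses iptables-save output and reports a rule as unreachable when an earlier rule in the same chain carries an equal or smaller set of match options and jumps to a terminating target. Option values are compared literally, so a broader CIDR in the earlier rule is not detected; both the old `-d ! addr` and the newer `! -d addr` negation syntax are accepted. The set of terminating targets is an assumption of the script, and SAMPLE is a constructed excerpt of the posted ruleset.

```python
"""Report iptables rules that an earlier rule in the same chain makes
unreachable.  Example code written for this page, not taken from the
thread or from the netfilter project.

A rule is shadowed when an earlier rule in the same (table, chain) has a
set of match options that is a subset of the later rule's (so it matches
at least everything the later rule matches) and jumps to a terminating
target.  Values are compared literally, so the check is conservative: a
broader CIDR in the earlier rule is not detected.
"""
import shlex
from collections import defaultdict, namedtuple

Rule = namedtuple("Rule", "table chain match target line")

# Assumption: targets after which a packet leaves the chain.  ULOG, LOG
# and MARK fall through to the next rule and therefore never shadow.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN",
               "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}

# Constructed sample: an excerpt of the filter table posted in the thread.
SAMPLE = """\
*filter
:INPUT ACCEPT [3324:459318]
:FORWARD ACCEPT [1207:70244]
:OUTPUT ACCEPT [2371:282116]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state INVALID -j ULOG
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 67.105.178.130 -p tcp -j ULOG
-A INPUT -d 67.105.178.130 -p tcp -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j ULOG
-A FORWARD -s ! 10.0.0.0/255.255.254.0 -d 10.0.0.5 -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j ULOG
COMMIT
"""


def _normalize_negation(tokens):
    """Rewrite the old spelling 'opt ! value' as the new '! opt value'."""
    out = []
    for tok in tokens:
        if tok == "!" and out and out[-1].startswith("-"):
            out.insert(len(out) - 1, "!")
        else:
            out.append(tok)
    return out


def parse_rule(line, table):
    """Parse one '-A CHAIN ...' line into a Rule, or return None."""
    tokens = _normalize_negation(shlex.split(line))
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain, match, target = tokens[1], set(), None
    i, negate = 2, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
        elif tok == "-j":
            target = tokens[i + 1] if i + 1 < len(tokens) else None
            break  # everything after -j is a target option, not a match
        elif tok.startswith("-"):
            i += 1
            vals = []
            while i < len(tokens) and not tokens[i].startswith("-") and tokens[i] != "!":
                vals.append(tokens[i])
                i += 1
            match.add((tok, negate, " ".join(vals)))
            negate = False
        else:
            i += 1
    return Rule(table, chain, frozenset(match), target, line)


def parse_dump(text):
    """Parse iptables-save output into a list of Rule, tracking the table."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ":")) or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        rule = parse_rule(line, table)
        if rule is not None:
            rules.append(rule)
    return rules


def find_shadowed(rules):
    """Return (unreachable_rule, shadowing_rule) pairs, in chain order."""
    by_chain = defaultdict(list)
    for rule in rules:
        by_chain[(rule.table, rule.chain)].append(rule)
    shadowed = []
    for chain_rules in by_chain.values():
        for idx, later in enumerate(chain_rules):
            for earlier in chain_rules[:idx]:
                if earlier.target in TERMINATING and earlier.match <= later.match:
                    shadowed.append((later, earlier))
                    break
    return shadowed


if __name__ == "__main__":
    for later, earlier in find_shadowed(parse_dump(SAMPLE)):
        print(f"[{later.table}] never reached: {later.line}")
        print(f"    shadowed by:   {earlier.line}")
```

Run it against `iptables-save` output on a real host and every reported pair is a rule whose counters will stay at zero; in the posted ruleset the fix is simply to swap each INVALID DROP/ULOG pair so that logging happens first.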