bug in icmp tracking?

bug in icmp tracking?

[Pablo Neira]

Hi list,

I sent some ICMP echo's request and I received the echo's reply with no 
problems but the conntrack doesn't track them.

This is because the value returned by icmp_error_track called from 
ip_conntrack_in.

snipped from icmp_error_track(...):

514         if (inside.icmp.type != ICMP_DEST_UNREACH
515             && inside.icmp.type != ICMP_SOURCE_QUENCH
516             && inside.icmp.type != ICMP_TIME_EXCEEDED
517             && inside.icmp.type != ICMP_PARAMETERPROB
518             && inside.icmp.type != ICMP_REDIRECT)
519                 return NULL;

I also had a look at the docs and I didn't find anything like "icmp are 
not tracked because of something...".

So, is this a bug or a feature?

regards,
Pablo

Re: bug in icmp tracking?

[Patrick McHardy]

Pablo Neira wrote:
> Hi list,
> 
> I sent some ICMP echo's request and I received the echo's reply with no 
> problems but the conntrack doesn't track them.
> 
> This is because the value returned by icmp_error_track called from 
> ip_conntrack_in.
> 
> snipped from icmp_error_track(...):
> 
> 514         if (inside.icmp.type != ICMP_DEST_UNREACH
> 515             && inside.icmp.type != ICMP_SOURCE_QUENCH
> 516             && inside.icmp.type != ICMP_TIME_EXCEEDED
> 517             && inside.icmp.type != ICMP_PARAMETERPROB
> 518             && inside.icmp.type != ICMP_REDIRECT)
> 519                 return NULL;
> 
> I also had a look at the docs and I didn't find anything like "icmp are 
> not tracked because of something...".
> 
> So, is this a bug or a feature?

Neither of both, you looked in the wrong place ;)
This function only tracks ICMP errors, ICMP echo-request messages
are handled by ip_conntrack_proto_icmp .. the conntrack entry
itself is removed immediately when there are no more outstanding
replies.

Regards
Patrick

> 
> regards,
> Pablo
> 

Re: bug in icmp tracking?

[Martin Josefsson]

[-- Attachment #1: Type: text/plain, Size: 1569 bytes --]

On Tue, 2004-03-09 at 20:44, Pablo Neira wrote:
> Hi list,
> 
> I sent some ICMP echo's request and I received the echo's reply with no 
> problems but the conntrack doesn't track them.

Conntrack tracks icmp-echo-requests and icmp-echo-replies just fine.

> This is because the value returned by icmp_error_track called from 
> ip_conntrack_in.
> 
> snipped from icmp_error_track(...):
> 
> 514         if (inside.icmp.type != ICMP_DEST_UNREACH
> 515             && inside.icmp.type != ICMP_SOURCE_QUENCH
> 516             && inside.icmp.type != ICMP_TIME_EXCEEDED
> 517             && inside.icmp.type != ICMP_PARAMETERPROB
> 518             && inside.icmp.type != ICMP_REDIRECT)
> 519                 return NULL;
> 
> I also had a look at the docs and I didn't find anything like "icmp are 
> not tracked because of something...".
> 
> So, is this a bug or a feature?

from ip_conntrack_in()

        /* It may be an icmp error... */
        if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
            && icmp_error_track(*pskb, &ctinfo, hooknum))
                return NF_ACCEPT;

An icmp-echo-request/reply causes icmp_error_track() to return NULL and
thus the above if-statement won't match... = the packets are tracked.
You probably won't see them in /proc/net/ip_conntrack since they are
removed as soon as the reply has been seen, which probably is around 1ms
after you were added, you have to be quite lucky in order to see them in
that file.

Apply the ctstat patch and see for yourself when you ping.

-- 
/Martin

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: bug in icmp tracking?

[Pablo Neira]

Hi Martin,

Martin Josefsson wrote:

>You probably won't see them in /proc/net/ip_conntrack since they are
>removed as soon as the reply has been seen, which probably is around 1ms
>after you were added, you have to be quite lucky in order to see them in
>that file.
>  
>
Actually, this was my error, looking at /proc/net/ip_conntrack, this got 
me confused.

thanks,
Pablo