From: Roberto Nibali <ratz@tac.ch>
To: Netfilter Developers <netfilter-devel@lists.netfilter.org>
Cc: chris@tac.ch
Subject: strange INVALID SYN in ip_conntrack (tcp window tracking enabled) in 2.4.27 kernel
Date: Fri, 17 Dec 2004 12:07:35 +0100 [thread overview]
Message-ID: <41C2BDF7.6080509@tac.ch> (raw)
Hello,
I just wanted to know if this is a known feature of the conntrack code. When I
issue a local redirect ssh command, I get an ACCEPT followed by an INVALID on
the SYN packet but the connection still works (kernel 2.4.27).
# /foobar/bin/sshc www@172.23.139.11 -o BatchMode=yes -2 -q -f -N -p 2345 -R
1513:127.0.0.1:1514
# tail -f /var/log/kernlog
Dec 17 11:18:41 s_int@foobar tfx3: fw-tcp2fw [110] a:ACCEPT s:NEW
f:INPUT IN=eth0 OUT= SRC=172.23.139.20 DST=172.23.139.11 DF PROTO=TCP SPT=1059
DPT=2345 SYN
Dec 17 11:18:41 s_int@foobar ip_conntrack_tcp: INVALID: invalid SYN
(ignored) SRC=172.23.139.20 DST=172.23.139.11 DF PROTO=TCP SPT=1059 DPT=2345
SYN OPT (020405B40402080A0085041F0000000001030300)
The connection is established and the traffic works through the tunnel, but I'm
curious as to what could actually create those two lines. I've straced the call
but haven't found anything odd in particular.
ip_ct_tcp_log_invalid is set. Reading ip_conntrack_proto_tcp.c I learn that this
can be because we're in TCP_CONNTRACK_IGNORE state (sIG). According to the comment:
/* This SYN/ACK acknowledges a SYN that we earlier ignored
* as invalid. This means that the client and the server
* are both in sync, while the firewall is not. We kill
* this session and block the SYN/ACK so that the client
* cannot but retransmit its SYN and thus initiate a
* clean new session.
*/
From a TCP state transition point of view I reopen a new connection and thus
I've checked the /* ORIGINAL */ table which mentions following possible sIG
transitions under /*syn*/:
* sSR -> sIG Late retransmitted SYN?
* sES -> sIG Error: SYNs in window outside the SYN_SENT state
* are errors. Receiver will reply with RST
* and close the connection.
* Or we are not in sync and hold a dead connection.
* sFW -> sIG
* sCW -> sIG
* sLA -> sIG
The strange thing is that I even when I believe to be in sNO state on the packet
filter the connections is made to I get this message. I know I can safely ignore
it but I'm wondering why it is like that.
Best regards,
Roberto Nibali, ratz
--
-------------------------------------------------------------
addr://Rathausgasse 31, CH-5001 Aarau tel://++41 62 823 9355
http://www.terreactive.com fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG Wir sichern Ihren Erfolg
-------------------------------------------------------------
next reply other threads:[~2004-12-17 11:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-17 11:07 Roberto Nibali [this message]
2004-12-17 11:32 ` strange INVALID SYN in ip_conntrack (tcp window tracking enabled) in 2.4.27 kernel Jozsef Kadlecsik
2004-12-17 12:01 ` Roberto Nibali
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41C2BDF7.6080509@tac.ch \
--to=ratz@tac.ch \
--cc=chris@tac.ch \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.