ctnetlink weird events on ipsec connections

ctnetlink weird events on ipsec connections

[Thomas]

Hello,

I recently tried the new ip_conntrack_netlink feature and I got a weird
result with ipsec connections : 
# conntrack -E conntrack
[DESTROY] src=<VPNGW_1> dst=<VPNGW_2>
          src=<VPNGW_2> dst=<VPNGW_1> timeout:180
          orig_packets=8391 orig_bytes=1252012,
          reply_packets=19 reply_bytes=11424 
[DESTROY] src=<INTERNAL_IP1> dst=<INTERNAL_IP2>
          src=<INTERNAL_IP2> dst=<INTERNAL_IP1> timeout:432000
          orig_packets=7763 orig_bytes=572775,
          reply_packets=5219 reply_bytes=1209729 
[DESTROY] src=<VPNGW_1> dst=<VPNGW_2>
          src=<VPNGW_2> dst=<VPNGW_1> timeout:180
          orig_packets=8392 orig_bytes=1252140,
          reply_packets=19 reply_bytes=11424 
[DESTROY] src=<INTERNAL_IP1> dst=<INTERNAL_IP2>
          src=<INTERNAL_IP2> dst=<INTERNAL_IP1> timeout:432000
          orig_packets=7764 orig_bytes=572827,
          reply_packets=5221 reply_bytes=1210553 
and so on ...

both INTERNAL_IP2 and VPNGW_2 ip are in the same host where I run
conntrack tool.

you can note that {orig|reply}_{packets|byte} are normally incremented
as if the connection in the conntrack was not destroyed.
It seems that two destroy events are generated for each ipsec packet.

I've just updated conntrack, libnfnetlink, libctnetlink, nfnetlink and
ctnetlink from svn.netfilter.org (updated today) and the result is the
same.

Thomas

Re: ctnetlink weird events on ipsec connections

[Pablo Neira]

Hi,

Thomas wrote:
> Hello,
> 
> I recently tried the new ip_conntrack_netlink feature and I got a weird
> result with ipsec connections : 
> # conntrack -E conntrack
> [DESTROY] src=<VPNGW_1> dst=<VPNGW_2>
>           src=<VPNGW_2> dst=<VPNGW_1> timeout:180
>           orig_packets=8391 orig_bytes=1252012,
>           reply_packets=19 reply_bytes=11424 
> [DESTROY] src=<INTERNAL_IP1> dst=<INTERNAL_IP2>
>           src=<INTERNAL_IP2> dst=<INTERNAL_IP1> timeout:432000
>           orig_packets=7763 orig_bytes=572775,
>           reply_packets=5219 reply_bytes=1209729 
> [DESTROY] src=<VPNGW_1> dst=<VPNGW_2>
>           src=<VPNGW_2> dst=<VPNGW_1> timeout:180
>           orig_packets=8392 orig_bytes=1252140,
>           reply_packets=19 reply_bytes=11424 
> [

DESTROY] src=<INTERNAL_IP1> dst=<INTERNAL_IP2>
>           src=<INTERNAL_IP2> dst=<INTERNAL_IP1> timeout:432000
>           orig_packets=7764 orig_bytes=572827,
>           reply_packets=5221 reply_bytes=1210553 
> and so on ...
> 
> both INTERNAL_IP2 and VPNGW_2 ip are in the same host where I run
> conntrack tool.

I recently posted a patch to delete the use of nfcache in ip_tables, 
this causes some interferences to the conntrack-event-api. I think that 
it could be related to your problem.

https://lists.netfilter.org/pipermail/netfilter-devel/2005-May/019574.html

Could you give it a try and let me know if it fixes your problem?

--
Pablo

ctnetlink weird events on ipsec connections

[Thomas]

your patch solves my problem

Thanks

Thomas

Pablo Neira wrote:
> I recently posted a patch to delete the use of nfcache in ip_tables, 
> this causes some interferences to the conntrack-event-api. I think that 
> it could be related to your problem.
> 
> https://lists.netfilter.org/pipermail/netfilter-devel/2005-May/019574.html
> 
> Could you give it a try and let me know if it fixes your problem?