From: Daniel Drake <dsd@gentoo.org>
To: linux-kernel@vger.kernel.org, netfilter-devel@lists.netfilter.org
Subject: 2.6.12 netfilter: local packets marked as invalid
Date: Fri, 08 Jul 2005 14:59:17 +0100
Message-ID: <42CE86B5.2080705@gentoo.org>

Hi,

Some Gentoo users have reported very long application startup times in 2.6.12.
This seems to be because the applications are attempting to connect to local
ports such as sunrpc/portmap (where these services are not running), but some
packets are being dropped, so the application load just pauses until the
connection times out.

There was a similar problem reported recently ("2.6.12: connection tracking
broken?"), regarding bridge devices. No bridge devices are involved here.

This is easy to reproduce, and the problem exists on both Linux 2.6.12 and
2.6.13-rc2. This was not a problem on Linux 2.6.11.

Taking a simple configuration:

	# iptables -P INPUT ACCEPT
	# iptables -P OUTPUT ACCEPT
	# iptables -P FORWARD ACCEPT

I don't have a webserver running. If I try and telnet to port 80, I
immediately get connection refused, as expected:

	# telnet 127.0.0.1 80
	Trying 127.0.0.1...
	telnet: connect to address 127.0.0.1: Connection refused

I now add another rule, to drop invalid packets, and retry the telnet connection.

	# iptables -A INPUT -m state --state INVALID -j DROP
	# telnet 127.0.0.1 80
	<very long pause>
	telnet: connect to address 127.0.0.1: Connection timed out

During the pause, netstat reports the connection state as SYN_SENT:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 localhost:39066         localhost:http          SYN_SENT

I now flush the filter table, and make the kernel log invalid packets:

	# iptables -t filter -F
	# iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "inv "

When retrying the telnet test, this appears in the logs:

Jul  8 14:53:04 dsd inv IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=15 DF PROTO=TCP SPT=80 DPT=58950 WINDOW=0
RES=0x00 ACK RST URGP=0

Does this mean that the kernel thinks its own ACK RST packet is invalid?

There is a Gentoo bug on this here:
http://bugs.gentoo.org/96948
...but I think I got the important info into this message.

Let me know if I can provide any more info. For those interested in a
temporary workaround, you can explicitly allow all local traffic, i.e.

	# iptables -A INPUT -i lo -j ACCEPT
	# iptables -A INPUT -m state --state INVALID -j DROP

Thanks.
Daniel
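Added example, not part of Daniel's message or of any netfilter code: a small Python parser for netfilter LOG lines carrying the "inv " prefix used above. It flags loopback TCP RST/ACK packets that conntrack classified INVALID (the kernel's own refusals, which an INVALID DROP rule turns into a timeout), and checks that a loopback ACCEPT rule sits before the INVALID DROP, as in the workaround. The second log line and the rule strings are constructed sample input; the rule check assumes `iptables -S INPUT` output format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: line 1 mirrors the report's "inv " log entry (joined onto
# one line); line 2 is a made-up non-loopback packet used as a control.
SAMPLE_LOG = """\
Jul  8 14:53:04 dsd inv IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=15 DF PROTO=TCP SPT=80 DPT=58950 WINDOW=0 RES=0x00 ACK RST URGP=0
Jul  8 14:55:10 dsd inv IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=443 DPT=40211 WINDOW=0 RES=0x00 ACK URGP=0
"""

# Bare tokens the LOG target emits without a key=value form.
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

def parse_log_line(line: str, prefix: str = "inv ") -> Optional[Dict[str, object]]:
    """Split one LOG line into key=value fields plus a FLAGS set.
    Returns None when the line lacks the expected --log-prefix."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields: Dict[str, object] = {}
    flags = set()
    for token in line[idx + len(prefix):].split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in FLAG_TOKENS:
            flags.add(token)
    fields["FLAGS"] = flags
    return fields

def dropped_local_resets(log_text: str) -> List[Dict[str, object]]:
    """Entries that look like the kernel's own RST/ACK on lo being marked
    INVALID: with '--state INVALID -j DROP' these cause the SYN_SENT hang."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        if entry.get("IN") == "lo" and entry.get("PROTO") == "TCP" \
                and {"RST", "ACK"} <= entry["FLAGS"]:
            hits.append(entry)
    return hits

def lo_accepted_before_invalid_drop(rules: List[str]) -> bool:
    """Given 'iptables -S INPUT' lines (assumed format), confirm the loopback
    ACCEPT precedes any INVALID DROP, i.e. the workaround ordering holds."""
    accept_idx = drop_idx = None
    for i, rule in enumerate(rules):
        if accept_idx is None and "-i lo" in rule and "-j ACCEPT" in rule:
            accept_idx = i
        if drop_idx is None and "INVALID" in rule and "-j DROP" in rule:
            drop_idx = i
    return drop_idx is None or (accept_idx is not None and accept_idx < drop_idx)
```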
