* RE: Problem with conntrack, all packet are marked as invalid.
@ 2005-08-25 14:16 Baake, Matthias
2005-08-25 19:57 ` Tien-Ren Chen
0 siblings, 1 reply; 4+ messages in thread
From: Baake, Matthias @ 2005-08-25 14:16 UTC (permalink / raw)
To: Tien-Ren Chen; +Cc: Netfilter (E-Mail)
Hi
if you have a static ip situation i would use the snat target, thats not the problem but just noticed..
please post your iptables startup script or the output of iptables-save.
one thing i've never seen before is the "ctstate" output anybody any idea?!
greets matthias
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of
> Tien-Ren Chen
> Sent: Wednesday, August 24, 2005 4:51 PM
> To: netfilter@lists.netfilter.org
> Subject: Problem with conntrack, all packet are marked as invalid.
>
>
> Hi all,
> I'm updating the kernel of my NAT box running Gentoo
> distribution, from
> 2.6.8-gentoo to 2.6.12-nitro5.
> After that, forwarding of packets from outside(the internet) to local
> seems down.
> I examined my iptables, and found this line do not catch
> packets anymore.
> 233M 167G ACCEPT all -- out in 0.0.0.0/0
> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> I added the following rules to check what happened:
> 8 424 LOG all -- * * 140.112.90.73
> 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4
> 0 0 LOG all -- * * 140.112.90.73
> 0.0.0.0/0 ctstate NEW LOG flags 0 level 4
> 0 0 LOG all -- * * 140.112.90.73
> 0.0.0.0/0 ctstate ESTABLISHED LOG flags 0 level 4
> 0 0 LOG all -- * * 140.112.90.73
> 0.0.0.0/0 ctstate RELATED LOG flags 0 level 4
> All packets are marked as INVALID, however, connection
> tracking works well:
> $ cat /proc/net/ip_conntrack
> tcp 6 429538 ESTABLISHED src=172.21.0.2 dst=140.112.90.73
> sport=1669 dport=23 packets=440 bytes=18445 src=140.112.90.73
> dst=140.109.224.64 sport=23 dport=1669 packets=362 bytes=185484
> [ASSURED] mark=0 use=1
>
> I'm not sure if it's a netfilter bug or it's my misconfiguration.
> I tried searching on the google and the netfilter FAQs, but no luck.
> Does anyone have some clue for it? Thanks for any help.
> --
> Tien-Ren Chen, 2005/08/24.
>
> Sorry for my bad English.
> --
>
> Here's my network configuration:
> out: 140.109.224.64/24 connect to internet with static adsl
> in: 172.21.0.1/24 bridge two local networks (hub + giga)
> hub: (null) connect to my 100m switch
> giga: (null) connect to my laptop dock
>
> Here's my original iptables rules:
> Chain INPUT (policy ACCEPT 312M packets, 149G bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain FORWARD (policy DROP 67 packets, 49048 bytes)
> pkts bytes target prot opt in out source
> destination
> 233M 167G ACCEPT all -- out in 0.0.0.0/0
> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 236M 142G ACCEPT all -- in out 0.0.0.0/0
> 0.0.0.0/0
> 1679K 86M ACCEPT tcp -- out * 0.0.0.0/0
> 172.21.0.2 tcp dpt:12664
> 10M 628M ACCEPT udp -- out * 0.0.0.0/0
> 172.21.0.2 udp dpt:12764
> 624K 33M ACCEPT tcp -- out * 0.0.0.0/0
> 172.21.0.2 tcp dpt:12666
> 41496 5019K ACCEPT all -- in in 0.0.0.0/0
> 0.0.0.0/0
> 518 25096 ACCEPT tcp -- out * 0.0.0.0/0
> 172.21.0.2 tcp dpt:80
>
> Chain OUTPUT (policy ACCEPT 471M packets, 500G bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain PREROUTING (policy ACCEPT 19M packets, 1152M bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 DROP all -- out * 172.21.0.0/24
> 0.0.0.0/0
> 1677K 84M DNAT tcp -- out * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:12664 to:172.21.0.2
> 10M 634M DNAT udp -- out * 0.0.0.0/0
> 0.0.0.0/0 udp dpt:12764 to:172.21.0.2
> 639K 33M DNAT tcp -- out * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:12666 to:172.21.0.2
> 362 17652 DNAT tcp -- out * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:80 to:172.21.0.2
>
> Chain POSTROUTING (policy ACCEPT 14M packets, 861M bytes)
> pkts bytes target prot opt in out source
> destination
> 8970K 572M MASQUERADE all -- * out 172.21.0.0/24
> 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 1468K packets, 126M bytes)
> pkts bytes target prot opt in out source
> destination
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Problem with conntrack, all packet are marked as invalid.
2005-08-25 14:16 Problem with conntrack, all packet are marked as invalid Baake, Matthias
@ 2005-08-25 19:57 ` Tien-Ren Chen
0 siblings, 0 replies; 4+ messages in thread
From: Tien-Ren Chen @ 2005-08-25 19:57 UTC (permalink / raw)
To: Baake, Matthias; +Cc: netfilter
Baake, Matthias wrote:
>Hi
>
>if you have a static ip situation i would use the snat target, thats not the problem but just noticed..
>please post your iptables startup script or the output of iptables-save.
>one thing i've never seen before is the "ctstate" output anybody any idea?!
>
>greets matthias
>
>
Thank you for the SNAT target suggestion.
And I've already solved my problem by downgrading my kernel to 2.6.11.
It seems like a bug in the bridge netfilter code in 2.6.12.
I first tried to use iptables with LOG target to find where the
connection tracking info disappeared.
Even after processed by the NF_IP_PRE_ROUTING filters the packets seemed ok,
but when they went to the NF_IP_FORWARD/NF_IP_PRI_MANGLE, their ctstate
became INVALID.
Then I added some printk in the kernel sources, found the packets are
still ok even when they went to beginning of NF_IP_FORWARD hooks,
however, when they finally came to ctstate match, skb->nfct was already
cleaned with 0 (skb->nfctinfo still held correct value).
Then I examined the bridge netfilter code, I was suprised that it
blocked the packets with NF_STOP -- how did the packets go to the
NF_IP_PRI_MANGLE hook?
I tried to find document explaining what the NF_STOP does, but got
nothing except that it's something new in the 2.6.12 kernel.
At last I tried to downgrade by kernel to 2.6.11, it worked, and the
story ends.
I think the netfilter Hacking HOWTO should be updated to meet the change.
And I'm wondering what's the use of NF_STOP?
It seems little difference between NF_STOP and NF_STOLEN, but what's the
essential?
--
Tien-Ren Chen, 2005/08/26.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Problem with conntrack, all packet are marked as invalid.
@ 2005-08-24 14:50 Tien-Ren Chen
2005-08-25 17:11 ` Jiann-Ming Su
0 siblings, 1 reply; 4+ messages in thread
From: Tien-Ren Chen @ 2005-08-24 14:50 UTC (permalink / raw)
To: netfilter
Hi all,
I'm updating the kernel of my NAT box running Gentoo distribution, from
2.6.8-gentoo to 2.6.12-nitro5.
After that, forwarding of packets from outside(the internet) to local
seems down.
I examined my iptables, and found this line do not catch packets anymore.
233M 167G ACCEPT all -- out in 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
I added the following rules to check what happened:
8 424 LOG all -- * * 140.112.90.73
0.0.0.0/0 ctstate INVALID LOG flags 0 level 4
0 0 LOG all -- * * 140.112.90.73
0.0.0.0/0 ctstate NEW LOG flags 0 level 4
0 0 LOG all -- * * 140.112.90.73
0.0.0.0/0 ctstate ESTABLISHED LOG flags 0 level 4
0 0 LOG all -- * * 140.112.90.73
0.0.0.0/0 ctstate RELATED LOG flags 0 level 4
All packets are marked as INVALID, however, connection tracking works well:
$ cat /proc/net/ip_conntrack
tcp 6 429538 ESTABLISHED src=172.21.0.2 dst=140.112.90.73
sport=1669 dport=23 packets=440 bytes=18445 src=140.112.90.73
dst=140.109.224.64 sport=23 dport=1669 packets=362 bytes=185484
[ASSURED] mark=0 use=1
I'm not sure if it's a netfilter bug or it's my misconfiguration.
I tried searching on the google and the netfilter FAQs, but no luck.
Does anyone have some clue for it? Thanks for any help.
--
Tien-Ren Chen, 2005/08/24.
Sorry for my bad English.
--
Here's my network configuration:
out: 140.109.224.64/24 connect to internet with static adsl
in: 172.21.0.1/24 bridge two local networks (hub + giga)
hub: (null) connect to my 100m switch
giga: (null) connect to my laptop dock
Here's my original iptables rules:
Chain INPUT (policy ACCEPT 312M packets, 149G bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy DROP 67 packets, 49048 bytes)
pkts bytes target prot opt in out source
destination
233M 167G ACCEPT all -- out in 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
236M 142G ACCEPT all -- in out 0.0.0.0/0
0.0.0.0/0
1679K 86M ACCEPT tcp -- out * 0.0.0.0/0
172.21.0.2 tcp dpt:12664
10M 628M ACCEPT udp -- out * 0.0.0.0/0
172.21.0.2 udp dpt:12764
624K 33M ACCEPT tcp -- out * 0.0.0.0/0
172.21.0.2 tcp dpt:12666
41496 5019K ACCEPT all -- in in 0.0.0.0/0
0.0.0.0/0
518 25096 ACCEPT tcp -- out * 0.0.0.0/0
172.21.0.2 tcp dpt:80
Chain OUTPUT (policy ACCEPT 471M packets, 500G bytes)
pkts bytes target prot opt in out source
destination
Chain PREROUTING (policy ACCEPT 19M packets, 1152M bytes)
pkts bytes target prot opt in out source
destination
0 0 DROP all -- out * 172.21.0.0/24
0.0.0.0/0
1677K 84M DNAT tcp -- out * 0.0.0.0/0
0.0.0.0/0 tcp dpt:12664 to:172.21.0.2
10M 634M DNAT udp -- out * 0.0.0.0/0
0.0.0.0/0 udp dpt:12764 to:172.21.0.2
639K 33M DNAT tcp -- out * 0.0.0.0/0
0.0.0.0/0 tcp dpt:12666 to:172.21.0.2
362 17652 DNAT tcp -- out * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80 to:172.21.0.2
Chain POSTROUTING (policy ACCEPT 14M packets, 861M bytes)
pkts bytes target prot opt in out source
destination
8970K 572M MASQUERADE all -- * out 172.21.0.0/24
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1468K packets, 126M bytes)
pkts bytes target prot opt in out source
destination
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2005-08-25 19:57 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-08-25 14:16 Problem with conntrack, all packet are marked as invalid Baake, Matthias
2005-08-25 19:57 ` Tien-Ren Chen
-- strict thread matches above, loose matches on Subject: below --
2005-08-24 14:50 Tien-Ren Chen
2005-08-25 17:11 ` Jiann-Ming Su
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.