From: Patrick McHardy <kaber@trash.net>
To: Aleksandar Milivojevic <alex@milivojevic.org>
Cc: netfilter-devel@lists.netfilter.org, netfilter@lists.netfilter.org
Subject: Re: Netfilter connection tracking and GRE/IPSec
Date: Sun, 04 Dec 2005 17:15:18 +0100
Message-ID: <43931616.8050705@trash.net>
In-Reply-To: <20051202104046.v6z10kbwn40k4440@www.milivojevic.org>

Aleksandar Milivojevic wrote:
> I've just submitted bug report on Red Hat's bugzilla, and felt like discussing
> on Netfilter list too.
>
> What happens is, for connections that go through GRE tunnel (which is in turn
> encapsulated into IPSec tunnel), ip_conntrack is losing connection tracking
> information. The connection is successfully established, works for some period
> of time (random, I observed anywhere from several minutes to up to one hour).
> I can see entry for it in /proc/net/ip_conntrack. Then all of a sudden
> Netfilter starts dropping packets belonging to this TCP connection. When I
> check /proc/net/ip_conntrack on remote side (always happens on remote side of
> the tunnel, although both sides are the same), the entry for this TCP
> connection is no longer there.

The problem is the handling of IPsec packets, not GRE. I'm working on
a couple of patches to resolve this, hopefully I'll finish them in time
for 2.6.16.