* Netfilter connection tracking and GRE/IPSec
@ 2005-12-02 16:40 Aleksandar Milivojevic
From: Aleksandar Milivojevic @ 2005-12-02 16:40 UTC (permalink / raw)
To: netfilter; +Cc: netfilter-devel
I've just submitted a bug report on Red Hat's bugzilla, and felt like discussing
it on the Netfilter list too.
What happens is, for connections that go through a GRE tunnel (which is in turn
encapsulated into an IPSec tunnel), ip_conntrack is losing connection tracking
information. The connection is successfully established, works for some period
of time (random, I observed anywhere from several minutes to up to one hour).
I can see the entry for it in /proc/net/ip_conntrack. Then all of a sudden
Netfilter starts dropping packets belonging to this TCP connection. When I
check /proc/net/ip_conntrack on the remote side (it always happens on the remote side of
the tunnel, although both sides are the same), the entry for this TCP
connection is no longer there.
The packets are being dropped because my rules look something like this (very
simplified, just to show where the problem is):
# Chain name (INPUT) assumed here; the mail omitted it, but -A requires one.
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn -s xxx -d yyy --dport 22 -m state --state NEW -j ACCEPT
Once the connection is removed from the ip_conntrack table, it can't get back into
it because of the "--syn" flag on the third line. A possible workaround might be
removing the "--syn" flag (security vs. usability). However, the connection
entry should not have been removed from ip_conntrack in the first place.
Looks like it may be a bug somewhere in the Netfilter code.
Red Hat packaged/patched 2.6.9-22.EL kernel.
There are a few more details at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174827
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
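As an added illustration (not part of the original mail), the following Python models the three rules quoted above and the failure mode described: once the conntrack entry is gone, a mid-stream segment is classified NEW and the "--syn" rule refuses it, whereas without "--syn" a bare ACK would be accepted and create a fresh entry, which is the security-vs-usability trade-off the post mentions. The Packet and Filter names, the scenario function and the port numbers are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed model of the three iptables rules in the post: a minimal
# stateful TCP filter with a conntrack table keyed on the 4-tuple.
# Packet, Filter and scenario are this example's own names, not kernel API.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True only for a bare SYN, like iptables --syn

@dataclass
class Filter:
    require_syn: bool = True       # the "--syn" flag on the NEW rule
    allowed_src: str = "xxx"       # placeholders taken from the post
    allowed_dst: str = "yyy"
    table: set = field(default_factory=set)

    def filter(self, p):
        key = (p.src, p.dst, p.sport, p.dport)
        reply = (p.dst, p.src, p.dport, p.sport)
        # rule 1: conntrack knows either direction -> ESTABLISHED -> ACCEPT
        if key in self.table or reply in self.table:
            return "ACCEPT"
        # rule 2 (icmp RELATED) is not modelled; only TCP flows here.
        # rule 3: NEW, matching src/dst/dport, and SYN if --syn is set
        if (p.src == self.allowed_src and p.dst == self.allowed_dst
                and p.dport == 22 and (p.syn or not self.require_syn)):
            self.table.add(key)    # conntrack creates the entry
            return "ACCEPT"
        return "DROP"              # falls off the end of the chain

def scenario(require_syn):
    """Verdicts for: SYN, mid-stream ACK, then the same ACK after the
    conntrack entry has vanished as described in the post."""
    f = Filter(require_syn=require_syn)
    syn = Packet("xxx", "yyy", 40000, 22, syn=True)
    ack = Packet("xxx", "yyy", 40000, 22)
    before = (f.filter(syn), f.filter(ack))
    f.table.discard((syn.src, syn.dst, syn.sport, syn.dport))  # entry lost
    return before + (f.filter(ack),)

if __name__ == "__main__":
    print("with --syn   :", scenario(True))    # ('ACCEPT', 'ACCEPT', 'DROP')
    print("without --syn:", scenario(False))   # ('ACCEPT', 'ACCEPT', 'ACCEPT')
```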
* Re: Netfilter connection tracking and GRE/IPSec
@ 2005-12-04 16:15 ` Patrick McHardy
From: Patrick McHardy @ 2005-12-04 16:15 UTC (permalink / raw)
To: Aleksandar Milivojevic; +Cc: netfilter-devel, netfilter
Aleksandar Milivojevic wrote:
> I've just submitted a bug report on Red Hat's bugzilla, and felt like discussing
> it on the Netfilter list too.
>
> What happens is, for connections that go through a GRE tunnel (which is in turn
> encapsulated into an IPSec tunnel), ip_conntrack is losing connection tracking
> information. The connection is successfully established, works for some period
> of time (random, I observed anywhere from several minutes to up to one hour).
> I can see the entry for it in /proc/net/ip_conntrack. Then all of a sudden
> Netfilter starts dropping packets belonging to this TCP connection. When I
> check /proc/net/ip_conntrack on the remote side (it always happens on the remote side of
> the tunnel, although both sides are the same), the entry for this TCP
> connection is no longer there.
The problem is the handling of IPsec packets, not GRE. I'm working on
a couple of patches to resolve this, hopefully I'll finish them in time
for 2.6.16.