From: Anders Peter Fugmann <afu@fugmann.net>
To: netfilter@lists.netfilter.org
Subject: Connection tracking and REJECT target.
Date: Wed, 22 Feb 2006 22:10:23 +0100
Message-ID: <43FCD33F.2040502@fugmann.net>
Hi,
I'm seeing some strange classification by the connection tracking system
of packets being generated by the REJECT target.
Consider the following rules:
iptables -A OUTPUT -m state --state RELATED -p tcp --sport 113 -j LOG --log-prefix "RELATED:"
iptables -A OUTPUT -m state --state ESTABLISHED -p tcp --sport 113 -j LOG --log-prefix "ESTABLISHED:"
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
This marks the ACK,RST packet generated to reset the TCP connection as RELATED:
Feb 22 22:01:14 localhost kernel: RELATED:IN= OUT=eth0 SRC=10.0.0.2 DST=10.0.0.254 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=113 DPT=51889 WINDOW=0 RES=0x00 ACK RST URGP=0
I have no ident daemon running on the machine. Removing the reject rule from the INPUT chain makes the ACK,RST packet be marked as RELATED, as expected:
Feb 22 22:01:26 localhost kernel: ESTABLISHED:IN= OUT=eth0 SRC=10.0.0.2 DST=10.0.0.254 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=20 DF PROTO=TCP SPT=113 DPT=51891 WINDOW=0 RES=0x00 ACK RST URGP=0
Is this intended behaviour? Are RST,SYN packets (or any other packet
generated by a REJECT rule) automatically marked as RELATED by design?
The problem is observed on Linux 2.6.15 and 2.6.16-rc4.
Regards
Anders Fugmann
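As an added example (not part of the original mail or of netfilter itself), the following Python parser reads kernel LOG lines of the form shown above, extracts the log prefix (which, with the rules above, tells you which conntrack state the packet matched), the address/port fields and the bare TCP flag tokens, and then reports which state each ACK,RST packet was logged under. The two sample lines are the ones from the mail, re-joined onto single lines; the function names and the "no listener on the source port" check are my own and are only meant as a way to spot resets that conntrack attributed to an existing flow.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two kernel LOG lines from the mail above,
# each re-joined onto a single line.
SAMPLE_LOG = """\
Feb 22 22:01:14 localhost kernel: RELATED:IN= OUT=eth0 SRC=10.0.0.2 DST=10.0.0.254 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=113 DPT=51889 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 22 22:01:26 localhost kernel: ESTABLISHED:IN= OUT=eth0 SRC=10.0.0.2 DST=10.0.0.254 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=20 DF PROTO=TCP SPT=113 DPT=51891 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# Bare (non key=value) tokens that ipt_LOG prints for TCP flags.
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

# "kernel: <prefix>:IN=..." ; the prefix is optional because a LOG rule
# without --log-prefix prints "kernel: IN=..." directly.
LOG_RE = re.compile(r"kernel: (?:(?P<prefix>\S*?):)?(?P<rest>IN=.*)$")


@dataclass
class LogEntry:
    prefix: str      # text given to --log-prefix, without the trailing colon
    fields: dict     # key=value tokens (SRC, DST, SPT, DPT, PROTO, ...)
    flags: set       # TCP flag tokens present on the line


def parse_log_line(line):
    """Parse one ipt_LOG line; return None if it is not a LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return LogEntry(m.group("prefix") or "", fields, flags)


def rst_states_by_dport(log_text):
    """Map the DPT of every logged TCP RST packet to the prefix (conntrack
    state, with the rules from the mail) it was logged under."""
    result = {}
    for line in log_text.splitlines():
        e = parse_log_line(line)
        if e is None or e.fields.get("PROTO") != "TCP":
            continue
        if "RST" in e.flags:
            result[e.fields["DPT"]] = e.prefix
    return result


def resets_without_listener(log_text, listening_ports):
    """Return (prefix, SPT, DPT) for RST packets that were logged as part of
    an existing flow (RELATED/ESTABLISHED) although nothing listens on SPT.
    With the rules from the mail these are exactly the REJECT-generated
    resets whose conntrack classification the mail asks about."""
    hits = []
    for line in log_text.splitlines():
        e = parse_log_line(line)
        if e is None or "RST" not in e.flags:
            continue
        sport, dport = int(e.fields["SPT"]), int(e.fields["DPT"])
        if e.prefix in ("RELATED", "ESTABLISHED") and sport not in listening_ports:
            hits.append((e.prefix, sport, dport))
    return hits


if __name__ == "__main__":
    for dport, state in rst_states_by_dport(SAMPLE_LOG).items():
        print(f"RST to port {dport} logged under state {state}")
    # No ident daemon, so port 113 is not in the listener set.
    for hit in resets_without_listener(SAMPLE_LOG, listening_ports=set()):
        print("reset from unlistened port attributed to a flow:", hit)
```

Feeding it a real `dmesg` or syslog capture instead of SAMPLE_LOG gives a quick overview of how conntrack labelled each reset, which is the first thing to check before deciding whether a state-matching LOG or ACCEPT rule is seeing packets it should not.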
Thread overview:
2006-02-22 21:10 Anders Peter Fugmann [this message]
2006-02-23 00:39 Philip Craig, reply to "Connection tracking and REJECT target"