problem with connection tracking with fragmentation needed icmp error

problem with connection tracking with fragmentation needed icmp error

[Nishit Shah]

Hi,

I have a following setup

machineA ------------------------------router -------------------------- 
firewall ------------------------------------ machineB
172.16.16.2              172.16.16.1    9.9.9.1          9.9.9.2
192.168.1.1                       192.168.1.2


router has two interfaces, eth0 is connected to machineA with mtu of 1000,
all other interfaces with mtu of 1500.
if i ping from machineA to machineB with data size 1200 and DF bit set,
packet will reach machineB, machineB will reply with DF bit set and data
size 1200,
upon receving this packet router sends icmp fragmentation needed and DF bit
set message to machineB, when this packet comes to firewall conntrack marks
that packet's state as INVALID. is it the valid case ??

Regards,
Nishit Shah.

Re: problem with connection tracking with fragmentation needed icmp error

[Patrick McHardy]

Nishit Shah wrote:
> Hi,
> 
> I have a following setup
> 
> machineA ------------------------------router -------------------------- 
> firewall ------------------------------------ machineB
> 172.16.16.2              172.16.16.1    9.9.9.1          9.9.9.2
> 192.168.1.1                       192.168.1.2
> 
> 
> router has two interfaces, eth0 is connected to machineA with mtu of 1000,
> all other interfaces with mtu of 1500.
> if i ping from machineA to machineB with data size 1200 and DF bit set,
> packet will reach machineB, machineB will reply with DF bit set and data
> size 1200,
> upon receving this packet router sends icmp fragmentation needed and DF bit
> set message to machineB, when this packet comes to firewall conntrack marks
> that packet's state as INVALID. is it the valid case ??

I don't see how this can happen on current kernels that manually
associate locally generated ICMP errors with the original conntrack.
What kernel version are you running on the router?

Re: problem with connection tracking with fragmentation needed icmp error

[Nishit Shah]

Well,
            router and firewall both running with kernel 2.6.16.13 and one
more thing, i got invalid state on firewall not on router, i am not running
conntrack on router machine.(i guess firewall machine is not able to relate
this error msg with existing conntrack entry)

Regards,
Nishit Shah.

----- Original Message ----- 
From: "Patrick McHardy" <kaber@trash.net>
To: "Nishit Shah" <nishit@elitecore.com>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Friday, November 03, 2006 3:49 PM
Subject: Re: problem with connection tracking with fragmentation needed icmp
error


> Nishit Shah wrote:
> > Hi,
> >
> > I have a following setup
> >
> > machineA ------------------------------router -------------------------- 
> > firewall ------------------------------------ machineB
> > 172.16.16.2              172.16.16.1    9.9.9.1          9.9.9.2
> > 192.168.1.1                       192.168.1.2
> >
> >
> > router has two interfaces, eth0 is connected to machineA with mtu of
1000,
> > all other interfaces with mtu of 1500.
> > if i ping from machineA to machineB with data size 1200 and DF bit set,
> > packet will reach machineB, machineB will reply with DF bit set and data
> > size 1200,
> > upon receving this packet router sends icmp fragmentation needed and DF
bit
> > set message to machineB, when this packet comes to firewall conntrack
marks
> > that packet's state as INVALID. is it the valid case ??
>
> I don't see how this can happen on current kernels that manually
> associate locally generated ICMP errors with the original conntrack.
> What kernel version are you running on the router?
>
>
>

Re: problem with connection tracking with fragmentation needed icmp error

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 632 bytes --]

Nishit Shah wrote:
> Well,
>             router and firewall both running with kernel 2.6.16.13 and one
> more thing, i got invalid state on firewall not on router, i am not running
> conntrack on router machine.(i guess firewall machine is not able to relate
> this error msg with existing conntrack entry)

The reason for this is that ICMP connection tracking entries get
destroyed once a reply has been seen for every outstanding request.
So when the ICMP error arrives there is no connection it relates
to, so it is considered invalid. We could change this to keep
it alive for some short period of time.

Does this patch help?

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1135 bytes --]

diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
index 295b6fa..b62f8bb 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
@@ -21,6 +21,7 @@ #include <linux/netfilter_ipv4/ip_conntr
 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
 
+unsigned int ip_ct_icmp_timeout_replied __read_mostly = HZ + HZ/2;
 unsigned int ip_ct_icmp_timeout __read_mostly = 30*HZ;
 
 #if 0
@@ -98,9 +99,9 @@ static int icmp_packet(struct ip_conntra
            means this will only run once even if count hits zero twice
            (theoretically possible with SMP) */
 	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
-		if (atomic_dec_and_test(&ct->proto.icmp.count)
-		    && del_timer(&ct->timeout))
-			ct->timeout.function((unsigned long)ct);
+		if (atomic_dec_and_test(&ct->proto.icmp.count))
+			ip_ct_refresh_acct(ct, ctinfo, skb,
+					   ip_ct_icmp_timeout_replied);
 	} else {
 		atomic_inc(&ct->proto.icmp.count);
 		ip_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);

Re: problem with connection tracking with fragmentation needed icmp error

[Nishit Shah]

Thanks Patrick,
                It works for me.Also, regarding our previous discussion
regarding soft lockup in case of NAT, right now i don't have that load
testing machine. once I have that, will get back to you.

Regards,
Nishit Shah.

----- Original Message ----- 
From: "Patrick McHardy" <kaber@trash.net>
To: "Nishit Shah" <nishit@elitecore.com>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Friday, November 03, 2006 4:14 PM
Subject: Re: problem with connection tracking with fragmentation needed icmp
error


> Nishit Shah wrote:
> > Well,
> >             router and firewall both running with kernel 2.6.16.13 and
one
> > more thing, i got invalid state on firewall not on router, i am not
running
> > conntrack on router machine.(i guess firewall machine is not able to
relate
> > this error msg with existing conntrack entry)
>
> The reason for this is that ICMP connection tracking entries get
> destroyed once a reply has been seen for every outstanding request.
> So when the ICMP error arrives there is no connection it relates
> to, so it is considered invalid. We could change this to keep
> it alive for some short period of time.
>
> Does this patch help?
>


----------------------------------------------------------------------------
----


> diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
> index 295b6fa..b62f8bb 100644
> --- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
> +++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
> @@ -21,6 +21,7 @@ #include <linux/netfilter_ipv4/ip_conntr
>  #include <linux/netfilter_ipv4/ip_conntrack_core.h>
>  #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
>
> +unsigned int ip_ct_icmp_timeout_replied __read_mostly = HZ + HZ/2;
>  unsigned int ip_ct_icmp_timeout __read_mostly = 30*HZ;
>
>  #if 0
> @@ -98,9 +99,9 @@ static int icmp_packet(struct ip_conntra
>             means this will only run once even if count hits zero twice
>             (theoretically possible with SMP) */
>   if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
> - if (atomic_dec_and_test(&ct->proto.icmp.count)
> -     && del_timer(&ct->timeout))
> - ct->timeout.function((unsigned long)ct);
> + if (atomic_dec_and_test(&ct->proto.icmp.count))
> + ip_ct_refresh_acct(ct, ctinfo, skb,
> +    ip_ct_icmp_timeout_replied);
>   } else {
>   atomic_inc(&ct->proto.icmp.count);
>   ip_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);
>

Re: problem with connection tracking with fragmentation needed icmp error

[Patrick McHardy]

Nishit Shah wrote:
> Thanks Patrick,
>                 It works for me.Also, regarding our previous discussion
> regarding soft lockup in case of NAT, right now i don't have that load
> testing machine. once I have that, will get back to you.


Thanks. I need to think about this patch a bit more before putting it in.