From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jason Stubbs <j.stubbs@linkthink.co.jp>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: conntrack bug?
Date: Fri, 18 Apr 2008 19:57:14 +0200
Message-ID: <4808E0FA.9020902@netfilter.org>
In-Reply-To: <200804181343.25640.j.stubbs@linkthink.co.jp>

Jason Stubbs wrote:
> Hi,
> 
> While testing patches for IPVS, I found a strange behaviour of conntrack that 
> happens on an unpatched kernel too (2.6.24.4). Given the following rules:
> 
> iptables -A FORWARD -p tcp -d 192.168.1.3 --dport 80 \
>                     -m state --state NEW -j ACCEPT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -P FORWARD DROP
> 
> And a network setup where replies from 192.168.1.3 don't go via the same 
> machine - i.e., they appear to be being dropped - the following conntrack entry 
> appears when sending only an ACK packet to 192.168.1.3:
> 
> ipv4     2 tcp      6 431684 ESTABLISHED src=192.168.0.104 dst=192.168.1.3 
> sport=12345 dport=80 packets=2 bytes=95 [UNREPLIED] src=192.168.1.3 
> dst=192.168.0.104 sport=80 dport=12345 packets=0 bytes=0 mark=0 use=1
> 
> If a SYN has been sent the following state appears and no traffic (including 
> an ACK) is allowed to pass:
> 
> ipv4     2 tcp      6 119 SYN_SENT src=192.168.0.104 dst=192.168.1.3 
> sport=23456 dport=80 packets=1 bytes=50 [UNREPLIED] src=192.168.1.3 
> dst=192.168.0.104 sport=80 dport=23456 packets=0 bytes=0 mark=0 use=1
> 
> I would think that behaviour to be correct, but an entry appearing when only 
> an ACK packet has been sent seems wrong. Is it a bug or intentional?

Probably cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose says 1?

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers
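A defender-side check for what Jason observed, written as an added example (not code from this thread): it parses conntrack table lines in the layout quoted above and flags TCP entries that are ESTABLISHED yet still UNREPLIED, which is what an entry created by a lone ACK under tcp_loose=1 (or by replies that bypass this box) looks like. The sample table is constructed; the first two lines mirror the quoted entries.

```python
# Constructed sample in the /proc/net/nf_conntrack layout quoted in the thread:
# the first two lines mirror Jason's entries, the third is a made-up normal flow.
SAMPLE_TABLE = """\
ipv4     2 tcp      6 431684 ESTABLISHED src=192.168.0.104 dst=192.168.1.3 sport=12345 dport=80 packets=2 bytes=95 [UNREPLIED] src=192.168.1.3 dst=192.168.0.104 sport=80 dport=12345 packets=0 bytes=0 mark=0 use=1
ipv4     2 tcp      6 119 SYN_SENT src=192.168.0.104 dst=192.168.1.3 sport=23456 dport=80 packets=1 bytes=50 [UNREPLIED] src=192.168.1.3 dst=192.168.0.104 sport=80 dport=23456 packets=0 bytes=0 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.0.104 dst=192.168.1.3 sport=34567 dport=80 packets=9 bytes=1200 src=192.168.1.3 dst=192.168.0.104 sport=80 dport=34567 packets=7 bytes=3400 [ASSURED] mark=0 use=1
"""

def parse_entry(line):
    """Parse one nf_conntrack line into a dict; None if it is not a full entry."""
    tok = line.split()
    if len(tok) < 6:
        return None
    proto, timeout = tok[2], int(tok[4])          # timeout: seconds until expiry
    state = tok[5] if proto == "tcp" else ""      # TCP state only exists for tcp
    rest = tok[6:] if proto == "tcp" else tok[5:]
    dirs, flags, cur = [], set(), None
    for t in rest:
        if t.startswith("[") and t.endswith("]"):  # [UNREPLIED], [ASSURED], ...
            flags.add(t.strip("[]"))
            continue
        k, _, v = t.partition("=")
        if k == "src":                             # each src= opens a direction block
            cur = {}
            dirs.append(cur)
        if cur is not None and k not in ("mark", "use"):
            cur[k] = v
    if len(dirs) != 2:
        return None
    return {"proto": proto, "timeout": timeout, "state": state,
            "orig": dirs[0], "reply": dirs[1], "flags": flags}

def picked_up_midstream(e):
    """ESTABLISHED yet never answered: the entry was created by a non-SYN
    packet (tcp_loose=1 pickup) or the replies bypass this box. Either way
    it occupies the table for the full ESTABLISHED timeout."""
    return (e["proto"] == "tcp" and e["state"] == "ESTABLISHED"
            and "UNREPLIED" in e["flags"]
            and int(e["reply"].get("packets", 0)) == 0)

def audit(table):
    """One summary line per suspicious entry in a conntrack table dump."""
    out = []
    for e in filter(None, map(parse_entry, table.splitlines())):
        if picked_up_midstream(e):
            o = e["orig"]
            out.append(f"{o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} "
                       f"timeout={e['timeout']}s")
    return out
```

Running `audit()` over a real dump (`cat /proc/net/nf_conntrack`) lists the entries that were accepted without a handshake; on the sample only the lone-ACK entry with its five-day timeout is reported.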
