* Fwd: question about using conntrack to change the mark
       [not found] <CAAUX2SVTLxtpzsMnKWCpjRZwAKn391rm5T=y=oHPQ_T1w2UpBA@mail.gmail.com>
@ 2023-08-21  7:44 ` Tony He
  2023-08-21 10:29   ` Pablo Neira Ayuso
  0 siblings, 1 reply; 9+ messages in thread
From: Tony He @ 2023-08-21  7:44 UTC (permalink / raw)
  To: netfilter

Hi,

I am using OpenWrt. The version is:
root@OpenWrt:/# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='23.05.0-rc2'
DISTRIB_REVISION='r23228-cd17d8df2a'
DISTRIB_TARGET='ipq806x/generic'
DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt 23.05.0-rc2 r23228-cd17d8df2a'
DISTRIB_TAINTS=''

And the kernel is:
root@OpenWrt:/# uname -a
Linux OpenWrt 5.15.118 #0 SMP Mon Jun 26 11:20:39 2023 armv7l GNU/Linux


It seems that I cannot use the command "conntrack -U -p tcp -m 1" to change the mark.
root@OpenWrt:/# conntrack  -L  -p tcp |grep mark=0 |wc -l
conntrack v1.4.7 (conntrack-tools): 302 flow entries have been shown.
302
root@OpenWrt:/# conntrack -U -p tcp -m 1
Operation failed: Not supported
conntrack v1.4.7 (conntrack-tools): Operation failed: Not supported

I need to add the option "-f ipv4", but not all entries can be updated
successfully; "Protocol error" is reported.
root@OpenWrt:/# conntrack -U -p tcp -f ipv4 -m 1
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47592
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47592 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46262
dport=80 packets=11 bytes=702 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46262 packets=11 bytes=18126 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46820
dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46820 packets=10 bytes=14369 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46888
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46888 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46304
dport=80 packets=13 bytes=882 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46304 packets=11 bytes=14421 [ASSURED] mark=1 use=2
tcp      6 47 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46638
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46638 packets=8 bytes=12817 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47416
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47416 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48636
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48636 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47124
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47124 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46400
dport=80 packets=11 bytes=738 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46400 packets=12 bytes=17369 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45832
dport=80 packets=11 bytes=754 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45832 packets=12 bytes=21713 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47132
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47132 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46816
dport=80 packets=10 bytes=642 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46816 packets=11 bytes=17487 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47764
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47764 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47418
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47418 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48214
dport=80 packets=10 bytes=662 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48214 packets=11 bytes=18765 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46834
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46834 packets=8 bytes=11369 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48376
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48376 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47514
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47514 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46348
dport=80 packets=10 bytes=630 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46348 packets=11 bytes=13782 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47422
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47422 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47264
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47264 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48428
dport=80 packets=12 bytes=806 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48428 packets=10 bytes=18713 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48692
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48692 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48666
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48666 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48218
dport=80 packets=10 bytes=670 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48218 packets=9 bytes=17213 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46210
dport=80 packets=11 bytes=726 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46210 packets=9 bytes=14317 [ASSURED] mark=1 use=2
tcp      6 47 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46292
dport=80 packets=10 bytes=670 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46292 packets=12 bytes=18178 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48074
dport=80 packets=12 bytes=814 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48074 packets=11 bytes=18126 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46798
dport=80 packets=11 bytes=738 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46798 packets=10 bytes=20970 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46294
dport=80 packets=11 bytes=658 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46294 packets=13 bytes=14525 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46034
dport=80 packets=13 bytes=910 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46034 packets=13 bytes=20317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48330
dport=80 packets=9 bytes=590 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48330 packets=10 bytes=17435 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46228
dport=80 packets=10 bytes=630 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46228 packets=10 bytes=15178 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48210
dport=80 packets=9 bytes=566 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48210 packets=8 bytes=12987 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45862
dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45862 packets=10 bytes=15817 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45872
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45872 packets=12 bytes=18817 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47248
dport=80 packets=11 bytes=706 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47248 packets=10 bytes=17265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48614
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48614 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48702
dport=80 packets=4 bytes=216 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48702 packets=2 bytes=112 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48622
dport=80 packets=10 bytes=670 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48622 packets=10 bytes=18713 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46846
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46846 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46376
dport=80 packets=11 bytes=750 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46376 packets=12 bytes=17369 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47154
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47154 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47846
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47846 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46952
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46952 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47336
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47336 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46900
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46900 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46964
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46964 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47852
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47852 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48552
dport=80 packets=10 bytes=650 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48552 packets=8 bytes=13626 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48142
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48142 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46604
dport=80 packets=10 bytes=674 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46604 packets=9 bytes=14317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46182
dport=80 packets=9 bytes=554 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46182 packets=8 bytes=11369 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46620
dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46620 packets=10 bytes=17265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48086
dport=80 packets=9 bytes=590 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48086 packets=10 bytes=22418 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48684
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48684 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48564
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48564 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46722
dport=80 packets=10 bytes=630 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46722 packets=12 bytes=21074 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47290
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47290 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47098
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47098 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46042
dport=80 packets=12 bytes=786 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46042 packets=14 bytes=22626 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46336
dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46336 packets=10 bytes=12921 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47332
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47332 packets=7 bytes=11317 [ASSURED] mark=1 use=2
Operation failed: Protocol error
conntrack v1.4.7 (conntrack-tools): Operation failed: Protocol error
root@OpenWrt:/# conntrack  -L  -p tcp |grep mark=1 |wc -l
conntrack v1.4.7 (conntrack-tools): 302 flow entries have been shown.
191


This issue can NOT be reproduced in another OpenWrt version. Both the
kernel and conntrack versions (v1.4.7 vs v1.4.6) are different.
root@OpenWrt:/# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='22.03.5'
DISTRIB_REVISION='r20134-5f15225c1e'
DISTRIB_TARGET='ipq806x/generic'
DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt 22.03.5 r20134-5f15225c1e'
DISTRIB_TAINTS=''

And the kernel version is:
root@OpenWrt:/# uname -a
Linux OpenWrt 5.10.176 #0 SMP Thu Apr 27 20:28:15 2023 armv7l GNU/Linux

I can use the command "conntrack -U -p tcp -m 1" without the option "-f ipv4"
to update all entries successfully. Did anything change in the kernel or in
the user-space conntrack tool to cause this different behavior? Thanks!

root@OpenWrt:/# conntrack -U -p tcp -m 1
tcp      6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48476
dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48476 packets=8 bytes=15074 [ASSURED] mark=1 use=2
tcp      6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46914
dport=80 packets=10 bytes=654 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46914 packets=9 bytes=12869 [ASSURED] mark=1 use=2
tcp      6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=49240
dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=49240 packets=8 bytes=13626 [ASSURED] mark=1 use=2
tcp      6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=49398
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=49398 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=49152
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=49152 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=49402
dport=80 packets=10 bytes=670 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=49402 packets=10 bytes=15817 [ASSURED] mark=1 use=2
tcp      6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48646
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48646 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48990
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48990 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48834
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=48834 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 101 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47706
dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=47706 packets=9 bytes=14317 [ASSURED] mark=1 use=2
.......................
.......................
conntrack v1.4.6 (conntrack-tools): 319 flow entries have been updated.

Tony

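The post above checks the result of the bulk update by hand with `grep mark=1 | wc -l`. The script below is an added example, not code from the thread, OpenWrt or conntrack-tools: it parses a `conntrack -L` listing read from stdin into per-mark counts, reports whether every entry carries the requested mark, and wraps `conntrack -U` so that each address family is updated separately (the 1.4.7 build in the post refused `-U` without `-f`) and the table is re-listed afterwards, since a run that fails part-way may still have updated some entries. The `conntrack` binary path (overridable through `CONNTRACK`), the use of `-f ipv6` alongside `-f ipv4`, and the sample listing are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the thread or from conntrack-tools.
# Summarise a `conntrack -L` listing by mark value and check whether a bulk
# `conntrack -U ... -m N` reached every entry. Listings are read from stdin,
# so saved dumps or constructed lines can be used. Note that conntrack's
# "N flow entries have been shown." summary goes to stderr, not stdout.

CONNTRACK=${CONNTRACK:-conntrack}   # assumed path to the conntrack binary

# Print "mark=<n> <count>" for every mark value in the listing on stdin.
count_by_mark() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^mark=[0-9]+$/) { c[$i]++; break }
    }
    END { for (m in c) print m, c[m] }' | sort
}

# Exit 0 if every entry on stdin carries mark=$1, 1 otherwise. Entries
# without a mark= token count as not updated.
all_marked() {
    missed=$(awk -v want="mark=$1" '{
        seen = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^mark=[0-9]+$/) { seen = 1; if ($i != want) n++ }
        if (!seen) n++
    } END { print n + 0 }')
    [ "$missed" -eq 0 ]
}

# Set mark $1 on all TCP entries, one address family at a time (the
# conntrack 1.4.7 build in the thread rejected -U without -f), then re-list
# and verify, because a failed run can still have updated some entries.
update_tcp_mark() {
    for fam in ipv4 ipv6; do
        "$CONNTRACK" -U -f "$fam" -p tcp -m "$1" >/dev/null 2>&1 ||
            echo "conntrack -U -f $fam failed (exit $?)" >&2
    done
    "$CONNTRACK" -L -p tcp 2>/dev/null | all_marked "$1"
}

# Constructed sample in `conntrack -L` format; not captured from a real host.
SAMPLE='tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47592 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47592 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.30 dst=10.40.9.83 sport=47600 dport=443 packets=20 bytes=3000 src=10.40.9.83 dst=10.40.9.165 sport=443 dport=47600 packets=18 bytes=9000 [ASSURED] mark=0 use=1
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46262 dport=80 packets=11 bytes=702 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46262 packets=11 bytes=18126 [ASSURED] mark=1 use=2'

printf '%s\n' "$SAMPLE" | count_by_mark
```

On a router, `update_tcp_mark 1` (as root) returns 0 only when every TCP entry in the re-listed table carries `mark=1`; the per-family error lines on stderr say which `-U` call failed, while the exit status answers the question that matters for a firewall rule keyed on the mark, namely whether any flow was left behind.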

* Re: Fwd: question about using conntrack to change the mark
  2023-08-21  7:44 ` Fwd: question about using conntrack to change the mark Tony He
@ 2023-08-21 10:29   ` Pablo Neira Ayuso
  2023-08-21 11:26     ` Tony He
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2023-08-21 10:29 UTC (permalink / raw)
  To: Tony He; +Cc: netfilter

On Mon, Aug 21, 2023 at 03:44:54PM +0800, Tony He wrote:
> Hi,
> 
> I am using Openwrt. The version is:
> root@OpenWrt:/# cat /etc/openwrt_release
> DISTRIB_ID='OpenWrt'
> DISTRIB_RELEASE='23.05.0-rc2'
> DISTRIB_REVISION='r23228-cd17d8df2a'
> DISTRIB_TARGET='ipq806x/generic'
> DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
> DISTRIB_DESCRIPTION='OpenWrt 23.05.0-rc2 r23228-cd17d8df2a'
> DISTRIB_TAINTS=''
> 
> And kernel is:
> root@OpenWrt:/# uname -a
> Linux OpenWrt 5.15.118 #0 SMP Mon Jun 26 11:20:39 2023 armv7l GNU/Linux
> 
> 
> Seems that I can not use command " conntrack -U -p tcp -m 1" to change the mark.
> root@OpenWrt:/# conntrack  -L  -p tcp |grep mark=0 |wc -l
> conntrack v1.4.7 (conntrack-tools): 302 flow entries have been shown.
> 302
> root@OpenWrt:/# conntrack -U -p tcp -m 1
> Operation failed: Not supported
> conntrack v1.4.7 (conntrack-tools): Operation failed: Not supported

Please, try this patch:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/

> I need to add option "-f ipv4", but not all entries can be updated
> successfully. "Protocol error" is reported.

EPROTO means netlink sequence numbers are not fine, which might refer
to another userspace bug.

I made another patch; error handling was not robust in the -U case (no
exit_error was used, printf instead).

Also try this patch on top of the previous patch.

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

Thanks for reporting.


* Re: Fwd: question about using conntrack to change the mark
  2023-08-21 10:29   ` Pablo Neira Ayuso
@ 2023-08-21 11:26     ` Tony He
  2023-08-21 12:02       ` Pablo Neira Ayuso
  0 siblings, 1 reply; 9+ messages in thread
From: Tony He @ 2023-08-21 11:26 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

Hi Pablo,


Pablo Neira Ayuso <pablo@netfilter.org> wrote on Mon, Aug 21, 2023 at 18:29:
>
> On Mon, Aug 21, 2023 at 03:44:54PM +0800, Tony He wrote:
> > Hi,
> >
> > I am using Openwrt. The version is:
> > root@OpenWrt:/# cat /etc/openwrt_release
> > DISTRIB_ID='OpenWrt'
> > DISTRIB_RELEASE='23.05.0-rc2'
> > DISTRIB_REVISION='r23228-cd17d8df2a'
> > DISTRIB_TARGET='ipq806x/generic'
> > DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
> > DISTRIB_DESCRIPTION='OpenWrt 23.05.0-rc2 r23228-cd17d8df2a'
> > DISTRIB_TAINTS=''
> >
> > And kernel is:
> > root@OpenWrt:/# uname -a
> > Linux OpenWrt 5.15.118 #0 SMP Mon Jun 26 11:20:39 2023 armv7l GNU/Linux
> >
> >
> > Seems that I can not use command " conntrack -U -p tcp -m 1" to change the mark.
> > root@OpenWrt:/# conntrack  -L  -p tcp |grep mark=0 |wc -l
> > conntrack v1.4.7 (conntrack-tools): 302 flow entries have been shown.
> > 302
> > root@OpenWrt:/# conntrack -U -p tcp -m 1
> > Operation failed: Not supported
> > conntrack v1.4.7 (conntrack-tools): Operation failed: Not supported
>
> Please, try this patch:
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
This patch works when there are not many conntrack sessions. When there are about
300 sessions, another error, "No buffer space available", is reported.

It works when there are not many sessions:
root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
conntrack v1.4.7 (conntrack-tools): 204 flow entries have been shown.
204
root@OpenWrt:~# ./conntrack -U -p tcp -m 1
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58130
dport=80 packets=11 bytes=742 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58130 packets=12 bytes=19626 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58858
dport=80 packets=10 bytes=654 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58858 packets=9 bytes=15765 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59750
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59750 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59644
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59644 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58312
dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58312 packets=12 bytes=23161 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57910
dport=80 packets=11 bytes=754 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57910 packets=13 bytes=22574 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58276
dport=80 packets=11 bytes=778 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58276 packets=12 bytes=19626 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59336
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59336 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59238
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59238 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59514
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59514 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59104
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59104 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58170
dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58170 packets=12 bytes=19626 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58502
dport=80 packets=9 bytes=554 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58502 packets=8 bytes=11369 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59744
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59744 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58556
dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58556 packets=12 bytes=18817 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59464
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59464 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59232
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59232 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58806
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58806 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59716
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59716 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59550
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59550 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59240
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59240 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57942
dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57942 packets=11 bytes=16678 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58292
dport=80 packets=10 bytes=642 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58292 packets=10 bytes=15817 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59190
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59190 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57876
dport=80 packets=10 bytes=618 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57876 packets=11 bytes=15230 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59540
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59540 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58626
dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58626 packets=11 bytes=18765 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59016
dport=80 packets=8 bytes=514 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59016 packets=7 bytes=12126 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59630
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59630 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58584
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58584 packets=11 bytes=17317 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58458
dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58458 packets=11 bytes=17317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59604
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59604 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59252
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59252 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59598
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59598 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58810
dport=80 packets=4 bytes=216 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58810 packets=3 bytes=172 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58196
dport=80 packets=11 bytes=750 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58196 packets=11 bytes=17317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57922
dport=80 packets=13 bytes=870 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57922 packets=12 bytes=16730 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58844
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58844 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57944
dport=80 packets=12 bytes=798 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57944 packets=13 bytes=19039 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59192
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59192 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58236
dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58236 packets=9 bytes=14317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59350
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59350 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58450
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58450 packets=9 bytes=14317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58992
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58992 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59570
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59570 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57916
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57916 packets=15 bytes=28470 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58716
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58716 packets=9 bytes=14317 [ASSURED] mark=1 use=2
tcp      6 110 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58652
dport=80 packets=13 bytes=874 src=10.40.9.83 dst=10.40.9.165 sport=80
[...]
conntrack v1.4.7 (conntrack-tools): 203 flow entries have been updated.

Many connections:
root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
conntrack v1.4.7 (conntrack-tools): 313 flow entries have been shown.
313
root@OpenWrt:~# ./conntrack -U -p tcp -m 1
[...]
conntrack v1.4.7 (conntrack-tools): Operation failed: No buffer space available

>
> > I need to add option "-f ipv4", but not all entries can be updated
> > successfully. "Protocol error" is reported.
>
> EPROTO means netlink sequence numbers are not fine, which might refer
> to another userspace bug.
>
> I made another patch, error handling was not robust in the -U case (no
> exit_error was used, instead printf).
>
> Also try this patch on top of the previous patch.
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/
I will test this patch after the above issue is fixed.
>
> Thanks for reporting.

Tony

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Fwd: question about using conntrack to change the mark
  2023-08-21 11:26     ` Tony He
@ 2023-08-21 12:02       ` Pablo Neira Ayuso
  2023-08-22  2:11         ` Tony He
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2023-08-21 12:02 UTC (permalink / raw)
  To: Tony He; +Cc: netfilter

On Mon, Aug 21, 2023 at 07:26:54PM +0800, Tony He wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote on Mon, Aug 21, 2023 at 18:29:
[...]
> > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
>
> This patch works when the conntrack sessions are not many. When there are about
> 300 sessions, another error "No buffer space available" is reported.
> 
> Works when sessions are not many:
> root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> conntrack v1.4.7 (conntrack-tools): 204 flow entries have been shown.
> 204
> root@OpenWrt:~# ./conntrack -U -p tcp -m 1
[...]
> tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45714
> dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> dport=45714 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> conntrack v1.4.7 (conntrack-tools): Operation failed: No buffer space available

Another patch to fix this issue, thanks for reporting:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/


* Re: Fwd: question about using conntrack to change the mark
  2023-08-21 12:02       ` Pablo Neira Ayuso
@ 2023-08-22  2:11         ` Tony He
  2023-08-22  8:51           ` Pablo Neira Ayuso
  0 siblings, 1 reply; 9+ messages in thread
From: Tony He @ 2023-08-22  2:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

Hi Pablo,

Pablo Neira Ayuso <pablo@netfilter.org> wrote on Mon, Aug 21, 2023 at 20:02:
>
> On Mon, Aug 21, 2023 at 07:26:54PM +0800, Tony He wrote:
> > Pablo Neira Ayuso <pablo@netfilter.org> wrote on Mon, Aug 21, 2023 at 18:29:
> [...]
> > > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
> >
> > This patch works when the conntrack sessions are not many. When there are about
> > 300 sessions, another error "No buffer space available" is reported.
> >
> > Works when sessions are not many:
> > root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> > conntrack v1.4.7 (conntrack-tools): 204 flow entries have been shown.
> > 204
> > root@OpenWrt:~# ./conntrack -U -p tcp -m 1
> [...]
> > tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45714
> > dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> > dport=45714 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > conntrack v1.4.7 (conntrack-tools): Operation failed: No buffer space available
>
> Another patch to fix this issue, thanks for reporting:
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/
I confirm this issue has been fixed. I even tried about 1000 flow entries.
root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
conntrack v1.4.7 (conntrack-tools): 1024 flow entries have been shown.
1024
root@OpenWrt:~# ./conntrack -U -p tcp  -m 1
tcp      6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83
sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83
dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED]
mark=1 use=2
tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57656 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57000 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=55730
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=55730 packets=6 bytes=11265 [ASSURED] mark=1 use=2
......
conntrack v1.4.7 (conntrack-tools): 1023 flow entries have been updated.


After the above issue is fixed, I cannot reproduce the "-f ipv4" issue. It seems
that we don't need patch
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

We only need
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
and
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/

Does it make sense at the source code level?

root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
conntrack v1.4.7 (conntrack-tools): 1027 flow entries have been shown.
1027
root@OpenWrt:~# ./conntrack -U -p tcp -f ipv4 -m 1
tcp      6 64 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43410
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43410 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 68 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44160
dport=80 packets=5 bytes=268 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44160 packets=3 bytes=172 [ASSURED] mark=1 use=2
tcp      6 63 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=39350
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=39350 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 64 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45470
dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45470 packets=9 bytes=13678 [ASSURED] mark=1 use=2
......
......
conntrack v1.4.7 (conntrack-tools): 1026 flow entries have been updated.


* Re: Fwd: question about using conntrack to change the mark
  2023-08-22  2:11         ` Tony He
@ 2023-08-22  8:51           ` Pablo Neira Ayuso
  2023-08-22  9:46             ` Tony He
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2023-08-22  8:51 UTC (permalink / raw)
  To: Tony He; +Cc: netfilter

On Tue, Aug 22, 2023 at 10:11:00AM +0800, Tony He wrote:
[...]
> I confirm this issue has been fixed. I even tried about 1000 flow entries.
> root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> conntrack v1.4.7 (conntrack-tools): 1024 flow entries have been shown.
> 1024
> root@OpenWrt:~# ./conntrack -U -p tcp  -m 1
> tcp      6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83
> sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83
> dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED]
> mark=1 use=2
> tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656
> dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> dport=57656 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000
> dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> dport=57000 packets=7 bytes=11317 [ASSURED] mark=1 use=2
> tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=55730
> dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> dport=55730 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> ......
> conntrack v1.4.7 (conntrack-tools): 1023 flow entries have been updated.
> 
> After the above issue is fixed, I cannot reproduce the "-f ipv4" issue. It seems
> that we don't need patch
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

This is also required because conntrack -U/-D dumps the table from the
kernel, then it iterates over the list of entries. If the entry
expires, -U/-D will hit ENOENT, which should be ignored. This is
another regression from 1.4.6.

> We only need
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
> and
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/

Applied, thanks for reporting.

I have also pushed out this test:

  f088ba22246b ("tests/conntrack: add initial stress test for conntrack")

which covers these two bugs.

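The dump-then-iterate behaviour described above, as an added example that is not code from this thread or from conntrack-tools: it parses the conntrack output format pasted in the thread (mail-wrapped lines, and also the udp layout without a state column) and runs one simulated `-U` pass in which a flow times out after the dump, so its update answers ENOENT and is skipped while the remaining entries are still updated. `update_marks`, `run` and the sample listing are constructed for this example and stand in for the kernel and the netlink round-trip, which the script does not touch.

```python
"""Added example (not code from the thread or conntrack-tools): parse the
conntrack output pasted in this thread and model the dump-then-iterate
loop of `conntrack -U`, skipping entries that expired after the dump."""
import errno
import re
from dataclasses import dataclass
from typing import Optional

# One entry on a single line. The state column is absent for udp, [UNREPLIED]
# may sit between the two tuples, and the counters assume accounting is on, as on the page.
_ENTRY_RE = re.compile(
    r"^(?P<proto>[a-z]+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+"
    r"packets=\d+\s+bytes=\d+\s+(?:\[UNREPLIED\]\s+)?"
    r"src=\S+\s+dst=\S+\s+sport=\d+\s+dport=\d+\s+packets=\d+\s+bytes=\d+\s+"
    r"(?:\[[A-Z]+\]\s+)?mark=(?P<mark>\d+)\s+use=\d+$")
_SUMMARY_RE = re.compile(r"^conntrack v[\d.]+ \(conntrack-tools\): (\d+) flow entries have been (\w+)\.$")


@dataclass
class Entry:
    proto: str
    state: Optional[str]
    timeout: int
    src: str
    dst: str
    sport: int
    dport: int
    mark: int

    def key(self):  # the original-direction tuple identifies the flow in the table
        return (self.proto, self.src, self.dst, self.sport, self.dport)


def unwrap_mail_lines(text):
    """Rejoin entries a mail client wrapped: a line that starts with a field
    such as 'dport=' or 'mark=' continues the previous line."""
    return re.sub(r"\n(?=[a-z]+=)", " ", text).splitlines()


def parse_output(text):
    """Return (entries, summary); summary is (count, verb), e.g. (203, 'updated')."""
    entries, summary = [], None
    for line in unwrap_mail_lines(text):
        if m := _ENTRY_RE.match(line.strip()):
            entries.append(Entry(m["proto"], m["state"], int(m["timeout"]), m["src"],
                                 m["dst"], int(m["sport"]), int(m["dport"]), int(m["mark"])))
        elif s := _SUMMARY_RE.match(line.strip()):
            summary = (int(s.group(1)), s.group(2))
    return entries, summary


def update_marks(table, new_mark, expire_keys=(), ignore_enoent=True):
    """Mirror `conntrack -U -m new_mark` against a constructed table (a dict
    standing in for the kernel): dump once, then update entry by entry. The
    expire_keys flows time out after the first update; with
    ignore_enoent=False the first expired entry aborts the whole run."""
    snapshot = list(table.values())          # the dump is a snapshot
    updated = skipped = 0
    for i, entry in enumerate(snapshot):
        if i == 1:
            for k in expire_keys:
                table.pop(k, None)
        try:
            if entry.key() not in table:     # flow timed out after the dump:
                raise OSError(errno.ENOENT, "No such file or directory")  # kernel answers ENOENT
            table[entry.key()].mark = new_mark
        except OSError as err:
            if err.errno == errno.ENOENT and ignore_enoent:
                skipped += 1
                continue
            raise
        updated += 1
    return updated, skipped


# Constructed listing in the thread's mail-wrapped format, before any -U run.
SAMPLE_DUMP = """\
root@OpenWrt:~# ./conntrack -L -p tcp
tcp      6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83
sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83
dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED]
mark=0 use=2
tcp      6 5 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57656 packets=6 bytes=11265 [ASSURED] mark=0 use=2
tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57000 packets=7 bytes=11317 [ASSURED] mark=0 use=2
......
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
"""


def run(ignore_enoent=True):
    """One -U run in which the flow with the shortest timeout expires mid-run.
    Returns (updated, skipped, errno name or None, marks left in the table)."""
    entries, _ = parse_output(SAMPLE_DUMP)
    table = {e.key(): e for e in entries}
    expiring = [e.key() for e in entries if e.timeout < 10]
    try:
        result = update_marks(table, 1, expiring, ignore_enoent) + (None,)
    except OSError as err:
        result = (None, None, errno.errorcode[err.errno])
    return result + ([e.mark for e in table.values()],)
```

With ENOENT tolerated the run reports two updates and one skip; without it the run stops at the expired flow and the entry after it keeps mark=0.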

* Re: Fwd: question about using conntrack to change the mark
  2023-08-22  8:51           ` Pablo Neira Ayuso
@ 2023-08-22  9:46             ` Tony He
  2023-08-22 10:00               ` Pablo Neira Ayuso
  0 siblings, 1 reply; 9+ messages in thread
From: Tony He @ 2023-08-22  9:46 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

Pablo Neira Ayuso <pablo@netfilter.org> wrote on Tue, Aug 22, 2023 at 16:51:
>
> On Tue, Aug 22, 2023 at 10:11:00AM +0800, Tony He wrote:
> [...]
> > I confirm this issue has been fixed. I even tried about 1000 flow entries.
> > root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> > conntrack v1.4.7 (conntrack-tools): 1024 flow entries have been shown.
> > 1024
> > root@OpenWrt:~# ./conntrack -U -p tcp  -m 1
> > tcp      6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83
> > sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83
> > dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED]
> > mark=1 use=2
> > tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656
> > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > dport=57656 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000
> > dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> > dport=57000 packets=7 bytes=11317 [ASSURED] mark=1 use=2
> > tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=55730
> > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > dport=55730 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > ......
> > conntrack v1.4.7 (conntrack-tools): 1023 flow entries have been updated.
> >
> > After the above issue is fixed, I cannot reproduce the "-f ipv4" issue. It seems
> > that we don't need patch
> >
> > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/
>
> This is also required because conntrack -U/-D dumps the table from the
> kernel, then it iterates over the list of entries. If the entry
> expires, -U/-D will hit ENOENT, which should be ignored. This is
> another regression from 1.4.6.
Sorry, I still don't quite understand. I mean if we don't add [1] and
[2], I can reproduce "Protocol error".
However, after adding the above [1] and [2], I cannot reproduce "Protocol
error" even though [3] is not added.
Is [3] used to fix "Protocol error"? If yes, why can't I
reproduce it? My test env has not changed.

[1] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
[2] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/
[3] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

>
> > We only need
> > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
> > and
> > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/
>
> Applied, thanks for reporting.
>
> I have also pushed out this test:
>
>   f088ba22246b ("tests/conntrack: add initial stress test for conntrack")
>
> which covers these two bugs.


* Re: Fwd: question about using conntrack to change the mark
  2023-08-22  9:46             ` Tony He
@ 2023-08-22 10:00               ` Pablo Neira Ayuso
  2023-08-22 10:09                 ` Tony He
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2023-08-22 10:00 UTC (permalink / raw)
  To: Tony He; +Cc: netfilter

On Tue, Aug 22, 2023 at 05:46:06PM +0800, Tony He wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote on Tue, Aug 22, 2023 at 16:51:
> >
> > On Tue, Aug 22, 2023 at 10:11:00AM +0800, Tony He wrote:
> > [...]
> > > I confirm this issue has been fixed. I even tried about 1000 flow entries.
> > > root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> > > conntrack v1.4.7 (conntrack-tools): 1024 flow entries have been shown.
> > > 1024
> > > root@OpenWrt:~# ./conntrack -U -p tcp  -m 1
> > > tcp      6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83
> > > sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83
> > > dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED]
> > > mark=1 use=2
> > > tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656
> > > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > dport=57656 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > > tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000
> > > dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > dport=57000 packets=7 bytes=11317 [ASSURED] mark=1 use=2
> > > tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=55730
> > > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > dport=55730 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > > ......
> > > conntrack v1.4.7 (conntrack-tools): 1023 flow entries have been updated.
> > >
> > > After the above issue is fixed, I cannot reproduce the "-f ipv4" issue. It seems
> > > that we don't need patch
> > >
> > > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/
> >
> > This is also required because conntrack -U/-D dumps the table from the
> > kernel, then it iterates over the list of entries. If the entry
> > expires, -U/-D will hit ENOENT, which should be ignored. This is
> > another regression from 1.4.6.
>
> Sorry, I still don't quite understand. I mean if we don't add [1] and
> [2], I can reproduce "Protocol error".
> However, after adding the above [1] and [2], I cannot reproduce "Protocol
> error" even though [3] is not added.
> Is [3] used to fix "Protocol error"? If yes, why can't I
> reproduce it? My test env has not changed.
> 
> [1] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
> [2] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/
> [3] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

[1] and [2] are sufficient to fix the problems that you reported.

[3] is a different issue that you did not report that I found while
reviewing this code.


* Re: Fwd: question about using conntrack to change the mark
  2023-08-22 10:00               ` Pablo Neira Ayuso
@ 2023-08-22 10:09                 ` Tony He
  0 siblings, 0 replies; 9+ messages in thread
From: Tony He @ 2023-08-22 10:09 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

OK, thanks for clarifying. The mail below caused the misunderstanding.

> > I need to add option "-f ipv4", but not all entries can be updated
> > successfully. "Protocol error" is reported.
>
> EPROTO means netlink sequence numbers are not fine, which might refer
> to another userspace bug.
>
> I made another patch, error handling was not robust in the -U case (no
> exit_error was used, instead printf).
>
> Also try this patch on top of the previous patch.
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

Pablo Neira Ayuso <pablo@netfilter.org> wrote on Tue, Aug 22, 2023 at 18:00:
>
> On Tue, Aug 22, 2023 at 05:46:06PM +0800, Tony He wrote:
> > Pablo Neira Ayuso <pablo@netfilter.org> wrote on Tue, Aug 22, 2023 at 16:51:
> > >
> > > On Tue, Aug 22, 2023 at 10:11:00AM +0800, Tony He wrote:
> > > [...]
> > > > I confirm this issue has been fixed. I even tried about 1000 flow entries.
> > > > root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> > > > conntrack v1.4.7 (conntrack-tools): 1024 flow entries have been shown.
> > > > 1024
> > > > root@OpenWrt:~# ./conntrack -U -p tcp  -m 1
> > > > tcp      6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83
> > > > sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83
> > > > dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED]
> > > > mark=1 use=2
> > > > tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656
> > > > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > > dport=57656 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > > > tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000
> > > > dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > > dport=57000 packets=7 bytes=11317 [ASSURED] mark=1 use=2
> > > > tcp      6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=55730
> > > > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > > dport=55730 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > > > ......
> > > > conntrack v1.4.7 (conntrack-tools): 1023 flow entries have been updated.
> > > >
> > > > After above issue is fixed, I can not reproduce "-f ipv4" issue. Seems
> > > > that we don't need patch
> > > >
> > > > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/
> > >
> > > This is also required because conntrack -U/-D dumps the table from the
> > > kernel, then it iterates over the list of entries. If the entry
> > > expires, -U/-D will hit ENOENT, which should be ignored. This is
> > > another regression from 1.4.6.
> >
> > Sorry, I still don't quite understand. I mean if we don't add [1] and
> > [2], I can reproduce "Protocol error".
> > However, after adding above [1] and [2], I can not reproduce "Protocol
> > error" even though [3] is not added.
> > Is [3] used to fix "Protocol error"? If yes, why it can not be
> > reproduced by me? My test env is not changed.
> >
> > [1] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
> > [2] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/
> > [3] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/
>
> [1] and [2] are sufficient to fix the problems that you reported.
>
> [3] is a different issue that you did not report that I found while
> reviewing this code.


Thread overview: 9+ messages
     [not found] <CAAUX2SVTLxtpzsMnKWCpjRZwAKn391rm5T=y=oHPQ_T1w2UpBA@mail.gmail.com>
2023-08-21  7:44 ` Fwd: question about using conntrack to change the mark Tony He
2023-08-21 10:29   ` Pablo Neira Ayuso
2023-08-21 11:26     ` Tony He
2023-08-21 12:02       ` Pablo Neira Ayuso
2023-08-22  2:11         ` Tony He
2023-08-22  8:51           ` Pablo Neira Ayuso
2023-08-22  9:46             ` Tony He
2023-08-22 10:00               ` Pablo Neira Ayuso
2023-08-22 10:09                 ` Tony He
