* Fwd: question about using conntrack to change the mark
From: Tony He @ 2023-08-21 7:44 UTC
To: netfilter

Hi,

I am using OpenWrt. The version is:
root@OpenWrt:/# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='23.05.0-rc2'
DISTRIB_REVISION='r23228-cd17d8df2a'
DISTRIB_TARGET='ipq806x/generic'
DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt 23.05.0-rc2 r23228-cd17d8df2a'
DISTRIB_TAINTS=''

And kernel is:
root@OpenWrt:/# uname -a
Linux OpenWrt 5.15.118 #0 SMP Mon Jun 26 11:20:39 2023 armv7l GNU/Linux

Seems that I cannot use command "conntrack -U -p tcp -m 1" to change the mark.
root@OpenWrt:/# conntrack -L -p tcp |grep mark=0 |wc -l
conntrack v1.4.7 (conntrack-tools): 302 flow entries have been shown.
302
root@OpenWrt:/# conntrack -U -p tcp -m 1
Operation failed: Not supported
conntrack v1.4.7 (conntrack-tools): Operation failed: Not supported

I need to add option "-f ipv4", but not all entries can be updated successfully. "Protocol error" is reported.
root@OpenWrt:/# conntrack -U -p tcp -f ipv4 -m 1 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47592 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47592 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46262 dport=80 packets=11 bytes=702 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46262 packets=11 bytes=18126 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46820 dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46820 packets=10 bytes=14369 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46888 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46888 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46304 dport=80 packets=13 bytes=882 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46304 packets=11 bytes=14421 [ASSURED] mark=1 use=2 tcp 6 47 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46638 dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46638 packets=8 bytes=12817 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47416 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47416 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48636 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48636 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47124 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47124 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46400 dport=80 packets=11 bytes=738 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46400 packets=12 bytes=17369 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 
sport=45832 dport=80 packets=11 bytes=754 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=45832 packets=12 bytes=21713 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47132 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47132 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46816 dport=80 packets=10 bytes=642 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46816 packets=11 bytes=17487 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47764 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47764 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47418 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47418 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48214 dport=80 packets=10 bytes=662 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48214 packets=11 bytes=18765 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46834 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46834 packets=8 bytes=11369 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48376 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48376 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47514 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47514 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46348 dport=80 packets=10 bytes=630 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46348 packets=11 bytes=13782 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47422 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47422 
packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47264 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47264 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48428 dport=80 packets=12 bytes=806 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48428 packets=10 bytes=18713 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48692 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48692 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48666 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48666 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48218 dport=80 packets=10 bytes=670 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48218 packets=9 bytes=17213 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46210 dport=80 packets=11 bytes=726 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46210 packets=9 bytes=14317 [ASSURED] mark=1 use=2 tcp 6 47 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46292 dport=80 packets=10 bytes=670 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46292 packets=12 bytes=18178 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48074 dport=80 packets=12 bytes=814 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48074 packets=11 bytes=18126 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46798 dport=80 packets=11 bytes=738 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46798 packets=10 bytes=20970 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46294 dport=80 packets=11 bytes=658 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46294 packets=13 bytes=14525 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 
sport=46034 dport=80 packets=13 bytes=910 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46034 packets=13 bytes=20317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48330 dport=80 packets=9 bytes=590 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48330 packets=10 bytes=17435 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46228 dport=80 packets=10 bytes=630 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46228 packets=10 bytes=15178 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48210 dport=80 packets=9 bytes=566 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48210 packets=8 bytes=12987 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45862 dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=45862 packets=10 bytes=15817 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45872 dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=45872 packets=12 bytes=18817 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47248 dport=80 packets=11 bytes=706 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47248 packets=10 bytes=17265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48614 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48614 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48702 dport=80 packets=4 bytes=216 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48702 packets=2 bytes=112 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48622 dport=80 packets=10 bytes=670 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48622 packets=10 bytes=18713 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46846 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46846 
packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46376 dport=80 packets=11 bytes=750 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46376 packets=12 bytes=17369 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47154 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47154 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47846 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47846 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46952 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46952 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47336 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47336 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46900 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46900 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46964 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46964 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47852 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47852 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48552 dport=80 packets=10 bytes=650 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48552 packets=8 bytes=13626 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48142 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48142 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 
sport=46604 dport=80 packets=10 bytes=674 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46604 packets=9 bytes=14317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46182 dport=80 packets=9 bytes=554 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46182 packets=8 bytes=11369 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46620 dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46620 packets=10 bytes=17265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48086 dport=80 packets=9 bytes=590 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48086 packets=10 bytes=22418 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48684 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48684 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48564 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48564 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46722 dport=80 packets=10 bytes=630 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46722 packets=12 bytes=21074 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47290 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47290 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47098 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47098 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46042 dport=80 packets=12 bytes=786 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46042 packets=14 bytes=22626 [ASSURED] mark=1 use=2 tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46336 dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46336 
packets=10 bytes=12921 [ASSURED] mark=1 use=2
tcp 6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47332 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47332 packets=7 bytes=11317 [ASSURED] mark=1 use=2
Operation failed: Protocol error
conntrack v1.4.7 (conntrack-tools): Operation failed: Protocol error
root@OpenWrt:/# conntrack -L -p tcp |grep mark=1 |wc -l
conntrack v1.4.7 (conntrack-tools): 302 flow entries have been shown.
191

This issue can NOT be reproduced in another OpenWrt version. Both the kernel and conntrack version (v1.4.7 vs v1.4.6) are different.
root@OpenWrt:/# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='22.03.5'
DISTRIB_REVISION='r20134-5f15225c1e'
DISTRIB_TARGET='ipq806x/generic'
DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt 22.03.5 r20134-5f15225c1e'
DISTRIB_TAINTS=''

And kernel version is:
root@OpenWrt:/# uname -a
Linux OpenWrt 5.10.176 #0 SMP Thu Apr 27 20:28:15 2023 armv7l GNU/Linux

I can use command "conntrack -U -p tcp -m 1" without option "-f ipv4" to update all entries successfully. Did anything change in the kernel or the user-space conntrack tool to cause this different behavior? Thanks!
root@OpenWrt:/# conntrack -U -p tcp -m 1 tcp 6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48476 dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48476 packets=8 bytes=15074 [ASSURED] mark=1 use=2 tcp 6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46914 dport=80 packets=10 bytes=654 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46914 packets=9 bytes=12869 [ASSURED] mark=1 use=2 tcp 6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=49240 dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=49240 packets=8 bytes=13626 [ASSURED] mark=1 use=2 tcp 6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=49398 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=49398 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=49152 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=49152 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=49402 dport=80 packets=10 bytes=670 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=49402 packets=10 bytes=15817 [ASSURED] mark=1 use=2 tcp 6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48646 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48646 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48990 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48990 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 91 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=48834 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=48834 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 101 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47706 dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47706 packets=9 bytes=14317 [ASSURED] mark=1 use=2 ....................... ....................... 
conntrack v1.4.6 (conntrack-tools): 319 flow entries have been updated.

Tony
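The check in the report above is done with `grep mark=N | wc -l`, which tells you how many flows carry a mark but not which ones were skipped when `conntrack -U` stops part-way. The following parser is an added example written for this thread (it is not part of conntrack-tools and does not talk to netlink): it reads the text that `conntrack -L` prints, splits each flow into its original and reply tuples, tallies flows per mark value and lists the flows of a protocol whose mark still differs from the one a bulk update was supposed to set. The sample table embedded in `SAMPLE_OUTPUT` is constructed (modelled on the entries posted above, with one flow deliberately left at mark=0 and one UDP flow that `-p tcp` would not touch); the line format it relies on is the one shown in the report.

```python
"""Parse `conntrack -L` output and verify that a bulk mark update reached every flow.

Added example for this thread; it is not part of conntrack-tools. It only
reads the text that `conntrack -L` prints, so it runs with no netfilter access.
"""
import re
import sys
from collections import Counter

# Constructed sample modelled on the entries posted in the thread: three TCP
# flows, of which one was left at mark=0 (as happens when `conntrack -U` stops
# part-way with "Protocol error"), plus one UDP flow that `-p tcp` would not touch.
SAMPLE_OUTPUT = """\
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=47592 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47592 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 46 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46262 dport=80 packets=11 bytes=702 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=46262 packets=11 bytes=18126 [ASSURED] mark=1 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.30 dst=10.40.9.83 sport=47332 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=47332 packets=7 bytes=11317 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.30 dst=10.40.9.1 sport=53210 dport=53 packets=1 bytes=60 src=10.40.9.1 dst=192.168.1.30 sport=53 dport=53210 packets=1 bytes=120 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
"""

# One flow line: "<proto> <protonum> <timeout> [<state>] key=value ... [ASSURED] key=value ..."
ENTRY_RE = re.compile(r"^(?P<proto>[a-z]+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


def parse_entry(line):
    """Return a dict for one flow line, or None for version/summary/error/prompt lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    first = rest.split(None, 1)[0] if rest else ""
    # Protocols with a state machine (tcp, sctp) print the state before the
    # tuples; udp/icmp go straight to src=...
    state = first if "=" not in first and not first.startswith("[") else None
    entry = {
        "proto": m.group("proto"),
        "protonum": int(m.group("protonum")),
        "timeout": int(m.group("timeout")),
        "state": state,
        "assured": "[ASSURED]" in rest,
        "orig": {},
        "reply": {},
        "mark": 0,
        "use": 0,
    }
    for key, val in KV_RE.findall(rest):
        if key in TUPLE_KEYS:
            # Tuple keys appear twice: original direction first, then reply direction.
            side = "orig" if key not in entry["orig"] else "reply"
            entry[side][key] = val if key in ("src", "dst") else int(val)
        elif key in ("mark", "use"):
            entry[key] = int(val)
    return entry


def parse_table(text):
    """Parse a whole `conntrack -L` dump, skipping everything that is not a flow line."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def mark_histogram(entries, proto=None):
    """Count flows per mark value, optionally for one protocol (the `grep mark=N | wc -l` check)."""
    return Counter(e["mark"] for e in entries if proto is None or e["proto"] == proto)


def flows_missing_mark(entries, expected_mark, proto="tcp"):
    """Flows that `conntrack -U -p <proto> -m <expected_mark>` should have changed but did not.

    An empty list means the update covered the whole table; a non-empty list
    means it stopped part-way, which is what a 302-shown / 191-marked count hides.
    """
    return [e for e in entries if e["proto"] == proto and e["mark"] != expected_mark]


def main(argv):
    # Pass "-" to read a live dump from stdin; otherwise the constructed sample is used.
    text = sys.stdin.read() if len(argv) > 1 and argv[1] == "-" else SAMPLE_OUTPUT
    entries = parse_table(text)
    print("per-mark counts (tcp):", dict(mark_histogram(entries, "tcp")))
    for e in flows_missing_mark(entries, expected_mark=1):
        o = e["orig"]
        print(f"still mark={e['mark']}: {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} ({e['state']})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a router, run it as `conntrack -L -p tcp 2>/dev/null | python3 conntrack_marks.py -` (the version and "flow entries have been shown" lines go to stderr and are skipped by the parser anyway). Checking the listing after the update, rather than trusting the tool's exit status, is what exposes a partial update: the "Protocol error" case above left 111 of 302 flows at their old mark, and those are exactly the flows `flows_missing_mark` reports.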
* Re: Fwd: question about using conntrack to change the mark
From: Pablo Neira Ayuso @ 2023-08-21 10:29 UTC
To: Tony He; +Cc: netfilter

On Mon, Aug 21, 2023 at 03:44:54PM +0800, Tony He wrote:
> Hi,
>
> I am using Openwrt. The version is:
> root@OpenWrt:/# cat /etc/openwrt_release
> DISTRIB_ID='OpenWrt'
> DISTRIB_RELEASE='23.05.0-rc2'
> DISTRIB_REVISION='r23228-cd17d8df2a'
> DISTRIB_TARGET='ipq806x/generic'
> DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
> DISTRIB_DESCRIPTION='OpenWrt 23.05.0-rc2 r23228-cd17d8df2a'
> DISTRIB_TAINTS=''
>
> And kernel is:
> root@OpenWrt:/# uname -a
> Linux OpenWrt 5.15.118 #0 SMP Mon Jun 26 11:20:39 2023 armv7l GNU/Linux
>
>
> Seems that I can not use command " conntrack -U -p tcp -m 1" to change the mark.
> root@OpenWrt:/# conntrack -L -p tcp |grep mark=0 |wc -l
> conntrack v1.4.7 (conntrack-tools): 302 flow entries have been shown.
> 302
> root@OpenWrt:/# conntrack -U -p tcp -m 1
> Operation failed: Not supported
> conntrack v1.4.7 (conntrack-tools): Operation failed: Not supported

Please, try this patch:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/

> I need to add option "-f ipv4", but not all entries can be updated
> successfully. "Protocol error" is reported.

EPROTO means netlink sequence numbers are not fine, which might refer to another userspace bug.

I made another patch, error handling was not robust in the -U case (no exit_error was used, instead printf). Also try this patch on top of the previous patch.

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

Thanks for reporting.
* Re: Fwd: question about using conntrack to change the mark
From: Tony He @ 2023-08-21 11:26 UTC
To: Pablo Neira Ayuso; +Cc: netfilter

Hi Pablo,

Pablo Neira Ayuso <pablo@netfilter.org> wrote on Mon, Aug 21, 2023 at 18:29:
>
> On Mon, Aug 21, 2023 at 03:44:54PM +0800, Tony He wrote:
> > Hi,
> >
> > I am using Openwrt. The version is:
> > root@OpenWrt:/# cat /etc/openwrt_release
> > DISTRIB_ID='OpenWrt'
> > DISTRIB_RELEASE='23.05.0-rc2'
> > DISTRIB_REVISION='r23228-cd17d8df2a'
> > DISTRIB_TARGET='ipq806x/generic'
> > DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
> > DISTRIB_DESCRIPTION='OpenWrt 23.05.0-rc2 r23228-cd17d8df2a'
> > DISTRIB_TAINTS=''
> >
> > And kernel is:
> > root@OpenWrt:/# uname -a
> > Linux OpenWrt 5.15.118 #0 SMP Mon Jun 26 11:20:39 2023 armv7l GNU/Linux
> >
> >
> > Seems that I can not use command " conntrack -U -p tcp -m 1" to change the mark.
> > root@OpenWrt:/# conntrack -L -p tcp |grep mark=0 |wc -l
> > conntrack v1.4.7 (conntrack-tools): 302 flow entries have been shown.
> > 302
> > root@OpenWrt:/# conntrack -U -p tcp -m 1
> > Operation failed: Not supported
> > conntrack v1.4.7 (conntrack-tools): Operation failed: Not supported
>
> Please, try this patch:
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/

This patch works when the conntrack sessions are not many. When there are about 300 sessions, another error "No buffer space available" is reported.

Works when sessions are not many:
root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
conntrack v1.4.7 (conntrack-tools): 204 flow entries have been shown.
204 root@OpenWrt:~# ./conntrack -U -p tcp -m 1 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58130 dport=80 packets=11 bytes=742 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58130 packets=12 bytes=19626 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58858 dport=80 packets=10 bytes=654 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58858 packets=9 bytes=15765 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59750 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59750 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59644 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59644 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58312 dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58312 packets=12 bytes=23161 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57910 dport=80 packets=11 bytes=754 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=57910 packets=13 bytes=22574 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58276 dport=80 packets=11 bytes=778 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58276 packets=12 bytes=19626 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59336 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59336 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59238 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59238 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59514 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59514 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 
sport=59104 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59104 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58170 dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58170 packets=12 bytes=19626 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58502 dport=80 packets=9 bytes=554 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58502 packets=8 bytes=11369 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59744 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59744 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58556 dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58556 packets=12 bytes=18817 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59464 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59464 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59232 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59232 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58806 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58806 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59716 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59716 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59550 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59550 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59240 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59240 packets=6 
bytes=11265 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57942 dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=57942 packets=11 bytes=16678 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58292 dport=80 packets=10 bytes=642 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58292 packets=10 bytes=15817 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59190 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59190 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57876 dport=80 packets=10 bytes=618 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=57876 packets=11 bytes=15230 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59540 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59540 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58626 dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58626 packets=11 bytes=18765 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59016 dport=80 packets=8 bytes=514 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59016 packets=7 bytes=12126 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59630 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59630 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58584 dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58584 packets=11 bytes=17317 [ASSURED] mark=1 use=2 tcp 6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58458 dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58458 packets=11 bytes=17317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 
sport=59604 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59604 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59252 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59252 packets=7 bytes=11317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59598 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59598 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58810 dport=80 packets=4 bytes=216 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58810 packets=3 bytes=172 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58196 dport=80 packets=11 bytes=750 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58196 packets=11 bytes=17317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57922 dport=80 packets=13 bytes=870 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=57922 packets=12 bytes=16730 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58844 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58844 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57944 dport=80 packets=12 bytes=798 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=57944 packets=13 bytes=19039 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59192 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59192 packets=6 bytes=11265 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58236 dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=58236 packets=9 bytes=14317 [ASSURED] mark=1 use=2 tcp 6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59350 dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=59350 packets=7 
[...]
conntrack v1.4.7 (conntrack-tools): 203 flow entries have been updated.

Many connections:

root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
conntrack v1.4.7 (conntrack-tools): 313 flow entries have been shown.
313
root@OpenWrt:~# ./conntrack -U -p tcp -m 1
[...]
conntrack v1.4.7 (conntrack-tools): Operation failed: No buffer space available

> > I need to add option "-f ipv4", but not all entries can be updated
> > successfully. "Protocol error" is reported.
>
> EPROTO means netlink sequence numbers are not fine, which might refer
> to another userspace bug.
>
> I made another patch, error handling was not robust in the -U case (no
> exit_error was used, instead printf).
>
> Also try this patch on top of the previous patch.
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

I will test this patch after above issue is fixed.

> Thanks for reporting.

Tony

^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Fwd: question about using conntrack to change the mark
  2023-08-21 11:26 ` Tony He
@ 2023-08-21 12:02 ` Pablo Neira Ayuso
  2023-08-22  2:11 ` Tony He
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2023-08-21 12:02 UTC (permalink / raw)
  To: Tony He; +Cc: netfilter

On Mon, Aug 21, 2023 at 07:26:54PM +0800, Tony He wrote:
> On Mon, Aug 21, 2023 at 18:29, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
[...]
> > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
>
> This patch works when the conntrack sessions are not many. When there are about
> 300 sessions, another error "No buffer space available" is reported.
>
> Works when sessions are not many:
> root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> conntrack v1.4.7 (conntrack-tools): 204 flow entries have been shown.
> 204
> root@OpenWrt:~# ./conntrack -U -p tcp -m 1
[...]
> tcp 6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45714
> dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> dport=45714 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> conntrack v1.4.7 (conntrack-tools): Operation failed: No buffer space available

Another patch to fix this issue, thanks for reporting:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/

^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Fwd: question about using conntrack to change the mark
  2023-08-21 12:02 ` Pablo Neira Ayuso
@ 2023-08-22  2:11 ` Tony He
  2023-08-22  8:51 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 9+ messages in thread
From: Tony He @ 2023-08-22 2:11 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

Hi Pablo,

On Mon, Aug 21, 2023 at 20:02, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Mon, Aug 21, 2023 at 07:26:54PM +0800, Tony He wrote:
> > On Mon, Aug 21, 2023 at 18:29, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> [...]
> > > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
> >
> > This patch works when the conntrack sessions are not many. When there are about
> > 300 sessions, another error "No buffer space available" is reported.
> >
> > Works when sessions are not many:
> > root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> > conntrack v1.4.7 (conntrack-tools): 204 flow entries have been shown.
> > 204
> > root@OpenWrt:~# ./conntrack -U -p tcp -m 1
> [...]
> > tcp 6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45714
> > dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> > dport=45714 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > conntrack v1.4.7 (conntrack-tools): Operation failed: No buffer space available
>
> Another patch to fix this issue, thanks for reporting:
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/

I confirm this issue has been fixed. I even tried about 1000 flow entries.

root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
conntrack v1.4.7 (conntrack-tools): 1024 flow entries have been shown.
1024
root@OpenWrt:~# ./conntrack -U -p tcp -m 1
tcp 6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83 sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED] mark=1 use=2
tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=57656 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=57000 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=55730 dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=55730 packets=6 bytes=11265 [ASSURED] mark=1 use=2
......
conntrack v1.4.7 (conntrack-tools): 1023 flow entries have been updated.

After above issue is fixed, I can not reproduce the "-f ipv4" issue. Seems
that we don't need patch

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

We only need

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/

and

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/

Does it make sense at source code level?

root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
conntrack v1.4.7 (conntrack-tools): 1027 flow entries have been shown.
1027
root@OpenWrt:~# ./conntrack -U -p tcp -f ipv4 -m 1
tcp 6 64 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43410 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=43410 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp 6 68 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44160 dport=80 packets=5 bytes=268 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=44160 packets=3 bytes=172 [ASSURED] mark=1 use=2
tcp 6 63 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=39350 dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=39350 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp 6 64 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45470 dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80 dport=45470 packets=9 bytes=13678 [ASSURED] mark=1 use=2
......
......
conntrack v1.4.7 (conntrack-tools): 1026 flow entries have been updated.

^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Fwd: question about using conntrack to change the mark
  2023-08-22  2:11 ` Tony He
@ 2023-08-22  8:51 ` Pablo Neira Ayuso
  2023-08-22  9:46 ` Tony He
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2023-08-22 8:51 UTC (permalink / raw)
  To: Tony He; +Cc: netfilter

On Tue, Aug 22, 2023 at 10:11:00AM +0800, Tony He wrote:
[...]
> I confirm this issue has been fixed. I even tried about 1000 flow entries.
> root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> conntrack v1.4.7 (conntrack-tools): 1024 flow entries have been shown.
> 1024
> root@OpenWrt:~# ./conntrack -U -p tcp -m 1
> tcp 6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83
> sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83
> dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED]
> mark=1 use=2
> tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656
> dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> dport=57656 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000
> dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> dport=57000 packets=7 bytes=11317 [ASSURED] mark=1 use=2
> tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=55730
> dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> dport=55730 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> ......
> conntrack v1.4.7 (conntrack-tools): 1023 flow entries have been updated.
>
> After above issue is fixed, I can not reproduce the "-f ipv4" issue. Seems
> that we don't need patch
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

This is also required because conntrack -U/-D dumps the table from the
kernel, then it iterates over the list of entries. If the entry
expires, -U/-D will hit ENOENT, which should be ignored. This is
another regression from 1.4.6.

> We only need
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
> and
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/

Applied, thanks for reporting.

I have also pushed out this test:

f088ba22246b ("tests/conntrack: add initial stress test for conntrack")

which covers these two bugs.

^ permalink raw reply [flat|nested] 9+ messages in thread
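The control flow Pablo describes in the message above (dump the table, then update entry by entry, treating ENOENT as an entry that expired in between and any other errno as a real failure) as a small Python model. This is an added illustration for this page, not code from conntrack-tools; the table, timeouts, clock and fault injection are constructed, and the tuples only reuse addresses from the listings in this thread.

```python
"""Model of the `conntrack -U` control flow described in the thread.

Added illustration for this page, not code from conntrack-tools. The real
tool dumps the table over netlink, then sends one update per dumped entry.
Entries can expire between the dump and the update, so ENOENT on a single
entry is benign and is skipped, while any other errno (the thread mentions
EPROTO and ENOBUFS) is a real failure and must abort with an error rather
than be printed and ignored. All timeouts, marks and injected faults below
are constructed; the tuples reuse addresses from the listings above.
"""
import errno
from dataclasses import dataclass


@dataclass
class Flow:
    """One constructed conntrack entry: remaining timeout (s) and its mark."""
    timeout: int
    mark: int = 0


class ConntrackTable:
    """Stand-in for the kernel table, keyed by (src, dst, sport, dport)."""

    def __init__(self, flows, fail_with=None):
        self.flows = dict(flows)
        self.now = 0
        # Fault injection: {tuple: errno name}, e.g. {t: "EPROTO"} makes the
        # update of tuple t fail the way a netlink sequence mismatch would.
        self.fail_with = fail_with or {}

    def dump(self):
        """Snapshot of live tuples, as `conntrack -L` / the dump step of -U."""
        return [t for t, f in self.flows.items() if f.timeout > self.now]

    def tick(self, seconds=1):
        """Advance the clock and expire flows whose timeout has run out."""
        self.now += seconds
        self.flows = {t: f for t, f in self.flows.items() if f.timeout > self.now}

    def update_mark(self, tup, mark):
        """Per-entry update; raises OSError with the errno netlink would return."""
        if tup in self.fail_with:
            code = getattr(errno, self.fail_with[tup])
            raise OSError(code, errno.errorcode[code])
        if tup not in self.flows:
            raise OSError(errno.ENOENT, "No such file or directory")
        self.flows[tup].mark = mark


def update_marks(table, mark, seconds_per_update=1):
    """Apply `mark` to every entry of a snapshot of `table`.

    Returns (updated, expired). ENOENT means the entry went away after the
    dump and is skipped; anything else is re-raised so the caller exits
    with an error instead of silently leaving some entries unmarked.
    """
    snapshot = table.dump()
    updated = expired = 0
    for tup in snapshot:
        table.tick(seconds_per_update)  # time passes while we iterate
        try:
            table.update_mark(tup, mark)
        except OSError as exc:
            if exc.errno == errno.ENOENT:
                expired += 1
                continue
            raise  # EPROTO, ENOBUFS, ...: a real problem, do not hide it
        updated += 1
    return updated, expired


def run_update(table, mark):
    """CLI-style outcome: ("ok", updated, expired) or ("error", errno name)."""
    try:
        updated, expired = update_marks(table, mark)
    except OSError as exc:
        return ("error", errno.errorcode.get(exc.errno, str(exc.errno)))
    return ("ok", updated, expired)


def demo_table(fail_with=None):
    """Constructed sample table: two flows about to expire, two long-lived."""
    flows = {
        ("192.168.1.30", "10.40.9.83", 47592, 80): Flow(timeout=1),
        ("192.168.1.30", "10.40.9.83", 46262, 80): Flow(timeout=50),
        ("192.168.1.30", "10.40.9.83", 46820, 80): Flow(timeout=2),
        ("192.168.1.30", "10.40.9.83", 46888, 80): Flow(timeout=120),
    }
    return ConntrackTable(flows, fail_with)


if __name__ == "__main__":
    table = demo_table()
    shown = len(table.dump())
    print(f"{shown} flow entries shown,", run_update(table, mark=1))
    faulty = demo_table({("192.168.1.30", "10.40.9.83", 46262, 80): "EPROTO"})
    print("with an injected netlink fault:", run_update(faulty, mark=1))
```

The "shown" versus "updated" counts this prints differ for the same reason the listings above show 1024 shown but 1023 updated: entries that disappear after the dump are skipped, not counted as failures.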
* Re: Fwd: question about using conntrack to change the mark
  2023-08-22  8:51 ` Pablo Neira Ayuso
@ 2023-08-22  9:46 ` Tony He
  2023-08-22 10:00 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 9+ messages in thread
From: Tony He @ 2023-08-22 9:46 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

On Tue, Aug 22, 2023 at 16:51, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Tue, Aug 22, 2023 at 10:11:00AM +0800, Tony He wrote:
> [...]
> > I confirm this issue has been fixed. I even tried about 1000 flow entries.
> > root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> > conntrack v1.4.7 (conntrack-tools): 1024 flow entries have been shown.
> > 1024
> > root@OpenWrt:~# ./conntrack -U -p tcp -m 1
> > tcp 6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83
> > sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83
> > dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED]
> > mark=1 use=2
> > tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656
> > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > dport=57656 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000
> > dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> > dport=57000 packets=7 bytes=11317 [ASSURED] mark=1 use=2
> > tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=55730
> > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > dport=55730 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > ......
> > conntrack v1.4.7 (conntrack-tools): 1023 flow entries have been updated.
> >
> > After above issue is fixed, I can not reproduce the "-f ipv4" issue. Seems
> > that we don't need patch
> >
> > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/
>
> This is also required because conntrack -U/-D dumps the table from the
> kernel, then it iterates over the list of entries. If the entry
> expires, -U/-D will hit ENOENT, which should be ignored. This is
> another regression from 1.4.6.

Sorry, I still don't quite understand. I mean if we don't add [1] and
[2], I can reproduce "Protocol error".
However, after adding above [1] and [2], I can not reproduce "Protocol
error" even though [3] is not added.
Is [3] used to fix "Protocol error"? If yes, why can it not be
reproduced by me? My test env is not changed.

[1] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
[2] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/
[3] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

> > We only need
> > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
> > and
> > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/
>
> Applied, thanks for reporting.
>
> I have also pushed out this test:
>
> f088ba22246b ("tests/conntrack: add initial stress test for conntrack")
>
> which covers these two bugs.

^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Fwd: question about using conntrack to change the mark
  2023-08-22  9:46 ` Tony He
@ 2023-08-22 10:00 ` Pablo Neira Ayuso
  2023-08-22 10:09 ` Tony He
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2023-08-22 10:00 UTC (permalink / raw)
  To: Tony He; +Cc: netfilter

On Tue, Aug 22, 2023 at 05:46:06PM +0800, Tony He wrote:
> On Tue, Aug 22, 2023 at 16:51, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > On Tue, Aug 22, 2023 at 10:11:00AM +0800, Tony He wrote:
> > [...]
> > > I confirm this issue has been fixed. I even tried about 1000 flow entries.
> > > root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> > > conntrack v1.4.7 (conntrack-tools): 1024 flow entries have been shown.
> > > 1024
> > > root@OpenWrt:~# ./conntrack -U -p tcp -m 1
> > > tcp 6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83
> > > sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83
> > > dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED]
> > > mark=1 use=2
> > > tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656
> > > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > dport=57656 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > > tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000
> > > dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > dport=57000 packets=7 bytes=11317 [ASSURED] mark=1 use=2
> > > tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=55730
> > > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > dport=55730 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > > ......
> > > conntrack v1.4.7 (conntrack-tools): 1023 flow entries have been updated.
> > >
> > > After above issue is fixed, I can not reproduce the "-f ipv4" issue. Seems
> > > that we don't need patch
> > >
> > > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/
> >
> > This is also required because conntrack -U/-D dumps the table from the
> > kernel, then it iterates over the list of entries. If the entry
> > expires, -U/-D will hit ENOENT, which should be ignored. This is
> > another regression from 1.4.6.
>
> Sorry, I still don't quite understand. I mean if we don't add [1] and
> [2], I can reproduce "Protocol error".
> However, after adding above [1] and [2], I can not reproduce "Protocol
> error" even though [3] is not added.
> Is [3] used to fix "Protocol error"? If yes, why can it not be
> reproduced by me? My test env is not changed.
>
> [1] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
> [2] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/
> [3] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

[1] and [2] are sufficient to fix the problems that you reported.

[3] is a different issue that you did not report that I found while
reviewing this code.

^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Fwd: question about using conntrack to change the mark
  2023-08-22 10:00 ` Pablo Neira Ayuso
@ 2023-08-22 10:09 ` Tony He
  0 siblings, 0 replies; 9+ messages in thread
From: Tony He @ 2023-08-22 10:09 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

OK, thanks for clarifying. The mail below caused the misunderstanding.

> > I need to add option "-f ipv4", but not all entries can be updated
> > successfully. "Protocol error" is reported.
>
> EPROTO means netlink sequence numbers are not fine, which might refer
> to another userspace bug.
>
> I made another patch, error handling was not robust in the -U case (no
> exit_error was used, instead printf).
>
> Also try this patch on top of the previous patch.
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/

On Tue, Aug 22, 2023 at 18:00, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Tue, Aug 22, 2023 at 05:46:06PM +0800, Tony He wrote:
> > On Tue, Aug 22, 2023 at 16:51, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > >
> > > On Tue, Aug 22, 2023 at 10:11:00AM +0800, Tony He wrote:
> > > [...]
> > > > I confirm this issue has been fixed. I even tried about 1000 flow entries.
> > > > root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
> > > > conntrack v1.4.7 (conntrack-tools): 1024 flow entries have been shown.
> > > > 1024
> > > > root@OpenWrt:~# ./conntrack -U -p tcp -m 1
> > > > tcp 6 7423 ESTABLISHED src=192.168.1.30 dst=10.40.9.83
> > > > sport=53786 dport=80 packets=2 bytes=112 src=10.40.9.83
> > > > dst=10.40.9.165 sport=80 dport=53786 packets=1 bytes=60 [ASSURED]
> > > > mark=1 use=2
> > > > tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57656
> > > > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > > dport=57656 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > > > tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57000
> > > > dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > > dport=57000 packets=7 bytes=11317 [ASSURED] mark=1 use=2
> > > > tcp 6 103 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=55730
> > > > dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
> > > > dport=55730 packets=6 bytes=11265 [ASSURED] mark=1 use=2
> > > > ......
> > > > conntrack v1.4.7 (conntrack-tools): 1023 flow entries have been updated.
> > > >
> > > > After above issue is fixed, I can not reproduce the "-f ipv4" issue. Seems
> > > > that we don't need patch
> > > >
> > > > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/
> > >
> > > This is also required because conntrack -U/-D dumps the table from the
> > > kernel, then it iterates over the list of entries. If the entry
> > > expires, -U/-D will hit ENOENT, which should be ignored. This is
> > > another regression from 1.4.6.
> >
> > Sorry, I still don't quite understand. I mean if we don't add [1] and
> > [2], I can reproduce "Protocol error".
> > However, after adding above [1] and [2], I can not reproduce "Protocol
> > error" even though [3] is not added.
> > Is [3] used to fix "Protocol error"? If yes, why can it not be
> > reproduced by me? My test env is not changed.
> >
> > [1] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@netfilter.org/
> > [2] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821120105.29538-1-pablo@netfilter.org/
> > [3] https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@netfilter.org/
>
> [1] and [2] are sufficient to fix the problems that you reported.
>
> [3] is a different issue that you did not report that I found while
> reviewing this code.

^ permalink raw reply [flat|nested] 9+ messages in thread
Thread overview: 9+ messages
[not found] <CAAUX2SVTLxtpzsMnKWCpjRZwAKn391rm5T=y=oHPQ_T1w2UpBA@mail.gmail.com>
2023-08-21 7:44 ` Fwd: question about using conntrack to change the mark Tony He
2023-08-21 10:29 ` Pablo Neira Ayuso
2023-08-21 11:26 ` Tony He
2023-08-21 12:02 ` Pablo Neira Ayuso
2023-08-22 2:11 ` Tony He
2023-08-22 8:51 ` Pablo Neira Ayuso
2023-08-22 9:46 ` Tony He
2023-08-22 10:00 ` Pablo Neira Ayuso
2023-08-22 10:09 ` Tony He