From: Daniel Pittman <daniel@rimspace.net>
To: dmeyer@dmeyer.net
Cc: linux-kernel@vger.kernel.org
Subject: Re: What does "NAT: dropping untracked packet" mean?
Date: 02 Feb 2001 10:45:00 +1100 [thread overview]
Message-ID: <87puh26k8z.fsf@inanna.rimspace.net> (raw)
In-Reply-To: <20010201133811.D14768@ipe.uni-stuttgart.de> <20010201181952.A5803@jhereg.dmeyer.net>
In-Reply-To: <20010201181952.A5803@jhereg.dmeyer.net> (dmeyer@dmeyer.net's message of "Thu, 1 Feb 2001 18:19:52 -0500")
dmeyer <dmeyer@dmeyer.net> writes:
>
> In article <20010201151717.D5706@emma1.emma.line.org> you write:
>> On Thu, 01 Feb 2001, Nils Rennebarth wrote:
>> > Feb 1 12:58:56 obelix kernel: NAT: 0 dropping untracked packet
>> ce767600 1 129.69.22.21 -> 224.0.0.2
>>
>> It means that your box drops multicast administrative packets on the
>> floor.
>
> I'm getting the occasional
>
> Feb 1 13:17:08 yendi kernel: NAT: 0 dropping untracked packet c3ea4da0
> 1 146.188.249.73 -> 209.220.232.240
>
> syslog message. What exactly does it mean? 146.188.249.73 isn't my
> machine at all, and 209.220.232.240 is my firewall. I assume I'm
> dropping someone's packets on the floor, but what can cause a packet
> to get dropped like that?
The one big thing I know of that causes these messages is a
long-standing bug in the FreeBSD and OpenBSD (and presumably NetBSD, I
don't know about that one, though) network stacks.
When sending an ICMP host unreachable response to a DF packet, some of
the packet was byte-swapped.
The bytes were *only* in the segment of the original IP packet appended
to the ICMP message for identification purposes.
Under normal conditions this packet works fine with Linux. The
connection is killed, all is fine.
When running netfilter and connection tracking, netfilter uses these
byte-swapped fields to associate the ICMP message with the original TCP
or UDP packets.
Because the fields are out-of-order, this match fails. netfilter then
drops the packet on the floor and generates the 'untracked packet'
message.
FreeBSD have fixes their network stack not that long ago. I believe that
their 5.0 release corrects the bug, but I am not sure of that. Check
with them if you really care.
I don't believe that OpenBSD have corrected this problem at this stage
but, again, I have not checked recently. Check with them if you really
care.
This bug is *only* triggered when the packet has DF set. Normal packets
don't trigger that particular buggy code path.
Daniel
--
The truth knocks on the door and you say, 'Go away, I'm looking for
the truth,' and so it goes away. Puzzling...
-- Robert Pirsig
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2001-02-01 23:46 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-02-01 12:38 What does "NAT: dropping untracked packet" mean? Nils Rennebarth
2001-02-01 14:17 ` Matthias Andree
2001-02-01 23:19 ` dmeyer
2001-02-01 23:45 ` Daniel Pittman [this message]
2001-02-01 23:46 ` Magnus Erixzon
2001-02-01 15:09 ` James Stevenson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87puh26k8z.fsf@inanna.rimspace.net \
--to=daniel@rimspace.net \
--cc=dmeyer@dmeyer.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox