* Re: conntrack can't update mark on icmp connection
From: abirvalg @ 2012-03-20 15:35 UTC (permalink / raw)
To: netfilter-devel
Sorry to bump this thread. I just think it warrants attention.
* conntrack can't update mark on icmp connection
From: abirvalg @ 2012-02-13 22:16 UTC (permalink / raw)
To: netfilter-devel
Hello,
As root I try to set marks on all packets originating from my machine with
conntrack -U -s 192.168.1.114 --mark 10
It does set marks on some udp connections but ignores the icmp one.
Upon the issue of this command it lists all updated udp connections with mark=10 and
eventually gives
...
conntrack v0.9.14 (conntrack-tools): Operation failed: invalid parameters
After that conntrack -L shows that all udp connections that precede in the list the icmp one
were updated, but the icmp connection and all udp connections following it in the
list were not updated. Seems like conntrack choked on icmp.
Could you please help me.
uname -a
Linux 2.6.35-30-generic #60-Ubuntu SMP Mon Sep 19 20:45:08 UTC 2011 i686 \
GNU/Linux
P.S.
Please CC me when replying.
* Re: conntrack can't update mark on icmp connection
From: Pablo Neira Ayuso @ 2012-03-23 1:11 UTC (permalink / raw)
To: abirvalg; +Cc: netfilter-devel
On Tue, Feb 14, 2012 at 12:16:44AM +0200, abirvalg@lavabit.com wrote:
> Hello,
> As root I try to set marks on all packets originating from my machine with
>
> conntrack -U -s 192.168.1.114 --mark 10
>
> It does set marks on some udp connections but ignores the icmp one.
> Upon the issue of this command it lists all updated udp connections with mark=10 and
> eventually gives
> ...
> conntrack v0.9.14 (conntrack-tools): Operation failed: invalid parameters
>
> After that conntrack -L shows that all udp connections that precede in the list the icmp one
> were updated, but the icmp connection and all udp connections following it in the
> list were not updated. Seems like conntrack choked on icmp.
>
> Could you please help me.
> uname -a
> Linux 2.6.35-30-generic #60-Ubuntu SMP Mon Sep 19 20:45:08 UTC 2011 i686 \
> GNU/Linux
The problem seems to be in libnetfilter_conntrack.
I have pushed the following patch, it seems to resolve the issue here
for me.
commit 3a39278a56d12ad13a41973cd0b50238206f11ef
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri Mar 23 02:07:41 2012 +0100
conntrack: fix wrong building of ICMP reply tuple
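
Added example, not part of the original thread or of conntrack-tools: a check for the partial update described in the report, counting per protocol the entries from a source address that did not receive the expected mark. The address 192.168.1.114 and mark 10 come from the report; the function names and the sample table lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find conntrack entries from one source that lack a mark,
# to confirm whether an update pass (conntrack -U) stopped partway.

# unmarked_by_proto SRC MARK  (hypothetical helper name)
# Reads `conntrack -L` style lines on stdin and prints "<proto> <count>"
# for entries whose original-direction source is SRC and whose mark is
# not MARK. An entry with no mark= field at all is also counted.
unmarked_by_proto() {
    awk -v src="$1" -v want="$2" '
    {
        osrc = ""; mark = ""
        for (i = 1; i <= NF; i++) {
            # The first src= on a line belongs to the original direction;
            # the second one is the reply tuple and must be ignored here.
            if (osrc == "" && $i ~ /^src=/) osrc = substr($i, 5)
            if ($i ~ /^mark=/) mark = substr($i, 6)
        }
        if (osrc == src && mark != want) missed[$1]++
    }
    END { for (p in missed) print p, missed[p] }' | sort
}

# Constructed sample table: one marked udp entry, then an icmp entry and a
# later udp entry left unmarked, plus an unrelated source address.
sample_table() {
    cat <<'EOF'
udp      17 25 src=192.168.1.114 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.1.114 sport=53 dport=40000 mark=10 use=1
icmp     1 28 src=192.168.1.114 dst=192.168.1.1 type=8 code=0 id=4321 src=192.168.1.1 dst=192.168.1.114 type=0 code=0 id=4321 mark=0 use=1
udp      17 27 src=192.168.1.114 dst=192.168.1.1 sport=40001 dport=53 src=192.168.1.1 dst=192.168.1.114 sport=53 dport=40001 mark=0 use=1
udp      17 20 src=192.168.1.50 dst=192.168.1.1 sport=40002 dport=123 src=192.168.1.1 dst=192.168.1.50 sport=123 dport=40002 mark=0 use=1
EOF
}

# On a live system (as root), feed the real table instead:
#   conntrack -L 2>/dev/null | unmarked_by_proto 192.168.1.114 10
sample_table | unmarked_by_proto 192.168.1.114 10
```

Any output after an update pass means some entries were skipped; empty output means every entry from that source carries the mark.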