From: Oleg <lego12239@yandex.ru>
To: netfilter-devel@vger.kernel.org
Subject: nfqueue accepted packet disappears
Date: Thu, 8 Jun 2017 21:15:19 +0300
Message-ID: <20170608181519.GA27147@legohost>

  Hi all!

I have a test environment consisting of 2 qemu VMs with the following
network configuration:

VM2 eth0 --> [host br1] --> eth1 VM1 eth0 --> [host br0] --> Internet

I am testing an nfqueue-based filter running on VM1, which for now simply
accepts all packets from eth1 immediately on entering the callback:

#include <netinet/in.h>                            /* ntohl() */
#include <linux/netfilter.h>                       /* NF_ACCEPT */
#include <libnetfilter_queue/libnetfilter_queue.h>

/* Queue callback: issue an ACCEPT verdict for every packet as soon as it
 * arrives.  ERR_OUT is the poster's own error macro, defined elsewhere. */
static int
cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfad,
   void *data)
{
	struct nfqnl_msg_packet_hdr *ph;
	unsigned int verdict = NF_ACCEPT;
	int ret;

	(void)nfmsg;
	(void)data;

	/* The packet header carries the id the verdict must refer to;
	 * nfq_get_msg_packet_hdr() returns NULL if it is missing. */
	ph = nfq_get_msg_packet_hdr(nfad);
	if (ph == NULL)
		return -1;

	ret = nfq_set_verdict(qh, ntohl(ph->packet_id), verdict, 0, NULL);
	if (ret < 0)
		ERR_OUT("nfq_set_verdict() error");

	/* nfq_set_verdict() returns the number of bytes sent to the kernel;
	 * report success/failure to the caller rather than the byte count. */
	return ret < 0 ? -1 : 0;
}

ping from VM2 works well, but the following command is delayed for several seconds:

~# telnet google.com 80

tcpdump on br0 and br1 shows that telnet sends 2 DNS requests (A & AAAA),
and we see them on br1:

20:58:20.289941 IP 192.168.78.2.58758 > 8.8.8.8.53: 32688+ A? google.com. (28)
20:58:20.289985 IP 192.168.78.2.58758 > 8.8.8.8.53: 37919+ AAAA? google.com. (28)
20:58:20.315317 IP 8.8.8.8.53 > 192.168.78.2.58758: 32688 6/0/0 A 173.194.222.102, A 173.194.222.100, A 173.194.222.101, A 173.194.222.138, A 173.194.222.113, A 173.194.222.139 (124)

but there is only 1 reply, because on br0 the second request disappears:

20:58:20.290354 IP 192.168.77.32.58758 > 8.8.8.8.53: 32688+ A? google.com. (28)
20:58:20.314921 IP 8.8.8.8.53 > 192.168.77.32.58758: 32688 6/0/0 A 173.194.222.102, A 173.194.222.100, A 173.194.222.101, A 173.194.222.138, A 173.194.222.113, A 173.194.222.139 (124)

After 5 seconds telnet repeats the 2 DNS requests, and now it gets 2
replies. On br1:

20:58:25.294296 IP 192.168.78.2.58758 > 8.8.8.8.53: 32688+ A? google.com. (28)
20:58:25.299535 IP 8.8.8.8.53 > 192.168.78.2.58758: 32688 6/0/0 A 173.194.222.102, A 173.194.222.100, A 173.194.222.101, A 173.194.222.138, A 173.194.222.113, A 173.194.222.139 (124)
20:58:25.300172 IP 192.168.78.2.58758 > 8.8.8.8.53: 37919+ AAAA? google.com. (28)
20:58:25.322761 IP 8.8.8.8.53 > 192.168.78.2.58758: 37919 1/0/0 AAAA 2a00:1450:4010:c0b::8a (56)

On br0 we now see 2 requests as expected:

20:58:25.295072 IP 192.168.77.32.58758 > 8.8.8.8.53: 32688+ A? google.com. (28)
20:58:25.299056 IP 8.8.8.8.53 > 192.168.77.32.58758: 32688 6/0/0 A 173.194.222.102, A 173.194.222.100, A 173.194.222.101, A 173.194.222.138, A 173.194.222.113, A 173.194.222.139 (124)
20:58:25.301021 IP 192.168.77.32.58758 > 8.8.8.8.53: 37919+ AAAA? google.com. (28)
20:58:25.322186 IP 8.8.8.8.53 > 192.168.77.32.58758: 37919 1/0/0 AAAA 2a00:1450:4010:c0b::8a (56)

When I remove the nfqueue rule from iptables on VM1, telnet works well and
all packets are forwarded.

So, my question is: what happens to the first AAAA request, and how can
I fix this?

kernel: 4.4.6
iptables: 1.4.21
libnetfilter_queue: 1.0.2

Thanks!


-- 
Олег Неманов (Oleg Nemanov)
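An added example (not the poster's code, nor anything from libnetfilter_queue) that automates the comparison the post does by hand: it parses tcpdump DNS lines captured on the inside bridge (br1) and the outside bridge (br0), matches queries across the NAT hop by client port and DNS transaction ID rather than by source IP (VM1 rewrites 192.168.78.2 to 192.168.77.32 on the way out), and reports queries that never show up on the outer side or never receive a reply. The capture text below is constructed from the first burst in the post, with the answer lists shortened; the function names are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample captures modelled on the tcpdump lines in the post
# (first DNS burst only: the A query is forwarded, the AAAA query is not).
INSIDE_BR1 = """\
20:58:20.289941 IP 192.168.78.2.58758 > 8.8.8.8.53: 32688+ A? google.com. (28)
20:58:20.289985 IP 192.168.78.2.58758 > 8.8.8.8.53: 37919+ AAAA? google.com. (28)
20:58:20.315317 IP 8.8.8.8.53 > 192.168.78.2.58758: 32688 6/0/0 A 173.194.222.102 (124)
"""
OUTSIDE_BR0 = """\
20:58:20.290354 IP 192.168.77.32.58758 > 8.8.8.8.53: 32688+ A? google.com. (28)
20:58:20.314921 IP 8.8.8.8.53 > 192.168.77.32.58758: 32688 6/0/0 A 173.194.222.102 (124)
"""

Dns = namedtuple("Dns", "ts src_ip src_port dst_ip dst_port txid qtype is_query")

# "<ts> IP <src>.<port> > <dst>.<port>: <txid>[+] <rest>"; the '+' is the
# recursion-desired flag tcpdump prints on queries.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)\+? (?P<rest>.*)$")


def _split_endpoint(endpoint):
    """'192.168.78.2.58758' -> ('192.168.78.2', 58758)."""
    ip, port = endpoint.rsplit(".", 1)
    return ip, int(port)


def parse_capture(text):
    """Turn tcpdump DNS lines into Dns records; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src_ip, src_port = _split_endpoint(m["src"])
        dst_ip, dst_port = _split_endpoint(m["dst"])
        tokens = m["rest"].split()
        if tokens[0].endswith("?"):      # "A? google.com." -> a query
            qtype, is_query = tokens[0][:-1], True
        else:                            # "6/0/0 A ..." or "NXDomain ..." -> an answer
            qtype, is_query = None, False
        records.append(Dns(m["ts"], src_ip, src_port, dst_ip, dst_port,
                           int(m["txid"]), qtype, is_query))
    return records


def client_key(rec):
    """Flow key that survives source NAT: (client port, transaction id).

    The client's port is the source port of a query and the destination
    port of its reply; the IP is deliberately excluded because VM1
    rewrites it between br1 and br0.
    """
    port = rec.src_port if rec.is_query else rec.dst_port
    return (port, rec.txid)


def queries_lost_between(inside_text, outside_text):
    """Queries seen on the inside capture that never appear on the outside one."""
    outside = {client_key(r) for r in parse_capture(outside_text) if r.is_query}
    return [r for r in parse_capture(inside_text)
            if r.is_query and client_key(r) not in outside]


def unanswered_queries(text):
    """Queries on one capture that have no reply with the same client key."""
    records = parse_capture(text)
    answered = {client_key(r) for r in records if not r.is_query}
    return [r for r in records if r.is_query and client_key(r) not in answered]


if __name__ == "__main__":
    for r in queries_lost_between(INSIDE_BR1, OUTSIDE_BR0):
        print("lost between br1 and br0: port %d txid %d %s at %s"
              % (r.src_port, r.txid, r.qtype, r.ts))
    for r in unanswered_queries(INSIDE_BR1):
        print("unanswered on br1: port %d txid %d %s" % (r.src_port, r.txid, r.qtype))
```

With real captures, feed `tcpdump -n -i br1 udp port 53` and the br0 equivalent into the two functions; a query that is lost between the bridges but present on the inside points at the forwarding path on VM1 (here, the nfqueue rule), whereas a query that reaches br0 but is unanswered points upstream instead.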
