netfilter-devel.vger.kernel.org archive mirror
* Packet marked wrongly as INVALID?
@ 2010-07-01  9:12 Marco Innocenti
  2010-07-02  7:55 ` Patrick McHardy
  0 siblings, 1 reply; 2+ messages in thread
From: Marco Innocenti @ 2010-07-01  9:12 UTC (permalink / raw)
  To: netfilter-devel


Hi,
     on a couple of production servers I routinely get some packets which 
should be marked as NEW but are marked as INVALID, and I'm unable to 
understand why or to reproduce the problem in a testing environment.
I use distribution kernels (SUSE 2.6.16.60-0.58.1-smp and Debian 
2.6.26-2-amd64) on Intel (64 bit) but I could try a recent kernel if 
the need arises.


Jul  1 09:14:44 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47760 DF PROTO=TCP SPT=53816 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  1 09:16:18 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13606 DF PROTO=TCP SPT=54446 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  1 09:16:34 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15917 DF PROTO=TCP SPT=54694 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  1 09:16:55 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22772 DF PROTO=TCP SPT=54863 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0



miur10:/ # iptables -L -n -v | head -n 4
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  33M   21G ACCEPT     all  --  bond1  *       0.0.0.0/0            0.0.0.0/0
 245K   11M LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID LOG flags 0 level 4 prefix `INPUT-INVALID'




In the attached file INVALID packets are only logged (no DROP). If I 
DROP the packets they are retransmitted and marked again as INVALID:

Jul  1 11:03:12 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5926 DF PROTO=TCP SPT=53260 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  1 11:03:15 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5927 DF PROTO=TCP SPT=53260 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0






-- 
**********************************************************************
Marco Innocenti              Dipartimento Sistemi E Tecnologie
CINECA                       phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3           e-mail: innocenti@cineca.it
40033 Casalecchio di Reno    Bologna (Italia)
**********************************************************************

[-- Attachment #2: tcpdump.pcap.bz2 --]
[-- Type: application/x-bzip, Size: 27649 bytes --]


* Re: Packet marked wrongly as INVALID?
  2010-07-01  9:12 Packet marked wrongly as INVALID? Marco Innocenti
@ 2010-07-02  7:55 ` Patrick McHardy
  0 siblings, 0 replies; 2+ messages in thread
From: Patrick McHardy @ 2010-07-02  7:55 UTC (permalink / raw)
  To: Marco Innocenti; +Cc: netfilter-devel

Marco Innocenti wrote:
> Hi,
>     on a couple of production servers I routinely get some packets which 
> should be marked as NEW but are marked as INVALID, and I'm unable to 
> understand why or to reproduce the problem in a testing environment.
> I use distribution kernels (SUSE 2.6.16.60-0.58.1-smp and Debian 
> 2.6.26-2-amd64) on Intel (64 bit) but I could try a recent kernel if 
> the need arises.
>
>
> Jul  1 09:14:44 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47760 DF PROTO=TCP SPT=53816 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Jul  1 09:16:18 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13606 DF PROTO=TCP SPT=54446 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Jul  1 09:16:34 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15917 DF PROTO=TCP SPT=54694 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Jul  1 09:16:55 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22772 DF PROTO=TCP SPT=54863 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
>

"echo 6 > /proc/sys/net/netfilter/nf_conntrack_log_invalid" will make
conntrack log the reason for marking the packets as INVALID.

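As an added example (not part of the thread, and not netfilter's or the kernel's own code), the following POSIX shell script wraps the two steps discussed above: turning on conntrack's INVALID-reason logging as the reply suggests, and summarising the INPUT-INVALID LOG lines from the first message per SRC:SPT -> DST:DPT so a SYN that is retransmitted and rejected again (SPT=53260 above) stands out with a count above 1. The sysctl takes an IP protocol number (6 = TCP, 255 = every protocol). The embedded sample input reuses the thread's own LOG lines plus one constructed `nf_ct_tcp:` reason line standing in for what the sysctl adds; the exact reason wording depends on the kernel version. The function names, the fallback path for older ip_conntrack kernels and the constructed reason line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: enable_invalid_logging,
# summarize_invalid, invalid_reasons, demo, demo_reasons, SAMPLE_LOG.

# nf_conntrack_log_invalid takes an IP protocol number: 0 = off, 1 = ICMP,
# 6 = TCP (the value the reply above suggests), 17 = UDP, 255 = every protocol.
enable_invalid_logging() {
    proto="${1:-6}"
    f=/proc/sys/net/netfilter/nf_conntrack_log_invalid
    # Assumed fallback: older ip_conntrack kernels expose the knob under ipv4/.
    [ -e "$f" ] || f=/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
    if [ ! -w "$f" ]; then
        echo "cannot write $f: need root and a loaded conntrack module" >&2
        return 1
    fi
    echo "$proto" > "$f"
}

# Count iptables LOG lines carrying the INPUT-INVALID prefix per
# "SRC:SPT -> DST:DPT flags".  A retransmitted SYN that is rejected again
# shows up with a count > 1; a different SPT is a separate connection attempt.
summarize_invalid() {
    grep 'INPUT-INVALID' | awk '
    {
        src = dst = spt = dpt = flags = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") { src = kv[2] }
            else if (kv[1] == "DST") { dst = kv[2] }
            else if (kv[1] == "SPT") { spt = kv[2] }
            else if (kv[1] == "DPT") { dpt = kv[2] }
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) {
                flags = (flags == "") ? $i : flags "," $i
            }
        }
        count[src ":" spt " -> " dst ":" dpt " " flags]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# With the sysctl on, conntrack emits "nf_ct_tcp: <reason> IN=..." lines next to
# the LOG ones; tally the distinct reasons so the dominant one is obvious.
invalid_reasons() {
    sed -n 's/.*nf_ct_tcp: \(.*\) IN=.*/\1/p' | sort | uniq -c | sort -rn
}

# Sample input: LOG lines from the first message in the thread, plus one
# constructed nf_ct_tcp line (reason text is illustrative and version dependent).
SAMPLE_LOG='Jul  1 09:14:44 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47760 DF PROTO=TCP SPT=53816 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  1 09:16:18 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13606 DF PROTO=TCP SPT=54446 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  1 11:03:12 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5926 DF PROTO=TCP SPT=53260 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  1 11:03:12 miur10 kernel: nf_ct_tcp: invalid state IN=bond0 OUT= SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5926 DF PROTO=TCP SPT=53260 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  1 11:03:15 miur10 kernel: INPUT-INVALIDIN=bond0 OUT= MAC=00:22:19:bb:85:7b:00:0b:fc:fe:1b:01:08:00 SRC=130.186.5.204 DST=10.253.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5927 DF PROTO=TCP SPT=53260 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# Run the two summaries over the embedded sample (no root needed).
demo() { printf '%s\n' "$SAMPLE_LOG" | summarize_invalid; }
demo_reasons() { printf '%s\n' "$SAMPLE_LOG" | invalid_reasons; }

demo
demo_reasons
```

On a live box, run `enable_invalid_logging 6` as root, reproduce the connection attempt, then pipe `dmesg` or the kernel syslog through `summarize_invalid` and `invalid_reasons`; set the sysctl back to 0 afterwards, since logging every invalid TCP packet on a busy server is noisy.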
