* Should conntrack track *everything* into some "connection"?
@ 2011-05-11 9:24 Ed W
0 siblings, 0 replies; only message in thread
From: Ed W @ 2011-05-11 9:24 UTC (permalink / raw)
To: netfilter-devel
Apologies that this is a repost of a question on the users list. I just
wanted to rephrase the question in terms of "what *should* happen" so
that I can understand the limitations of conntrack
Q: Should conntrack track *every* IP packet in/out of a machine?
Q: Are there any known limitations to accounting at the moment?
eg corrupted packets, icmp unsolicited responses, tcp resends, etc?
If the answer is that conntrack *should* track all packets then I
have found an example that it is not tracking the ICMP Unreachable
response which occurs when a remote UDP packet is returned to a
local socket which has since been closed.
To clarify the situation, I have been experimenting with logging conntrack
flows using ulogd2. However, the numbers aren't stacking up against a
simple iptables accounting rule...
An example seems to be to cause a name lookup via dnsmasq. For whatever
reason this does two simultaneous dns requests to both configured dns
servers. One reply comes back slightly quicker than the other and the
slower reply appears to cause a local ICMP unreachable response to be
generated (I think dnsmasq closes it's listening socket once it gets an
answer). Everything is logged *except* the data for the ICMP unreachable
response?
So tcpdump gives me (note sizes are payload, add 28 to compare with conntrack):
22:23:40.151666 IP 10.141.36.76.25630 > 8.8.4.4.53: 11049+ AAAA? www.yahoo.co.uk. (33)
22:23:40.151993 IP 10.141.36.76.25630 > 8.8.8.8.53: 11049+ AAAA? www.yahoo.co.uk. (33)
22:23:40.850776 IP 8.8.4.4.53 > 10.141.36.76.25630: 11049 3/1/0 CNAME rc.yahoo.com., CNAME rc.g01.yahoodns.net., CNAME any-rc.a01.yahoodns.net. (178)
22:23:41.014108 IP 8.8.8.8.53 > 10.141.36.76.25630: 11049 3/1/0 CNAME rc.yahoo.com., CNAME rc.g01.yahoodns.net., CNAME any-rc.a01.yahoodns.net. (178)
22:23:41.014217 IP 10.141.36.76 > 8.8.8.8: ICMP 10.141.36.76 udp port 25630 unreachable, length 214
22:23:41.401743 IP 10.141.36.76.10248 > 8.8.4.4.53: 25285+ A? www.yahoo.co.uk. (33)
22:23:41.764124 IP 8.8.4.4.53 > 10.141.36.76.10248: 25285 4/0/0 CNAME rc.yahoo.com., CNAME rc.g01.yahoodns.net., CNAME any-rc.a01.yahoodns.net., A 77.238.178.122 (133)
However, conntrack gives me:
May 9 22:24:10 localhost [DESTROY] ORIG: SRC=10.141.36.76 DST=8.8.4.4 PROTO=UDP SPT=25630 DPT=53 PKTS=1 BYTES=61 , REPLY: SRC=8.8.4.4 DST=10.141.36.76 PROTO=UDP SPT=53 DPT=25630 PKTS=1 BYTES=206
May 9 22:24:10 localhost [DESTROY] ORIG: SRC=10.141.36.76 DST=8.8.8.8 PROTO=UDP SPT=25630 DPT=53 PKTS=1 BYTES=61 , REPLY: SRC=8.8.8.8 DST=10.141.36.76 PROTO=UDP SPT=53 DPT=25630 PKTS=1 BYTES=206
May 9 22:24:11 localhost [DESTROY] ORIG: SRC=10.141.36.76 DST=8.8.4.4 PROTO=UDP SPT=10248 DPT=53 PKTS=1 BYTES=61 , REPLY: SRC=8.8.4.4 DST=10.141.36.76 PROTO=UDP SPT=53 DPT=10248 PKTS=1 BYTES=161
Basically it's missing any count for the packet with tcpdump
timestamp: 22:23:41.014217 - ie the port unreachable response?
This is confirmed by looking at the iptables counts
Is this a "bug" in conntrack or in ulogd?
Anyone know of any other reasons that conntrack accounting might not count some traffic? (corrupted packets? tcp resends?)
Thanks
Ed W
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2011-05-11 16:35 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-05-11 9:24 Should conntrack track *everything* into some "connection"? Ed W
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).