From: Mathew Heard <mat999@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: [RFC nf-next PATCH] netfilter: nf_conntrack_proto_tcp: propagate IP_CT_TCP_FLAG_BE_LIBERAL
Date: Fri, 21 Oct 2016 21:15:18 +1100
Message-ID: <CALFfGYY0PNHwhNsh_71_pGMX=LrpE9c4tcLZaCLS8SZsCRF-vQ@mail.gmail.com>
In-Reply-To: <20161021095645.GA17871@salvia>
On Fri, Oct 21, 2016 at 8:56 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Oct 21, 2016 at 06:26:28PM +1100, Mathew Heard wrote:
>> However under testing, in practice it is not. As covered in the bug.
>>
>> Fields: CTA_IP_V4_DST, CTA_PROTOINFO_TCP_FLAGS_ORIGINAL &
>> CTA_PROTOINFO_TCP_FLAGS_REPLY
>> Result: "**.**.56.135: 10 3"
>
> From where are you printing this? userspace or kernel?
>
CTA_* comes from libnetfilter_conntrack, which is userspace.
I have however also printk'ed flags in the kernel during testing and
seen the same (further confirmed by the crude fix working).
>> It's only being set on one side. I believe this is because the reply
>> side flags are being set/initialised after the fact (i.e where they
>> are initialised in that function for incoming connections would do it
>> too).
>
> Please develop this a bit more.
>
> Is there anything we should know about your infrastructure? e.g. kernel
> and library version, what architecture are you using?
>
> Asking this because I found an old report on problems on ARM that the
> submitter never confirmed to be fixed.
>
> Thanks.
AMD64 in both native (staging) and virtual (dev) environments.
Originally we found this issue with incoming connections, however due
to it being simpler to test I moved to testing outgoing.
I hope this ASCII diagram survives the mail system. Test System:

[NAT Router A] -----
      |             \_____
  Conntrackd              ______ Target Box
      |             /
[NAT Router B] ------
Target box connected via GRE (internal network range 10.x.x.x). Router
A and B both with standard DNAT & SNAT rules to provide connectivity &
port forwards. To test, I just change the route of an outgoing
connection from Target Box on Target Box mid-connection (i.e. by using
"ip rule").
With TCP window tracking disabled using sysctls, or with the crude
patch, this all works as expected.
Without the patch, due to the tcp flags of the reply side not
containing the correct flags, it does not.
Inbound testing was tested similarly, but by moving BGP announcements
between routers.
I have also replicated the same results in our staging environment, but
that's substantially more complex.
Regards,
Mathew
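The asymmetry Mathew reports ("10 3" for CTA_PROTOINFO_TCP_FLAGS_ORIGINAL / _REPLY) can be checked mechanically. The following is an added example, not code from the thread or from netfilter: it decodes the per-direction conntrack TCP flag bytes using the bit values from the kernel's uapi nf_conntrack_tcp.h and reports entries where IP_CT_TCP_FLAG_BE_LIBERAL is set on only one side. It assumes the two numbers in the printed line are decimal, and the sample lines are constructed.

```python
# Bit values of the per-direction conntrack TCP flags
# (uapi/linux/netfilter/nf_conntrack_tcp.h).
IP_CT_TCP_FLAGS = {
    0x01: "WINDOW_SCALE",
    0x02: "SACK_PERM",
    0x04: "CLOSE_INIT",
    0x08: "BE_LIBERAL",
    0x10: "DATA_UNACKNOWLEDGED",
    0x20: "MAXACK_SET",
    0x40: "EXP_CHALLENGE_ACK",
    0x80: "SIMULTANEOUS_OPEN",
}
BE_LIBERAL = 0x08


def decode_flags(value):
    """Names of the flag bits set in one direction's flag byte."""
    return [name for bit, name in IP_CT_TCP_FLAGS.items() if value & bit]


def parse_line(line):
    """Parse a '<dst>: <orig> <reply>' line as printed in the thread.
    Assumption: both numbers are decimal (IPv4 destinations only)."""
    dst, rest = line.rsplit(":", 1)
    orig, reply = (int(x) for x in rest.split())
    return dst.strip(), orig, reply


def be_liberal_asymmetric(orig, reply):
    """True when BE_LIBERAL is set in exactly one direction."""
    return bool(orig & BE_LIBERAL) != bool(reply & BE_LIBERAL)


def check_entries(lines):
    """Return (dst, orig_flag_names, reply_flag_names) for every entry
    where BE_LIBERAL was propagated to only one side."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        dst, orig, reply = parse_line(line)
        if be_liberal_asymmetric(orig, reply):
            findings.append((dst, decode_flags(orig), decode_flags(reply)))
    return findings


# Constructed sample: line 1 mirrors the thread's output; line 2 has
# BE_LIBERAL on both sides; line 3 on neither (both are fine).
SAMPLE = "**.**.56.135: 10 3\n10.0.0.7: 11 11\n10.0.0.8: 3 3\n"

if __name__ == "__main__":
    for dst, o, r in check_entries(SAMPLE.splitlines()):
        print(f"{dst}: BE_LIBERAL on one side only (orig={o}, reply={r})")
```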