From: "André Paulsberg-Csibi (IBM Consultant)" <Andre.Paulsberg-Csibi@evry.com>
To: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: No sign of INVALID packet , LOGS DROP but not reason
Date: Sun, 29 May 2016 10:42:47 +0000
Message-ID: <1464518566817.52562@evry.com>

Hi,
I have come across something that I am starting to think is a bug,
but before I start upgrading and other works let's see if I missed something!
I have log entries like these:
May 28 10:47:13 zotac kernel: INVALID-STATE IN=vlan0 OUT= MAC=# SRC=189.222.120.167 DST=# LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=5745 PROTO=TCP SPT=21735 DPT=56715 WINDOW=0 RES=0x00 ACK RST URGP=0
I have used
conntrack -E -o timestamp
and added logging with
echo 255 > /proc/sys/net/netfilter/nf_conntrack_log_invalid
From what I can see there are no "kernel: nf_ct_tcp: " entries at the moment of the DROP of ACK RST
and there is an entry in conntrack for this session that should allow ACK RST to terminate that session.
When I do:
zotac:~ # journalctl | grep nf_ct | grep " ACK RST " | grep -v " ACK RST FIN "
May 26 22:35:31 zotac kernel: nf_ct_tcp: invalid RST IN= OUT= SRC=# DST=81.233.185.232 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=14841 PROTO=TCP SPT=7905 DPT=56206 SEQ=2244837322 ACK=835716258 WINDOW=0 RES=0x00 ACK RST URGP=0
I only find ONE result, but when I do:
zotac:~ # journalctl | grep INVALID | grep " ACK RST " | grep -v " ACK RST FIN " | grep "May 2[678]" | wc
1590 38480 412611
I should have at least 1000+ more nf_ct log entries to match all my INVALID ACK RST log entries.
I have tried to spot some issues with TCPDUMPs, but all packets seem like normal ACK RST when I try to get the same result "manually" by sending SYN packets (I just used "telnet IP PORT" to a port I found in my log) ...
I see the ACK RST telling me the port is blocked and I can't seem to find any issues with the packet!
Best regards
André Paulsberg-Csibi
Senior Network Engineer
Fault Handling
IBM Services AS
andre.paulsberg-csibi@evry.com
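
An added example, not part of the original message: a small Python correlator for the comparison made above with grep counts. It pairs each INVALID-STATE drop line with an nf_ct_tcp reason line and returns the drops that have none. Matching on PROTO/SPT/DPT/ID within two seconds is an assumption, and the sample lines are constructed in the layout of the logs quoted above.

```python
import re
from datetime import datetime, timedelta

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")                # KEY=value pairs; value may be empty
STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")  # syslog timestamp (carries no year)

# Constructed sample lines (documentation addresses), not taken from the original logs.
SAMPLE = [
    "May 28 10:47:13 zotac kernel: INVALID-STATE IN=vlan0 OUT= MAC=# SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=5745 PROTO=TCP SPT=21735 DPT=56715 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "May 28 10:47:15 zotac kernel: nf_ct_tcp: invalid RST IN= OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=14841 PROTO=TCP SPT=7905 DPT=56206 SEQ=1000 ACK=2000 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "May 28 10:47:15 zotac kernel: INVALID-STATE IN=vlan0 OUT= MAC=# SRC=192.0.2.11 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=14841 PROTO=TCP SPT=7905 DPT=56206 WINDOW=0 RES=0x00 ACK RST URGP=0",
]

def parse(line, year=2016):
    """Return (timestamp, kind, key) for a drop or reason line, else None."""
    m = STAMP.match(line)
    if not m:
        return None
    if "nf_ct_tcp:" in line:          # written when nf_conntrack_log_invalid is enabled
        kind = "reason"
    elif "INVALID-STATE" in line:     # log prefix of the ruleset's own LOG rule
        kind = "drop"
    else:
        return None
    f = dict(FIELD.findall(line))
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    # Assumption: the same packet shows the same protocol, ports and IP ID in both lines.
    return ts, kind, (f.get("PROTO"), f.get("SPT"), f.get("DPT"), f.get("ID"))

def unexplained_drops(lines, window=timedelta(seconds=2)):
    """List (timestamp, key) of drop lines with no reason line close in time."""
    reasons, drops = {}, []
    for rec in filter(None, map(parse, lines)):
        ts, kind, key = rec
        if kind == "reason":
            reasons.setdefault(key, []).append(ts)
        else:
            drops.append((ts, key))
    return [(ts, key) for ts, key in drops
            if not any(abs(ts - r) <= window for r in reasons.get(key, []))]

if __name__ == "__main__":
    for ts, key in unexplained_drops(SAMPLE):
        print(ts, "no nf_ct_tcp entry for", key)
```

Feeding it the output of journalctl line by line instead of SAMPLE gives the individual drops that lack a conntrack reason, rather than only the two totals.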
Thread overview: 3+ messages
2016-05-29 10:42 André Paulsberg-Csibi (IBM Consultant) [this message]
2016-05-29 17:52 ` No sign of INVALID packet , LOGS DROP but not reason Noel Kuntze
2016-05-30 8:17 ` André Paulsberg-Csibi (IBM Consultant)