Linux Netfilter discussions
* udp connection moved from ASSURED to UNREPLIED
@ 2008-04-26 14:07 Aymeric Moizard
  2008-04-26 18:15 ` Jan Engelhardt
  0 siblings, 1 reply; 5+ messages in thread
From: Aymeric Moizard @ 2008-04-26 14:07 UTC (permalink / raw)
  To: netfilter


I've got a Linux Debian box running 2.6.24-1-amd64 and iptables v1.4.0.
It's my NAT box and is connected to a DSL box using DHCP, from which I
get a public IP on eth0; my LAN is connected using eth1.

I have an established UDP connection initiated from the LAN to a public
server:

ipv4     2 udp      17 178 src=192.168.2.50 dst=212.27.XX.X sport=6010 
dport=5060 packets=48 bytes=4074 src=212.27.XX.X dst=88.171.XX.XX 
sport=5060 dport=6010 packets=379 bytes=24499 [ASSURED] mark=0 secmark=0 
use=1

This connection was initiated by 192.168.2.50, but most packets are coming 
from 212.27.XX.X: those packets are meant to be "keep-alive" packets to
hold the UDP binding opened for a VoIP application.

Every 30 minutes, the box is sending an ARP request and suddenly the
incoming packets from 212.27.XX.X get rejected with ICMP "port
unreachable", as if the conntrack entry was deleted upon receiving the ARP
request from the DSL box.

Right after this packet was refused, the conntrack entry disappears
and comes back as a new [UNREPLIED] one as soon as a packet from the
server is received:

ipv4     2 udp      17 28 src=212.27.52.5 dst=88.171.117.238 sport=5060 
dport=6010 packets=1 bytes=60 [UNREPLIED] src=88.171.117.238 
dst=212.27.52.5 sport=6010 dport=5060 packets=0 bytes=0 mark=0 secmark=0 
use=1

As you can see, conntrack does not remember any more that I was sending
UDP packets before: in the above case, the last outgoing UDP packet
was sent less than 20 seconds before this happened.

It looks to me that ARP doesn't affect any existing TCP connection;
however, UDP connections get destroyed.

I'm searching for help to avoid the removal of my UDP conntrack entry.

tks,
Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com
osip2 - http://www.osip.org
eXosip2 - http://savannah.nongnu.org/projects/exosip/



* Re: udp connection moved from ASSURED to UNREPLIED
  2008-04-26 14:07 udp connection moved from ASSURED to UNREPLIED Aymeric Moizard
@ 2008-04-26 18:15 ` Jan Engelhardt
  2008-04-26 23:09   ` Aymeric Moizard
From: Jan Engelhardt @ 2008-04-26 18:15 UTC (permalink / raw)
  To: Aymeric Moizard; +Cc: netfilter


On Saturday 2008-04-26 16:07, Aymeric Moizard wrote:
>
>
> ipv4     2 udp      17 178 src=192.168.2.50 dst=212.27.XX.X sport=6010
> dport=5060 packets=48 bytes=4074 src=212.27.XX.X dst=88.171.XX.XX sport=5060
> dport=6010 packets=379 bytes=24499 [ASSURED] mark=0 secmark=0 use=1

Hiding IP addresses is totally meaningless, we all know it is
88.171.117.238--212.27.52.5 you are talking to. That probably
does not even buy us a beer. Anyway...

> Every 30 minutes, the box is sending an ARP request and suddenly the incoming
> packets from 212.27.XX.X get rejected with ICMP "port unreachable" as if the
> conntrack entry was deleted upon receiving the ARP request from the DSL box.

So, throw up the conntrack event listener (`conntrack -E`) next
to a tcpdump and see what happens on the conntrack table when
that ARP is seen.

Or maybe your keepalive packets come in intervals less than the
UDP timeout.


* Re: udp connection moved from ASSURED to UNREPLIED
  2008-04-26 18:15 ` Jan Engelhardt
@ 2008-04-26 23:09   ` Aymeric Moizard
  2008-04-27 17:42     ` Aymeric Moizard
From: Aymeric Moizard @ 2008-04-26 23:09 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter



On Sat, 26 Apr 2008, Jan Engelhardt wrote:

>
> On Saturday 2008-04-26 16:07, Aymeric Moizard wrote:
>>
>>
>> ipv4     2 udp      17 178 src=192.168.2.50 dst=212.27.XX.X sport=6010
>> dport=5060 packets=48 bytes=4074 src=212.27.XX.X dst=88.171.XX.XX sport=5060
>> dport=6010 packets=379 bytes=24499 [ASSURED] mark=0 secmark=0 use=1
>
> Hiding IP addresses is totally meaningless, we all know it is
> 88.171.117.238--212.27.52.5 you are talking to. That probably
> does not even buy us a beer. Anyway...
>
>> Every 30 minutes, the box is sending an ARP request and suddenly the incoming
>> packets from 212.27.XX.X get rejected with ICMP "port unreachable" as if the
>> conntrack entry was deleted upon receiving the ARP request from the DSL box.
>
> So, throw up the conntrack event listener (`conntrack -E`) next
> to a tcpdump and see what happens on the conntrack table when
> that ARP is seen.

Among the events I get from "conntrack -E":

[DESTROY] udp      17 src=192.168.2.50 dst=212.27.52.5 sport=6010
dport=5060 packets=12 bytes=3102 src=212.27.52.5 dst=88.171.117.238
sport=5060 dport=6010 packets=75 bytes=6667

All other UDP connections are getting destroyed as well.

> Or maybe your keepalive packets come in intervals less than the
> UDP timeout.

Sure they don't. It also happens with an RTP/UDP stream (a packet in each
direction every 20ms).

If you wish any other information, capture, log, beers, please ask!

tks,
Aymeric



* Re: udp connection moved from ASSURED to UNREPLIED
  2008-04-26 23:09   ` Aymeric Moizard
@ 2008-04-27 17:42     ` Aymeric Moizard
  2008-04-29 23:45       ` Pascal Hambourg
From: Aymeric Moizard @ 2008-04-27 17:42 UTC (permalink / raw)
  To: netfilter


Problem solved: I switched from MASQUERADE to SNAT and the issue
was solved. I don't know yet the difference between them but I'll
look in the documentation.

tks for your help,
Aymeric MOIZARD / ANTISIP
amsip - http://www.antisip.com
osip2 - http://www.osip.org
eXosip2 - http://savannah.nongnu.org/projects/exosip/


On Sun, 27 Apr 2008, Aymeric Moizard wrote:

>
>
> On Sat, 26 Apr 2008, Jan Engelhardt wrote:
>
>> 
>> On Saturday 2008-04-26 16:07, Aymeric Moizard wrote:
>>> 
>>> 
>>> ipv4     2 udp      17 178 src=192.168.2.50 dst=212.27.XX.X sport=6010
>>> dport=5060 packets=48 bytes=4074 src=212.27.XX.X dst=88.171.XX.XX 
>>> sport=5060
>>> dport=6010 packets=379 bytes=24499 [ASSURED] mark=0 secmark=0 use=1
>> 
>> Hiding IP addresses is totally meaningless, we all know it is
>> 88.171.117.238--212.27.52.5 you are talking to. That probably
>> does not even buy us a beer. Anyway...
>> 
>>> Every 30 minutes, the box is sending an ARP request and suddenly the
>>> incoming
>>> packets from 212.27.XX.X get rejected with ICMP "port unreachable" as if
>>> the
>>> conntrack entry was deleted upon receiving the ARP request from the DSL box.
>> 
>> So, throw up the conntrack event listener (`conntrack -E`) next
>> to a tcpdump and see what happens on the conntrack table when
>> that ARP is seen.
>
> Among the events I get from "conntrack -E":
>
> [DESTROY] udp      17 src=192.168.2.50 dst=212.27.52.5 sport=6010
> dport=5060 packets=12 bytes=3102 src=212.27.52.5 dst=88.171.117.238
> sport=5060 dport=6010 packets=75 bytes=6667
>
> All other UDP connections are getting destroyed as well.
>
>> Or maybe your keepalive packets come in intervals less than the
>> UDP timeout.
>
> Sure they don't. It also happens with an RTP/UDP stream (a packet in each
> direction every 20ms).
>
> If you wish any other information, capture, log, beers, please ask!
>
> tks,
> Aymeric
>


* Re: udp connection moved from ASSURED to UNREPLIED
  2008-04-27 17:42     ` Aymeric Moizard
@ 2008-04-29 23:45       ` Pascal Hambourg
From: Pascal Hambourg @ 2008-04-29 23:45 UTC (permalink / raw)
  To: Aymeric Moizard; +Cc: netfilter

Hello,

Aymeric Moizard wrote:
> 
> Problem solved: I switched from MASQUERADE to SNAT and the issue
> was solved. I don't know yet the difference between them but I'll
> look in the documentation.

Connections which were modified by MASQUERADE are flushed from the 
conntrack table when the related interface goes down or its IP address 
changes. Connections which were modified by SNAT are not affected by 
these events.
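A small detection helper for the symptom described in this thread, added here as an example and not code from any of the posters: it parses `conntrack -E` event lines in the format Aymeric quoted and reports DESTROY events for UDP flows that had already seen packets in both directions, which is what a MASQUERADE flush on an address change looks like from the event stream. The sample lines are constructed for the example (modelled on the quoted ones; the 192.168.2.51/.52 hosts are made up), and the parser assumes the original tuple is printed before the reply tuple, as in the quoted output.

```python
import re

# Constructed sample of `conntrack -E` output modelled on the thread's lines.
# The first three events show a normal UDP entry going NEW -> ASSURED; the
# DESTROY events are what a flush of the NAT table produces.
SAMPLE_EVENTS = """\
    [NEW] udp      17 30 src=192.168.2.50 dst=212.27.52.5 sport=6010 dport=5060 [UNREPLIED] src=212.27.52.5 dst=88.171.117.238 sport=5060 dport=6010
 [UPDATE] udp      17 30 src=192.168.2.50 dst=212.27.52.5 sport=6010 dport=5060 src=212.27.52.5 dst=88.171.117.238 sport=5060 dport=6010
 [UPDATE] udp      17 180 src=192.168.2.50 dst=212.27.52.5 sport=6010 dport=5060 src=212.27.52.5 dst=88.171.117.238 sport=5060 dport=6010 [ASSURED]
[DESTROY] udp      17 src=192.168.2.50 dst=212.27.52.5 sport=6010 dport=5060 packets=12 bytes=3102 src=212.27.52.5 dst=88.171.117.238 sport=5060 dport=6010 packets=75 bytes=6667
[DESTROY] udp      17 src=192.168.2.51 dst=212.27.52.5 sport=6020 dport=5060 packets=3 bytes=600 src=212.27.52.5 dst=88.171.117.238 sport=5060 dport=6020 packets=0 bytes=0
[DESTROY] udp      17 src=192.168.2.52 dst=212.27.52.5 sport=7000 dport=7000 packets=500 bytes=80000 src=212.27.52.5 dst=88.171.117.238 sport=7000 dport=7000 packets=498 bytes=79000
"""

# "[EVENT] proto protonum ..." ; the optional timeout and the two tuples follow.
EVENT_RE = re.compile(r"^\s*\[(?P<event>\w+)\]\s+(?P<proto>\w+)\s+\d+\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one conntrack event line into event type, protocol and the
    original/reply tuples (each a dict of key=value fields)."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    # Both tuples use the same keys, so split at the second "src=".
    first = rest.find("src=")
    second = rest.find("src=", first + 4)
    return {
        "event": m.group("event"),
        "proto": m.group("proto"),
        "orig": dict(KV_RE.findall(rest[:second])),
        "reply": dict(KV_RE.findall(rest[second:])),
    }


def destroyed_bidirectional_udp(lines):
    """Return (src, sport, dst, dport) of UDP entries destroyed after traffic
    had flowed both ways, i.e. entries conntrack would have marked ASSURED.
    A burst of these at once is the flush this thread is about."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != "DESTROY" or ev["proto"] != "udp":
            continue
        if int(ev["orig"].get("packets", 0)) > 0 and int(ev["reply"].get("packets", 0)) > 0:
            o = ev["orig"]
            hits.append((o["src"], o["sport"], o["dst"], o["dport"]))
    return hits
```

Feed it `conntrack -E` output line by line to see whether the destroyed entries were replied flows (a flush) or merely timed-out UNREPLIED ones.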
