* udp connection moved from ASSURED to UNREPLIED
@ 2008-04-26 14:07 Aymeric Moizard
2008-04-26 18:15 ` Jan Engelhardt
0 siblings, 1 reply; 5+ messages in thread
From: Aymeric Moizard @ 2008-04-26 14:07 UTC (permalink / raw)
To: netfilter
I've got a linux debian running 2.6.24-1-amd64 and iptables v1.4.0
It's my NAT box and is connected to a dsl box using DHCP from which I
get a public IP on eth0 and my LAN is connected using eth1.
I got established UDP connection initiated from LAN to a public
server:
ipv4 2 udp 17 178 src=192.168.2.50 dst=212.27.XX.X sport=6010
dport=5060 packets=48 bytes=4074 src=212.27.XX.X dst=88.171.XX.XX
sport=5060 dport=6010 packets=379 bytes=24499 [ASSURED] mark=0 secmark=0
use=1
This connection was initiated by 192.168.2.50, but most packets are coming
from 212.27.XX.X: those packets are meant to be "keep-alive" packets to
hold the UDP binding opened for a VoIP application.
Each 30minutes, the box is sengind an ARP request and suddenly, the
incoming packets from 212.27.XX.X gets rejected with icmp "port
unreachable" as if the conntrack was deleted upon receiving the arp
request from the dsl box.
Right after this packet was refused, the conntrack for the entrie
dissapear and gets back to a new one [UNREPLIED] as soon as a packet
from server is received:
ipv4 2 udp 17 28 src=212.27.52.5 dst=88.171.117.238 sport=5060
dport=6010 packets=1 bytes=60 [UNREPLIED] src=88.171.117.238
dst=212.27.52.5 sport=6010 dport=5060 packets=0 bytes=0 mark=0 secmark=0
use=1
As you can see conntrack does not remember any more that I was sending
UDP packets before: in the above case, the last outgoing UDP packet
was sent less than 20 seconds before this happen.
It looks to me that arp doesn't affect any existing TCP connection:
however UDP connection gets destroyed.
I'm searching for help to avoid the removal of my UDP conntrack entry.
tks,
Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com
osip2 - http://www.osip.org
eXosip2 - http://savannah.nongnu.org/projects/exosip/
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: udp connection moved from ASSURED to UNREPLIED
2008-04-26 14:07 udp connection moved from ASSURED to UNREPLIED Aymeric Moizard
@ 2008-04-26 18:15 ` Jan Engelhardt
2008-04-26 23:09 ` Aymeric Moizard
0 siblings, 1 reply; 5+ messages in thread
From: Jan Engelhardt @ 2008-04-26 18:15 UTC (permalink / raw)
To: Aymeric Moizard; +Cc: netfilter
On Saturday 2008-04-26 16:07, Aymeric Moizard wrote:
>
>
> ipv4 2 udp 17 178 src=192.168.2.50 dst=212.27.XX.X sport=6010
> dport=5060 packets=48 bytes=4074 src=212.27.XX.X dst=88.171.XX.XX sport=5060
> dport=6010 packets=379 bytes=24499 [ASSURED] mark=0 secmark=0 use=1
Hiding IP addresses is totally meaninless, we all know it is
88.171.117.238--212.27.52.5 you are talking to. That probably
does not even buy us a beer. Anyway...
> Each 30minutes, the box is sengind an ARP request and suddenly, the incoming
> packets from 212.27.XX.X gets rejected with icmp "port unreachable" as if the
> conntrack was deleted upon receiving the arp request from the dsl box.
So, throw up the conntrack event listener (`conntrack -E`) next
to a tcpdump and see what happens on the conntrack table when
that ARP is seen.
Or maybe your keepalive packets come in intervals less than the
UDP timeout.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: udp connection moved from ASSURED to UNREPLIED
2008-04-26 18:15 ` Jan Engelhardt
@ 2008-04-26 23:09 ` Aymeric Moizard
2008-04-27 17:42 ` Aymeric Moizard
0 siblings, 1 reply; 5+ messages in thread
From: Aymeric Moizard @ 2008-04-26 23:09 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter
On Sat, 26 Apr 2008, Jan Engelhardt wrote:
>
> On Saturday 2008-04-26 16:07, Aymeric Moizard wrote:
>>
>>
>> ipv4 2 udp 17 178 src=192.168.2.50 dst=212.27.XX.X sport=6010
>> dport=5060 packets=48 bytes=4074 src=212.27.XX.X dst=88.171.XX.XX sport=5060
>> dport=6010 packets=379 bytes=24499 [ASSURED] mark=0 secmark=0 use=1
>
> Hiding IP addresses is totally meaninless, we all know it is
> 88.171.117.238--212.27.52.5 you are talking to. That probably
> does not even buy us a beer. Anyway...
>
>> Each 30minutes, the box is sengind an ARP request and suddenly, the incoming
>> packets from 212.27.XX.X gets rejected with icmp "port unreachable" as if the
>> conntrack was deleted upon receiving the arp request from the dsl box.
>
> So, throw up the conntrack event listener (`conntrack -E`) next
> to a tcpdump and see what happens on the conntrack table when
> that ARP is seen.
Among the event I get from "conntrack -E":
[DESTROY] udp 17 src=192.168.2.50 dst=212.27.52.5 sport=6010
dport=5060 packets=12 bytes=3102 src=212.27.52.5 dst=88.171.117.238
sport=5060 dport=6010 packets=75 bytes=6667
all other udp connections are getting destroyed as well.
> Or maybe your keepalive packets come in intervals less than the
> UDP timeout.
Sure they don't. It also happen with RTP/UDP stream: (packet in each
direction each 20ms).
If you wish any other information, capture, log, beers, please ask!
tks,
Aymeric
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: udp connection moved from ASSURED to UNREPLIED
2008-04-26 23:09 ` Aymeric Moizard
@ 2008-04-27 17:42 ` Aymeric Moizard
2008-04-29 23:45 ` Pascal Hambourg
0 siblings, 1 reply; 5+ messages in thread
From: Aymeric Moizard @ 2008-04-27 17:42 UTC (permalink / raw)
To: netfilter
Problem solved: I swithed from MASQUERADE to SNAT and the issue
was solved. I don't know yet the difference between them but I'll
look in the documentation.
tks for your help,
Aymeric MOIZARD / ANTISIP
amsip - http://www.antisip.com
osip2 - http://www.osip.org
eXosip2 - http://savannah.nongnu.org/projects/exosip/
On Sun, 27 Apr 2008, Aymeric Moizard wrote:
>
>
> On Sat, 26 Apr 2008, Jan Engelhardt wrote:
>
>>
>> On Saturday 2008-04-26 16:07, Aymeric Moizard wrote:
>>>
>>>
>>> ipv4 2 udp 17 178 src=192.168.2.50 dst=212.27.XX.X sport=6010
>>> dport=5060 packets=48 bytes=4074 src=212.27.XX.X dst=88.171.XX.XX
>>> sport=5060
>>> dport=6010 packets=379 bytes=24499 [ASSURED] mark=0 secmark=0 use=1
>>
>> Hiding IP addresses is totally meaninless, we all know it is
>> 88.171.117.238--212.27.52.5 you are talking to. That probably
>> does not even buy us a beer. Anyway...
>>
>>> Each 30minutes, the box is sengind an ARP request and suddenly, the
>>> incoming
>>> packets from 212.27.XX.X gets rejected with icmp "port unreachable" as if
>>> the
>>> conntrack was deleted upon receiving the arp request from the dsl box.
>>
>> So, throw up the conntrack event listener (`conntrack -E`) next
>> to a tcpdump and see what happens on the conntrack table when
>> that ARP is seen.
>
> Among the event I get from "conntrack -E":
>
> [DESTROY] udp 17 src=192.168.2.50 dst=212.27.52.5 sport=6010
> dport=5060 packets=12 bytes=3102 src=212.27.52.5 dst=88.171.117.238
> sport=5060 dport=6010 packets=75 bytes=6667
>
> all other udp connections are getting destroyed as well.
>
>> Or maybe your keepalive packets come in intervals less than the
>> UDP timeout.
>
> Sure they don't. It also happen with RTP/UDP stream: (packet in each
> direction each 20ms).
>
> If you wish any other information, capture, log, beers, please ask!
>
> tks,
> Aymeric
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: udp connection moved from ASSURED to UNREPLIED
2008-04-27 17:42 ` Aymeric Moizard
@ 2008-04-29 23:45 ` Pascal Hambourg
0 siblings, 0 replies; 5+ messages in thread
From: Pascal Hambourg @ 2008-04-29 23:45 UTC (permalink / raw)
To: Aymeric Moizard; +Cc: netfilter
Hello,
Aymeric Moizard a écrit :
>
> Problem solved: I swithed from MASQUERADE to SNAT and the issue
> was solved. I don't know yet the difference between them but I'll
> look in the documentation.
Connections which were modified by MASQUERADE are flushed from the
conntrack table when the related interface goes down or its IP address
changes. Connections which were modified by SNAT are not affected by
these events.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2008-04-29 23:45 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-04-26 14:07 udp connection moved from ASSURED to UNREPLIED Aymeric Moizard
2008-04-26 18:15 ` Jan Engelhardt
2008-04-26 23:09 ` Aymeric Moizard
2008-04-27 17:42 ` Aymeric Moizard
2008-04-29 23:45 ` Pascal Hambourg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox