From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Something weird
Date: Wed, 01 Oct 2008 09:59:52 -0500 [thread overview]
Message-ID: <48E39068.9020908@riverviewtech.net> (raw)
In-Reply-To: <200810011151.53192.mveloso@tecnologiaip.com.br>
On 10/01/08 09:51, Marcio Veloso Antunes wrote:
> I found out what is happening, it is exactly what you've said.
*nod*
> The reason this occurs is related to conntrack, the specific route is
> getting up after the first packet leaves the internal network (via
> VPN interface, without masquerade), then when the specific route
> enters, the connection has been established already.
That will do it.
> Even when the interface changes from TUN0 to PPP0 the connection
> persists and the packets keep NOT being re-verified.
'k
> I don't know if it can be considered a Bug, but it seems to me an odd
> situation as the interface have changed, other networks will be
> crossed, i think the rules should be re-validated, don't you ?
I don't know if it is a bug per say or not. I would guess it has to do
with whether or not the connection tracking code in kernel is aware of
interface / network / route state changes or not. If it is unaware of
state changes then it is not possible for connection tracking to know
that something is amiss. If it is aware of state change then I would
think that it should trap for this and handle it more gracefully than it
did, thus a possible bug. But seeing as how I don't get that deep in to
kernel I can't say one way or the other.
> root@fw:/proc/net# grep 172.18.0.13 ip_conntrack
> udp 17 2809 src=172.18.0.13 dst=200.198.184.204 sport=5060
> dport=5060 packets=977 bytes=537937 src=200.198.184.204
> dst=172.18.0.13 sport=5060 dport=5060 packets=30 bytes=16384
> [ASSURED] mark=0 use=1
Would it be possible to DROP the traffic before the VPN comes up such
that the connection would never be successfully established and then
allow the traffic once the VPN is up? Hopefully this would allow
connection tracking to track the traffic on the proper interface. Also,
make sure you use a DROP not a REJECT as you don't want to return an
error the the client application(s) thus causing them to give up rather
than timing out and re-trying like they would if the traffic was just
DROPed and lost in the ether.
> Thanks for your help,
If you consider a direction to look with out an answer help, you are
welcome. ;)
Grant. . . .
prev parent reply other threads:[~2008-10-01 14:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-01 11:34 Something weird Marcio Veloso Antunes
2008-10-01 14:13 ` Grant Taylor
2008-10-01 14:51 ` Marcio Veloso Antunes
2008-10-01 14:59 ` Grant Taylor [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48E39068.9020908@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox