bugzilla-daemon@bugzilla.netfilter.org
2006-Apr-13 06:22 UTC
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter@linuxace.com

------- Additional Comments From netfilter@linuxace.com 2006-04-13 06:22 MET -------
Likely because the state INVALID matches more frequently in more recent kernels (due to TCP window tracking). Do this:

echo 255 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

then try your tests again, and check what is logged in /var/log/messages
bugzilla-daemon@bugzilla.netfilter.org
2006-Apr-15 17:45 UTC
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From joerg@dorchain.net 2006-04-15 17:45 MET -------
I checked again. BTW, I am now running 2.6.16.

With the log_invalid setting as proposed, I did not see anything in the logs. Nevertheless the counter for the work-around rule increases.

A website that I found reliably triggers the effect for me is sipgate.de, the login form which changes to https (a VoIP provider, standard service is free of charge, includes a German dial-in number, no need to give more details than a street address, in case you want to test them).

For obscure reasons, the first https packet that arrives from the server is not matched as related or established, although at least in a tcpdump my https syn packet goes out first (what else). All other packets of the connection are treated as established.

Maybe it is a timing issue or clamp-mss related?

Bye, Joerg
bugzilla-daemon@bugzilla.netfilter.org
2006-Apr-15 19:26 UTC
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From netfilter@linuxace.com 2006-04-15 19:25 MET -------
Please provide the full output from iptables -nvL
bugzilla-daemon@bugzilla.netfilter.org
2006-Apr-16 10:24 UTC
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From joerg@dorchain.net 2006-04-16 10:24 MET -------
(In reply to comment #3)
> Please provide the full output from iptables -nvL

As attachment. The rules in question are in chain checkblock, which is referenced from INPUT and FORWARD.
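The thread relies on rule counters to see which rule catches the stray first packet. As an added example that is not part of the bug report or of iptables, the parser below compares two `iptables -nvL` snapshots and reports every rule whose packet counter grew between them; the snapshots are constructed, the chain name checkblock comes from the thread, and the rules inside it are assumed (the real ones are in attachment 226).

```python
import re

_CHAIN_RE = re.compile(r"^Chain (\S+) \(")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def _count(tok):
    """'12K' -> 12000; iptables -nvL abbreviates counters unless -x is given."""
    return int(float(tok[:-1]) * _SUFFIX[tok[-1]]) if tok[-1] in _SUFFIX else int(tok)

def parse_nvl(text):
    """Return {(chain, rule_no): (target, match_text, pkts)} from `iptables -nvL` output."""
    rules, chain, n = {}, None, 0
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain, n = m.group(1), 0
            continue
        f = line.split()
        if chain is None or len(f) < 8 or f[0] == "pkts":  # blank line or column header
            continue
        if f[3] in ("--", "-f", "!f"):  # rule without -j: iptables prints an empty target column
            f.insert(2, "")
        n += 1
        rules[(chain, n)] = (f[2], " ".join(f[9:]), _count(f[0]))
    return rules

def counter_deltas(before, after):
    """Rules whose packet counter grew between two snapshots: {(chain, no): (target, match, +pkts)}."""
    old = parse_nvl(before)
    return {k: (t, mt, p - old[k][2]) for k, (t, mt, p) in parse_nvl(after).items()
            if k in old and p > old[k][2]}

# Constructed snapshots (not attachment 226), taken before and after reproducing the problem.
BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  980 81234 checkblock  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain checkblock (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1387  110K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID LOG flags 0 level 4
    3   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
"""
AFTER = (BEFORE.replace("  980 81234 checkblock", " 1001 83000 checkblock")
               .replace(" 1387  110K ACCEPT", " 1402  111K ACCEPT")
               .replace("    3   180 LOG", "    4   240 LOG"))

if __name__ == "__main__":
    for (chain, no), (target, match, inc) in sorted(counter_deltas(BEFORE, AFTER).items()):
        print(f"{chain} rule {no}: {target} {match} +{inc} packets")
```

Capture the first snapshot, reproduce the failing connection once, capture the second, and the rule that gained exactly the stray packets stands out without having to read the whole listing twice.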
bugzilla-daemon@bugzilla.netfilter.org
2006-Apr-16 10:25 UTC
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From joerg@dorchain.net 2006-04-16 10:25 MET -------
Created an attachment (id=226)
 --> (https://bugzilla.netfilter.org/bugzilla/attachment.cgi?id=226&action=view)
Output of iptables -nvL