search for: ctdir

...Chain OUTPUT (policy ACCEPT) > target prot opt source destination > > Chain FI-vnet0 (1 references) > target prot opt source destination > RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED ctdir ORIGINAL > RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED ctdir ORIGINAL > RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY > RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53...

...e rules from my old box did not reveal anything suspicious to me. However, through just pure guesswork, I managed to ocasionally "fix" the problem by manually editing 3 relevant rules as follows: --A FI-vnet0 -p tcp -m tcp --sport 110 -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir ORIGINAL -j RETURN +-A FI-vnet0 -p tcp -m tcp --sport 110 -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir REPLY -j RETURN --A FO-vnet0 -p tcp -m tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -m conntrack --ctdir REPLY -j ACCEPT +-A FO-vnet0 -p tcp -m tcp --dport 110 -m conntrack...

...debug i looked at the iptables rules. We see that no packet go to the rules for the filter : Chain FI-vnet0 (1 references) pkts bytes target prot opt in out source destination 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 ctstate ESTABLISHED ctdir REPLY 0 0 RETURN tcp -- * * 0.0.0.0/0 192.168.150.50 tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FO-vnet0 (1 references) pkts bytes target prot opt in out source destination...

...eived, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 13.225/13.703/14.182/0.492 ms root@nwfilter-test:~# Looking at iptables-save it seems like the right rules are programmed: -A FI-vnet1 -p icmp -j RETURN -A FI-vnet1 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir REPLY -j RETURN -A FI-vnet1 -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir REPLY -j RETURN -A FI-vnet1 -j REJECT --reject-with icmp-port-unreachable -A FO-vnet1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FO-vnet1 -p icmp -j RETURN -A FO-vnet1 -p tcp -m...

...iven as above: --8<---------------cut here---------------start------------->8--- root:~# iptables -L HI-vnet5 Chain HI-vnet5 (1 references) target prot opt source destination RETURN tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED ctdir ORIGINAL DROP all -- anywhere anywhere root:~# --8<---------------cut here---------------end--------------->8--- The chain relations are: INPUT -> libvirt-host-in -> HI-vnet5. The interesting thing is: If I insert the same rule again, but with ctdir reversed, eve...

...#39; comment='test test test'/> </rule> </filter> but i get strange results (look at the attached output of iptables-save) for me it looks like the direction='out' filters are attached to every chain for this domain. additional there are wrong conntrack, state and ctdir matches. is this a bug or my fault? /stephan -- Software is like sex, it's better when it's free!