bugzilla-daemon@bugzilla.netfilter.org
2006-May-13 19:12 UTC
[Bug 464] state match sometimes failes RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From netfilter@linuxace.com 2006-05-13 19:12 MET -------

Please add a -j LOG immediately after your "state RELATED,ESTABLISHED" for state INVALID packets, i.e.:

    -m state --state INVALID -j LOG

See if you get hits on that rule.
bugzilla-daemon@bugzilla.netfilter.org
2006-May-17 12:13 UTC
[Bug 464] state match sometimes failes RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From joerg@dorchain.net 2006-05-17 12:13 MET -------

I added

    checkblock -m state --state INVALID -j LOG --log-prefix "Invalid match: " --log-level 5

directly after the -m state --state RELATED,ESTABLISHED rule. I get many hits. The most recent examples are:

    May 17 06:35:33 Redstar kernel: Invalid match: IN=ppp0 OUT= MAC= SRC=83.6.229.113 DST=212.88.133.153 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=17271 PROTO=TCP SPT=113 DPT=47278 WINDOW=0 RES=0x00 ACK RST URGP=0
    May 17 09:36:16 Redstar kernel: Invalid match: IN=ppp0 OUT= MAC= SRC=201.15.156.90 DST=212.88.133.153 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=18238 PROTO=TCP SPT=113 DPT=55518 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
    May 17 09:37:14 Redstar kernel: Invalid match: IN=ppp0 OUT= MAC= SRC=61.77.124.119 DST=212.88.133.153 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=33521 PROTO=TCP SPT=113 DPT=47544 WINDOW=0 RES=0x00 ACK RST URGP=0

I did not try the website where the change from http to https triggers it. If you need more information just tell.
bugzilla-daemon@bugzilla.netfilter.org
2006-May-18 03:05 UTC
[Bug 464] state match sometimes failes RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From netfilter@linuxace.com 2006-05-18 03:04 MET -------

Can you try the problematic website and see if the log triggers?
bugzilla-daemon@bugzilla.netfilter.org
2006-May-18 21:07 UTC
[Bug 464] state match sometimes failes RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From joerg@dorchain.net 2006-05-18 21:07 MET -------

Yes, it does:

    May 18 20:36:45 Redstar kernel: Invalid match: IN=ppp0 OUT= MAC= SRC=217.10.79.19 DST=212.88.133.153 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=35499 DF PROTO=TCP SPT=35742 DPT=49165 WINDOW=9190 RES=0x00 ACK RST URGP=0

I am confused about this in several ways:

- unknown src and dst port
- The web browser is on the internal site of the NAT. Nevertheless filter sees it with the outside IP as dst. The outgoing interface should be eth1.

Any more ideas to debug this further? I can also provide tcpdumps if that helps.
bugzilla-daemon@bugzilla.netfilter.org
2006-May-28 02:00 UTC
[Bug 464] state match sometimes failes RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From netfilter@linuxace.com 2006-05-28 02:00 MET -------

Could you try eliminating the rules using the "recent" match, and see if that helps? There are a number of problems with that match in 2.6.16 (which Patrick is thankfully working on correcting via a rewrite).
bugzilla-daemon@bugzilla.netfilter.org
2006-May-31 21:01 UTC
[Bug 464] state match sometimes failes RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464

------- Additional Comments From joerg@dorchain.net 2006-05-31 21:01 MET -------

I removed all -m recent matches and unloaded the ipt-recent kernel module. The behaviour is unchanged, i.e. I still get matches on the invalid rules after the -m state RELATED,ESTABLISHED rule. The test website is amongst the ones triggering the rule:

    May 31 20:34:21 Redstar kernel: Invalid match: IN=ppp0 OUT= MAC= SRC=217.10.79.19 DST=212.88.133.153 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=19116 DF PROTO=TCP SPT=42603 DPT=49178 WINDOW=8140 RES=0x00 ACK RST URGP=0
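Added example, not part of the bug thread or of netfilter: a small triage script for the hits produced by the "Invalid match: " LOG rule discussed above, grouping them by TCP flag set and source port so that a pattern across many hits is visible at a glance. The sample lines are constructed in the same LOG format with documentation addresses; the host name `fw` and the function names are assumptions.

```python
from collections import Counter

# Constructed sample in the LOG-target format quoted in this thread
# (documentation addresses; host name and values are made up).
SAMPLE = """\
May 17 06:35:33 fw kernel: Invalid match: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=17271 PROTO=TCP SPT=113 DPT=47278 WINDOW=0 RES=0x00 ACK RST URGP=0
May 17 09:36:16 fw kernel: Invalid match: IN=ppp0 OUT= MAC= SRC=192.0.2.20 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=18238 PROTO=TCP SPT=113 DPT=55518 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
May 17 09:37:14 fw kernel: Invalid match: IN=ppp0 OUT= MAC= SRC=192.0.2.30 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=33521 PROTO=TCP SPT=113 DPT=47544 WINDOW=0 RES=0x00 ACK RST URGP=0
May 18 20:36:45 fw kernel: Invalid match: IN=ppp0 OUT= MAC= SRC=203.0.113.19 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=35499 DF PROTO=TCP SPT=35742 DPT=49165 WINDOW=9190 RES=0x00 ACK RST URGP=0
May 18 20:36:46 fw kernel: Other prefix: IN=ppp0 OUT= MAC= SRC=203.0.113.19 DST=198.51.100.5 PROTO=TCP SPT=80 DPT=49165 SYN URGP=0
"""

# Flag names as the LOG target prints them, as bare tokens after RES=.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

def parse_log_line(line, prefix="Invalid match: "):
    """Return the KEY=value fields and TCP flags of one hit, or None."""
    _, found, rest = line.partition(prefix)
    if not found:
        return None                      # line came from a different rule
    rec = {"flags": []}
    for tok in rest.split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val               # IN=, SRC=, SPT=, ... (may be empty)
        elif tok in TCP_FLAGS:
            rec["flags"].append(tok)     # bare IP flags such as DF are skipped
    return rec

def summarise(text):
    """Count TCP hits by flag combination and by source port."""
    by_flags, by_sport = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or "SPT" not in rec:
            continue                     # other rule, other protocol, or truncated
        by_flags[" ".join(rec["flags"])] += 1
        by_sport[int(rec["SPT"])] += 1
    return by_flags, by_sport

def rst_share(by_flags):
    """Fraction of counted hits whose flag set includes RST."""
    total = sum(by_flags.values())
    rst = sum(n for flags, n in by_flags.items() if "RST" in flags.split())
    return rst / total if total else 0.0

if __name__ == "__main__":
    flags, sports = summarise(SAMPLE)
    print(dict(flags), dict(sports), rst_share(flags))
```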