bugzilla-daemon at bugzilla.netfilter.org
2012-Jun-03 13:13 UTC
[Bug 792] New: ip_conntrack keep updating incorrect entry in conntrack table after default routing changed
http://bugzilla.netfilter.org/show_bug.cgi?id=792

           Summary: ip_conntrack keep updating incorrect entry in conntrack table after default routing changed
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: x86_64
        OS/Version: Fedora
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ip_conntrack
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: wjguo.netfilterbug at cs.nctu.edu.tw
   Estimated Hours: 0.0

My server has two outgoing interfaces set with SNAT. One of them is disconnected and is also the default route (interface A, 60.60.60.1). The other one is connected and workable (interface B, 10.10.10.1). It has one incoming interface connected with my PC (192.168.1.0/24).

The reproduce steps are:
1. Using the host under NAT to ping outside like 8.8.8.8. (Windows, with -t)
2. Changing routing from the gateway of interface A (A is not ok) to the gateway of B (B is ok).
3. The host cannot ping successfully.

I thought it should ping outside successfully, but it didn't. I captured the packets and found that it was routed to interface B, but the source IP was modified to 60.60.60.1 (A's IP) instead of 10.10.10.1 (B's IP). It was incorrect.

The root cause is that conntrack was still matching the old record and updating its timer. So I needed to stop pinging for 30s, or delete the record manually.

So I wondered why it happens only on ICMP, but not on TCP and UDP. I traced the conntrack code; the code for matching the record shows that ICMP only compares "id, type, code". Those fields are fixed even though you create new packets. ICMP always matches the old one and updates its expire time. I guess that the best way is to compare the sequence in the ICMP protocol.

As for TCP and UDP, because the source IP is generated randomly, it didn't match the old one but created a new one. This is why TCP and UDP are not affected. This is a little problem.
-- Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2012-Jun-04 02:38 UTC
[Bug 792] ip_conntrack keep updating incorrect entry in conntrack table after default routing changed
http://bugzilla.netfilter.org/show_bug.cgi?id=792

Bruce <wjguo.netfilterbug at cs.nctu.edu.tw> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wjguo.netfilterbug at cs.nctu.edu.tw
          Component|ip_conntrack                |nf_conntrack
bugzilla-daemon at bugzilla.netfilter.org
2012-Jun-04 02:40 UTC
[Bug 792] nf_conntrack keep updating incorrect entry in conntrack table after default routing changed
http://bugzilla.netfilter.org/show_bug.cgi?id=792

Bruce <wjguo.netfilterbug at cs.nctu.edu.tw> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|ip_conntrack keep updating  |nf_conntrack keep updating
                   |incorrect entry in          |incorrect entry in
                   |conntrack table after       |conntrack table after
                   |default routing changed     |default routing changed
bugzilla-daemon at bugzilla.netfilter.org
2012-Jun-08 20:03 UTC
[Bug 792] nf_conntrack keep updating incorrect entry in conntrack table after default routing changed
http://bugzilla.netfilter.org/show_bug.cgi?id=792

Jan Engelhardt <jengelh at medozas.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jengelh at medozas.de
         AssignedTo|netfilter-buglog at lists.netfilter.org |pablo at netfilter.org
bugzilla-daemon at bugzilla.netfilter.org
2012-Jun-09 00:34 UTC
[Bug 792] nf_conntrack keep updating incorrect entry in conntrack table after default routing changed
http://bugzilla.netfilter.org/show_bug.cgi?id=792

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> 2012-06-09 02:34:25 CEST ---
This is the record for three consecutive different pings with Linux:

# conntrack -L -p icmp
icmp     1 27 src=192.168.1.134 dst=8.8.8.8 type=8 code=0 id=2765 src=8.8.8.8 dst=192.168.1.134 type=0 code=0 id=2765 mark=0 use=1
icmp     1 25 src=192.168.1.134 dst=8.8.8.8 type=8 code=0 id=2763 src=8.8.8.8 dst=192.168.1.134 type=0 code=0 id=2763 mark=0 use=1
icmp     1 28 src=192.168.1.134 dst=8.8.8.8 type=8 code=0 id=2767 src=8.8.8.8 dst=192.168.1.134 type=0 code=0 id=2767 mark=0 use=1

Note that the ICMP ID is always different. This seems to be a Windows issue.
bugzilla-daemon at bugzilla.netfilter.org
2012-Jun-15 03:50 UTC
[Bug 792] nf_conntrack keep updating incorrect entry in conntrack table after default routing changed
http://bugzilla.netfilter.org/show_bug.cgi?id=792

--- Comment #2 from Bruce <wjguo.netfilterbug at cs.nctu.edu.tw> 2012-06-15 05:50:49 CEST ---
Dear Pablo Neira Ayuso:

I'm sorry that I'm so late in replying to you. You are right. I forgot to observe the ID number in the ICMP protocol.

I just tried on Windows and Linux (busybox). In Windows, it always uses the same number as ICMP's ID, so it hits the old record and then the ping fails. In Linux, the implementation of busybox ping uses getpid() as the ID. So I executed ping and Ctrl-D many times. Sometimes I get the same pid for ping, sometimes a different pid. When I get a different pid, executing ping is successful.

So, usually only Windows has this issue.

Thanks for the help. :)
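The behaviour described in the original report and refined in comment #2, as an added example that is not part of this bug thread or of nf_conntrack's own code: a small Python model of the ICMP conntrack lookup (key = src, dst, type, code, id) with the SNAT address fixed when the entry is created. The addresses and the 30 s idle timeout are taken from the report; `Conntrack`, `simulate` and the event lists are constructed for the example.

```python
from dataclasses import dataclass

ICMP_TIMEOUT = 30  # seconds; the report sees the stale entry die after ~30 s idle

@dataclass
class Entry:
    snat_src: str  # address the flow's source is rewritten to (fixed at creation)
    expires: int   # absolute time at which the entry times out

class Conntrack:
    """Toy model (not kernel code): the ICMP key is only (src, dst, type, code,
    id), so a later packet with the same fields hits the old entry and its SNAT."""
    def __init__(self):
        self.table = {}

    def _expire(self, now):
        self.table = {k: e for k, e in self.table.items() if e.expires > now}

    def egress(self, now, src, dst, icmp_id, route_src, icmp_type=8, code=0):
        """One echo request leaving the NAT box; route_src is the address of the
        interface the *current* default route would send it out of."""
        self._expire(now)
        key = (src, dst, icmp_type, code, icmp_id)
        entry = self.table.get(key)
        if entry is None:  # new flow: the NAT decision is taken now
            entry = self.table[key] = Entry(route_src, now + ICMP_TIMEOUT)
        else:              # known flow: keep the old SNAT address, bump the timer
            entry.expires = now + ICMP_TIMEOUT
        return entry.snat_src

    def delete(self, src, dst, icmp_id, icmp_type=8, code=0):
        """Manual removal, the `conntrack -D` workaround the report mentions."""
        self.table.pop((src, dst, icmp_type, code, icmp_id), None)

LAN, TARGET, IF_A, IF_B = "192.168.1.134", "8.8.8.8", "60.60.60.1", "10.10.10.1"

def simulate(events, switch_at, ct=None):
    """events: (time, icmp_id) per echo request. Default route is interface A
    (down) before switch_at and interface B after it. Returns {time: snat_src}."""
    ct = ct if ct is not None else Conntrack()
    return {t: ct.egress(t, LAN, TARGET, icmp_id, IF_A if t < switch_at else IF_B)
            for t, icmp_id in events}

# Windows `ping -t`: same ICMP id every second, so the stale A entry never dies
windows_steady = simulate([(t, 1) for t in range(40)], switch_at=10)
# Same, but the ping is stopped for more than 30 s: the entry expires, B is used
windows_paused = simulate([(t, 1) for t in [*range(15), 50, 51]], switch_at=10)
# busybox ping uses getpid() as id: a re-run after the change makes a fresh entry
linux_runs = simulate([(0, 2763), (1, 2763), (20, 2765), (21, 2765)], switch_at=10)
```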