bugzilla-daemon at netfilter.org
2014-Aug-07 21:09 UTC
[Bug 968] New: CONNMARK failing open silently?
https://bugzilla.netfilter.org/show_bug.cgi?id=968
Summary: CONNMARK failing open silently?
Product: netfilter/iptables
Version: unspecified
Platform: x86_64
OS/Version: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nf_conntrack
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: hazael+netfilter at google.com
Estimated Hours: 0.0
Repeatedly connmarking the same flow seems to cause that flow not to get
matched at times:
iptables -Z OUTPUT
(wait some time)
iptables -L OUTPUT -nv
Chain OUTPUT (policy ACCEPT 4780 packets, 494K bytes)
pkts bytes target prot opt in out source destination
6664 658K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
CONNMARK set 0x1
5367 547K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
connmark match 0x1
2 92 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 4
The resulting 2 log lines:
[13975.853660] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00
TTL=64 ID=58972 DF PROTO=TCP SPT=59106 DPT=53116 WINDOW=350 RES=0x00 ACK FIN
URGP=0
[13975.853707] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=20857 DF PROTO=TCP SPT=53116 DPT=59106 WINDOW=0 RES=0x00 RST URGP=0
This doesn't just happen to localhost; I just happened to only get localhost
entries in this attempt.
According to conntrack -L:
conntrack v1.0.0 (conntrack-tools): 439 flow entries have been shown.
My completely uneducated guess is that some conntrack queue is spilling over
without indication.
While this is definitely a poor example (using plain MARKs or accepting
established traffic prior works fine) I still feel this is a bug... repeatedly
marking the same set of traffic shouldn't randomly unmark packets (or at the
very least it should complain loudly about it.)
Tested on a 3.13 kernel, iptables version v1.4.12
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2014-Oct-23 12:19 UTC
[Bug 968] CONNMARK failing open silently?
https://bugzilla.netfilter.org/show_bug.cgi?id=968
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |pablo at netfilter.org
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Packets can be classified as INVALID by the connection tracking. You have to
update your configuration to catch that case too.
bugzilla-daemon at netfilter.org
2014-Oct-24 17:52 UTC
[Bug 968] CONNMARK failing open silently?
https://bugzilla.netfilter.org/show_bug.cgi?id=968
Hazael Sanchez <hazael+netfilter at google.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |INVALID
--- Comment #2 from Hazael Sanchez <hazael+netfilter at google.com> ---
Doh, I forgot to take that into consideration. That did the trick.
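Added example, not part of the bug thread: a small Python tool that parses netfilter LOG lines in the format quoted in the report and groups them per connection, so the packets that fell through the CONNMARK/connmark pair (here the FIN/ACK and the RST of one closed localhost connection, which conntrack no longer tracks and so classifies INVALID) can be reviewed flow by flow instead of line by line. The sample input is the two log lines from the report, re-joined where the mail wrapped them.

```python
import re
from collections import defaultdict

# Constructed sample input: the two LOG lines from the bug report, unwrapped.
SAMPLE_LOG = """\
[13975.853660] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=58972 DF PROTO=TCP SPT=59106 DPT=53116 WINDOW=350 RES=0x00 ACK FIN URGP=0
[13975.853707] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=20857 DF PROTO=TCP SPT=53116 DPT=59106 WINDOW=0 RES=0x00 RST URGP=0
"""

# TCP flags are printed as bare tokens (no '=') by the LOG target.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Kernel timestamp in brackets; re.search tolerates a syslog prefix before it.
_TS = re.compile(r"\[\s*(\d+\.\d+)\]\s*(.*)$")

def parse_line(line):
    """Return a dict of KEY=value fields plus 'ts' and 'flags', or None."""
    m = _TS.search(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group(1)), "flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            k, v = tok.split("=", 1)   # "IN=" yields an empty interface name
            rec[k] = v
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        else:
            rec[tok] = True             # bare markers such as DF
    return rec

def flow_key(rec):
    """Direction-independent key so both halves of one connection group together."""
    a = (rec.get("SRC", ""), int(rec.get("SPT", 0)))
    b = (rec.get("DST", ""), int(rec.get("DPT", 0)))
    return (rec.get("PROTO", "?"),) + tuple(sorted([a, b]))

def group_flows(text):
    """Map flow key -> list of (ts, 'src:spt>dst:dpt', flags) in log order."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        direction = f"{rec['SRC']}:{rec['SPT']}>{rec['DST']}:{rec['DPT']}"
        flows[flow_key(rec)].append((rec["ts"], direction, frozenset(rec["flags"])))
    return dict(flows)

if __name__ == "__main__":
    for key, pkts in group_flows(SAMPLE_LOG).items():
        print(key)
        for ts, direction, flags in pkts:
            print(f"  {ts:.6f} {direction} {' '.join(sorted(flags))}")
```

Fed a longer LOG capture, the per-flow view makes it easy to see whether the unmarked packets are all late FIN/RST segments of torn-down connections (the INVALID case named in comment #1) or something that still needs a rule.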