Re: 2.6.12 netfilter: local packets marked as invalid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Daniel Drake wrote:
When retrying the telnet test, this appears in the logs:

Jul  8 14:53:04 dsd inv IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=15 DF PROTO=TCP SPT=80 DPT=58950 WINDOW=0
RES=0x00 ACK RST URGP=0

Does this mean that the kernel thinks its own ACK RST packet is invalid?

I think I know what happens. In 2.6.12 we started dropping the conntrack
reference when a packet leaves IP, so packets on loopback are tracked
twice (LOCAL_OUT/PRE_ROUTING). TCP connection tracking destroys a
conntrack entry when the only reply is an RST. So when the packet is
tracked for the second time in PRE_ROUTING, the conntrack entry can't
be found anymore and the packet is considered invalid.

You could confirm this theory by logging invalid packets in LOCAL_OUT
and in PRE_ROUTING - only PRE_ROUTING should trigger. I'm going to
think about a solution meanwhile.

Regards
Patrick

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]
  Powered by Linux