Re: iptables conntrack: packets not matching a rule occasionally?

Marc Schiffbauer wrote:
>
> Aug 1 15:31:50 pluto kernel: RULE 2 -- ACCEPT IN=eth0 OUT= MAC= SRC=a.x.x.x DST=a.b.c.d LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=64148 DF PROTO=TCP SPT=52789 DPT=80 WINDOW=5728 RES=0x00 SYN URGP=0
> Aug 1 15:31:51 pluto kernel: DROP IN=eth0 OUT= MAC= SRC=b.x.x.x DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55422 DF PROTO=TCP SPT=2433 DPT=80 WINDOW=864 RES=0x00 ACK FIN URGP=0
> Aug 1 15:31:52 pluto kernel: DROP IN=eth0 OUT= MAC= SRC=c.x.x.x DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=38797 DF PROTO=TCP SPT=4404 DPT=80 WINDOW=864 RES=0x00 ACK FIN URGP=0
> Aug 1 15:31:52 pluto kernel: DROP IN=eth0 OUT= MAC= SRC=c.x.x.x DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=2067 DF PROTO=TCP SPT=52789 DPT=80 WINDOW=5728 RES=0x00 ACK URGP=0
> Aug 1 15:31:52 pluto kernel: RULE 2 -- ACCEPT IN=eth0 OUT= MAC= SRC=d.x.x.x DST=a.b.c.d LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=47854 DF PROTO=TCP SPT=12768 DPT=80 WINDOW=57344 RES=0x00 SYN URGP=0
>
>
> I tried it without connection tracking for port 80: No dropped
> packets! So it seems related to conntrack
>
> Has anybody an Idea what could be the cause of this?

IIRC there is a FAQ on netfilter that explains the problem (I had the same problem), in short (if IIRC): netfilter has some problem with the ACK FIN, but the developers didn't find a right test to find to debug the problem.

It is probably a problem of timing or of dropped packed, so that netfilter drop to early a connection.

ciao

        cate

-- 
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org