Re: PATCH: "invalid SYNIN=" - a patch and a question (fwd)

Hello,

It seems that vger is a little too restrictive:

<netfilter-devel@xxxxxxxxxxxxxxx>
    (reason: 550 5.7.1 Content-Policy reject msg: The message contains HTML subpart, therefore we consider it SPAM orOutlook Virus.  TEXT/PLAIN is accepted.! BF:<H 2.08683e-12>; S1755231AbXJKU7g)

Forwarded with questionable parts removed...

---------- Forwarded message ----------
Date: Thu, 11 Oct 2007 22:59:21 +0200 (CEST)
From: Krzysztof Oledzki <ole@xxxxxx>
To: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
Cc: Netfilter Developer Mailing List <netfilter-devel@xxxxxxxxxxxxxxx>,
    Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: PATCH: "invalid SYNIN=" - a patch and a question

Hello,

Something is still wrong in this area. With the recent fix there are no more "invalid SYNIN=" messages, but with an unsuccessful request simulated with "echo|nc", subsequent connections are not possible. I included the full log & tcpdump for the simulation, and I also marked what is IMHO the most interesting part with "*** Here:".

Thank you.

--- cut here ---
sysctl net.ipv4.ip_local_port_range="50000 50003"
sysctl net.netfilter.nf_conntrack_log_invalid=255

while true ; do echo|nc -w 1 wp.pl 80 2>/dev/null >/dev/null; echo -ne "HEAD / HTTP/1.0\r\nHost: www.wp.pl\r\n\r\n"|nc -w 2 wp.pl 80 ; sleep 1 ; done
--- cut here ---

<CUT>

wp.pl [212.77.100.101] 80 (http) : Connection timed out
wp.pl [212.77.100.101] 80 (http) : Connection timed out


--- syslog ---
Oct 11 22:36:32 wrestler kernel: nf_ct_tcp: invalid packed ignored IN= OUT= SRC=195.177.210.7 DST=212.77.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27043 DF PROTO=TCP SPT=50002 DPT=80 SEQ=687369841 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A023107D20000000001030306) UID=0
Oct 11 22:36:32 wrestler kernel: nf_ct_tcp: killing out of sync session IN= OUT= SRC=212.77.100.101 DST=195.177.210.7 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=50002 SEQ=453422905 ACK=687369842 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A6BC6D918023107D201030302)
Oct 11 22:36:37 wrestler kernel: nf_ct_tcp: invalid packed ignored IN= OUT= SRC=195.177.210.7 DST=212.77.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5495 DF PROTO=TCP SPT=50001 DPT=80 SEQ=1412107783 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A02311B700000000001030306) UID=0
Oct 11 22:36:37 wrestler kernel: nf_ct_tcp: killing out of sync session IN= OUT= SRC=212.77.100.101 DST=195.177.210.7 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=50001 SEQ=2215777897 ACK=1412107784 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A0DDF22ED02311B7001030302)
Oct 11 22:36:40 wrestler kernel: nf_ct_tcp: invalid packed ignored IN= OUT= SRC=212.77.100.101 DST=195.177.210.7 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=50002 SEQ=453422906 ACK=687369842 WINDOW=5792 RES=0x00 ACK URGP=0 OPT (0101080A6BC6F873023107D2)

*** Here:
Oct 11 22:36:41 wrestler kernel: nf_ct_tcp: invalid packed ignored IN= OUT= SRC=195.177.210.7 DST=212.77.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39200 DF PROTO=TCP SPT=50000 DPT=80 SEQ=1115992631 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A02312B170000000001030306) UID=0
Oct 11 22:36:41 wrestler kernel: nf_ct_tcp: killing out of sync session IN= OUT= SRC=212.77.100.101 DST=195.177.210.7 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=50000 SEQ=9811630 ACK=1115992632 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A1DD1B5B002312B1701030302)

--- tcpdump ---
22:36:27.218445 IP (tos 0x0, ttl 64, id 31236, offset 0, flags [DF], proto TCP (6), length 60) 195.177.210.7.50002 > 212.77.100.101.80: S, cksum 0x40f4 (correct), 3779627100:3779627100(0) win 5840 <mss 1460,sackOK,timestamp 36762200 0,nop,wscale 6>
22:36:27.232643 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50002: S, cksum 0x2b69 (correct), 2211613225:2211613225(0) ack 3779627101 win 5792 <mss 1460,sackOK,timestamp 232716755 36762200,nop,wscale 2>
22:36:27.232678 IP (tos 0x0, ttl 64, id 31237, offset 0, flags [DF], proto TCP (6), length 52) 195.177.210.7.50002 > 212.77.100.101.80: ., cksum 0x7066 (correct), ack 2211613226 win 92 <nop,nop,timestamp 36762214 232716755>
22:36:27.232765 IP (tos 0x0, ttl 64, id 31238, offset 0, flags [DF], proto TCP (6), length 53) 195.177.210.7.50002 > 212.77.100.101.80: P, cksum 0x665d (correct), 3779627101:3779627102(1) ack 2211613226 win 92 <nop,nop,timestamp 36762214 232716755>
22:36:27.246675 IP (tos 0x0, ttl 57, id 29640, offset 0, flags [DF], proto TCP (6), length 52) 212.77.100.101.80 > 195.177.210.7.50002: ., cksum 0x6b0a (correct), ack 3779627102 win 1448 <nop,nop,timestamp 232716770 36762214>
22:36:29.232026 IP (tos 0x0, ttl 64, id 31239, offset 0, flags [DF], proto TCP (6), length 52) 195.177.210.7.50002 > 212.77.100.101.80: F, cksum 0x6885 (correct), 3779627102:3779627102(0) ack 2211613226 win 92 <nop,nop,timestamp 36764214 232716770>
22:36:29.235128 IP (tos 0x0, ttl 64, id 5494, offset 0, flags [DF], proto TCP (6), length 60) 195.177.210.7.50000 > 212.77.100.101.80: S, cksum 0x5a95 (correct), 1490415439:1490415439(0) win 5840 <mss 1460,sackOK,timestamp 36764217 0,nop,wscale 6>
22:36:29.246360 IP (tos 0x0, ttl 57, id 29642, offset 0, flags [DF], proto TCP (6), length 467) 212.77.100.101.80 > 195.177.210.7.50002: P 2211613226:2211613641(415) ack 3779627103 win 1448 <nop,nop,timestamp 232718770 36764214>
22:36:29.246398 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 195.177.210.7.50002 > 212.77.100.101.80: R, cksum 0xb429 (correct), 3779627103:3779627103(0) win 0
22:36:29.249318 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50000: S, cksum 0x72f7 (correct), 451450258:451450258(0) ack 1490415440 win 5792 <mss 1460,sackOK,timestamp 1808190335 36764217,nop,wscale 2>
22:36:29.249344 IP (tos 0x0, ttl 64, id 5495, offset 0, flags [DF], proto TCP (6), length 52) 195.177.210.7.50000 > 212.77.100.101.80: ., cksum 0xb7f4 (correct), ack 451450259 win 92 <nop,nop,timestamp 36764231 1808190335>
22:36:29.249443 IP (tos 0x0, ttl 64, id 5496, offset 0, flags [DF], proto TCP (6), length 88) 195.177.210.7.50000 > 212.77.100.101.80: P 1490415440:1490415476(36) ack 451450259 win 92 <nop,nop,timestamp 36764231 1808190335>
22:36:29.263244 IP (tos 0x0, ttl 57, id 24094, offset 0, flags [DF], proto TCP (6), length 52) 212.77.100.101.80 > 195.177.210.7.50000: ., cksum 0xb276 (correct), ack 1490415476 win 1448 <nop,nop,timestamp 1808190349 36764231>
22:36:29.479692 IP (tos 0x0, ttl 57, id 24096, offset 0, flags [DF], proto TCP (6), length 716) 212.77.100.101.80 > 195.177.210.7.50000: P 451450259:451450923(664) ack 1490415476 win 1448 <nop,nop,timestamp 1808190565 36764231>
22:36:29.479713 IP (tos 0x0, ttl 64, id 5497, offset 0, flags [DF], proto TCP (6), length 52) 195.177.210.7.50000 > 212.77.100.101.80: ., cksum 0xb358 (correct), ack 451450923 win 112 <nop,nop,timestamp 36764461 1808190565>
22:36:29.694193 IP (tos 0x0, ttl 57, id 24098, offset 0, flags [DF], proto TCP (6), length 52) 212.77.100.101.80 > 195.177.210.7.50000: F, cksum 0xad49 (correct), 451450923:451450923(0) ack 1490415476 win 1448 <nop,nop,timestamp 1808190779 36764461>
22:36:29.694255 IP (tos 0x0, ttl 64, id 5498, offset 0, flags [DF], proto TCP (6), length 52) 195.177.210.7.50000 > 212.77.100.101.80: F, cksum 0xb1a9 (correct), 1490415476:1490415476(0) ack 451450924 win 112 <nop,nop,timestamp 36764676 1808190779>
22:36:29.708172 IP (tos 0x0, ttl 57, id 24100, offset 0, flags [DF], proto TCP (6), length 52) 212.77.100.101.80 > 195.177.210.7.50000: ., cksum 0xac63 (correct), ack 1490415477 win 1448 <nop,nop,timestamp 1808190793 36764676>
22:36:30.699067 IP (tos 0x0, ttl 64, id 50929, offset 0, flags [DF], proto TCP (6), length 60) 195.177.210.7.50001 > 212.77.100.101.80: S, cksum 0xb365 (correct), 2962962688:2962962688(0) win 5840 <mss 1460,sackOK,timestamp 36765681 0,nop,wscale 6>
22:36:30.712621 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50001: S, cksum 0x8dca (correct), 8944860:8944860(0) ack 2962962689 win 5792 <mss 1460,sackOK,timestamp 500271752 36765681,nop,wscale 2>
22:36:30.712663 IP (tos 0x0, ttl 64, id 50930, offset 0, flags [DF], proto TCP (6), length 52) 195.177.210.7.50001 > 212.77.100.101.80: ., cksum 0xd2c8 (correct), ack 8944861 win 92 <nop,nop,timestamp 36765694 500271752>
22:36:30.712715 IP (tos 0x0, ttl 64, id 50931, offset 0, flags [DF], proto TCP (6), length 53) 195.177.210.7.50001 > 212.77.100.101.80: P, cksum 0xc8bf (correct), 2962962689:2962962690(1) ack 8944861 win 92 <nop,nop,timestamp 36765694 500271752>
22:36:30.726652 IP (tos 0x0, ttl 57, id 63048, offset 0, flags [DF], proto TCP (6), length 52) 212.77.100.101.80 > 195.177.210.7.50001: ., cksum 0xcd6d (correct), ack 2962962690 win 1448 <nop,nop,timestamp 500271766 36765694>
22:36:32.713026 IP (tos 0x0, ttl 64, id 50932, offset 0, flags [DF], proto TCP (6), length 52) 195.177.210.7.50001 > 212.77.100.101.80: F, cksum 0xcae7 (correct), 2962962690:2962962690(0) ack 8944861 win 92 <nop,nop,timestamp 36767695 500271766>
22:36:32.716284 IP (tos 0x0, ttl 64, id 27043, offset 0, flags [DF], proto TCP (6), length 60) 195.177.210.7.50002 > 212.77.100.101.80: S, cksum 0xfdb5 (correct), 687369841:687369841(0) win 5840 <mss 1460,sackOK,timestamp 36767698 0,nop,wscale 6>
22:36:32.727982 IP (tos 0x0, ttl 57, id 63050, offset 0, flags [DF], proto TCP (6), length 467) 212.77.100.101.80 > 195.177.210.7.50001: P 8944861:8945276(415) ack 2962962691 win 1448 <nop,nop,timestamp 500273767 36767695>
22:36:32.728033 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 195.177.210.7.50001 > 212.77.100.101.80: R, cksum 0x3434 (correct), 2962962691:2962962691(0) win 0
22:36:32.730494 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50002: S, cksum 0xeeb9 (correct), 453422905:453422905(0) ack 687369842 win 5792 <mss 1460,sackOK,timestamp 1808193816 36767698,nop,wscale 2>
22:36:35.720402 IP (tos 0x0, ttl 64, id 18462, offset 0, flags [DF], proto TCP (6), length 60) 195.177.210.7.50000 > 212.77.100.101.80: S, cksum 0x5271 (correct), 3680721808:3680721808(0) win 5840 <mss 1460,sackOK,timestamp 36770702 0,nop,wscale 6>
22:36:35.734360 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50000: S, cksum 0x1838 (correct), 2586062097:2586062097(0) ack 3680721809 win 5792 <mss 1460,sackOK,timestamp 1923088518 36770702,nop,wscale 2>
22:36:35.734406 IP (tos 0x0, ttl 64, id 18463, offset 0, flags [DF], proto TCP (6), length 52) 195.177.210.7.50000 > 212.77.100.101.80: ., cksum 0x5d35 (correct), ack 2586062098 win 92 <nop,nop,timestamp 36770716 1923088518>
22:36:35.734451 IP (tos 0x0, ttl 64, id 18464, offset 0, flags [DF], proto TCP (6), length 53) 195.177.210.7.50000 > 212.77.100.101.80: P, cksum 0x532c (correct), 3680721809:3680721810(1) ack 2586062098 win 92 <nop,nop,timestamp 36770716 1923088518>
22:36:35.748134 IP (tos 0x0, ttl 57, id 11654, offset 0, flags [DF], proto TCP (6), length 52) 212.77.100.101.80 > 195.177.210.7.50000: ., cksum 0x57da (correct), ack 3680721810 win 1448 <nop,nop,timestamp 1923088532 36770716>
22:36:37.298306 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50002: S, cksum 0xdce0 (correct), 453422905:453422905(0) ack 687369842 win 5792 <mss 1460,sackOK,timestamp 1808198385 36767698,nop,wscale 2>
22:36:37.735036 IP (tos 0x0, ttl 64, id 18465, offset 0, flags [DF], proto TCP (6), length 52) 195.177.210.7.50000 > 212.77.100.101.80: F, cksum 0x5554 (correct), 3680721810:3680721810(0) ack 2586062098 win 92 <nop,nop,timestamp 36772717 1923088532>
22:36:37.738312 IP (tos 0x0, ttl 64, id 5495, offset 0, flags [DF], proto TCP (6), length 60) 195.177.210.7.50001 > 212.77.100.101.80: S, cksum 0x1f50 (correct), 1412107783:1412107783(0) win 5840 <mss 1460,sackOK,timestamp 36772720 0,nop,wscale 6>
22:36:37.750598 IP (tos 0x0, ttl 57, id 11656, offset 0, flags [DF], proto TCP (6), length 467) 212.77.100.101.80 > 195.177.210.7.50000: P 2586062098:2586062513(415) ack 3680721811 win 1448 <nop,nop,timestamp 1923090534 36772717>
22:36:37.750647 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 195.177.210.7.50000 > 212.77.100.101.80: R, cksum 0xe6dc (correct), 3680721811:3680721811(0) win 0
22:36:37.752345 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50001: S, cksum 0x542b (correct), 2215777897:2215777897(0) ack 1412107784 win 5792 <mss 1460,sackOK,timestamp 232727277 36772720,nop,wscale 2>
22:36:40.742395 IP (tos 0x0, ttl 64, id 34924, offset 0, flags [DF], proto TCP (6), length 60) 195.177.210.7.50002 > 212.77.100.101.80: S, cksum 0xbf25 (correct), 123711296:123711296(0) win 5840 <mss 1460,sackOK,timestamp 36775724 0,nop,wscale 6>
22:36:40.756251 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 52) 212.77.100.101.80 > 195.177.210.7.50002: ., cksum 0xfe25 (correct), ack 687369842 win 5792 <nop,nop,timestamp 1808201843 36767698>
22:36:40.756388 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 195.177.210.7.50002 > 212.77.100.101.80: R, cksum 0x8667 (correct), 687369842:687369842(0) win 0
22:36:41.176923 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50001: S, cksum 0x46ca (correct), 2215777897:2215777897(0) ack 1412107784 win 5792 <mss 1460,sackOK,timestamp 232730702 36772720,nop,wscale 2>

*** Here:
22:36:41.745795 IP (tos 0x0, ttl 64, id 39200, offset 0, flags [DF], proto TCP (6), length 60) 195.177.210.7.50000 > 212.77.100.101.80: S, cksum 0x7d20 (correct), 1115992631:1115992631(0) win 5840 <mss 1460,sackOK,timestamp 36776727 0,nop,wscale 6>
22:36:41.759701 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50000: S, cksum 0xf27d (correct), 9811630:9811630(0) ack 1115992632 win 5792 <mss 1460,sackOK,timestamp 500282800 36776727,nop,wscale 2>

22:36:46.087537 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50000: S, cksum 0xe194 (correct), 9811630:9811630(0) ack 1115992632 win 5792 <mss 1460,sackOK,timestamp 500287129 36776727,nop,wscale 2>
22:36:47.175467 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50001: S, cksum 0x2f5a (correct), 2215777897:2215777897(0) ack 1412107784 win 5792 <mss 1460,sackOK,timestamp 232736702 36772720,nop,wscale 2>
22:36:52.085064 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50000: S, cksum 0xca24 (correct), 9811630:9811630(0) ack 1115992632 win 5792 <mss 1460,sackOK,timestamp 500293129 36776727,nop,wscale 2>
22:36:59.174262 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50001: S, cksum 0x0079 (correct), 2215777897:2215777897(0) ack 1412107784 win 5792 <mss 1460,sackOK,timestamp 232748703 36772720,nop,wscale 2>
22:37:04.084185 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 60) 212.77.100.101.80 > 195.177.210.7.50000: S, cksum 0x9b44 (correct), 9811630:9811630(0) ack 1115992632 win 5792 <mss 1460,sackOK,timestamp 500305129 36776727,nop,wscale 2>
22:37:13.256208 IP (tos 0x0, ttl 248, id 0, offset 0, flags [none], proto TCP (6), length 40) 212.77.100.101.80 > 195.177.210.7.50000: R, cksum 0x1dd4 (correct), 0:0(0) win 0

Best regards,

				Krzysztof Olędzki
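
For triaging logs like the syslog excerpt in the message above, here is an added example (not part of the original message and not netfilter code): it pairs each outgoing SYN that nf_ct_tcp logged as ignored with the SYN/ACK it logged as "killing out of sync session" for the same connection. The function names are made up for this example, and the sample lines are abridged from the log above.

```python
import re

# Sample input: nf_ct_tcp lines abridged from the syslog excerpt above
# (LEN/TOS/TTL/ID/WINDOW/OPT fields dropped; addresses, ports, SEQ/ACK kept).
SAMPLE = """\
Oct 11 22:36:32 wrestler kernel: nf_ct_tcp: invalid packed ignored IN= OUT= SRC=195.177.210.7 DST=212.77.100.101 PROTO=TCP SPT=50002 DPT=80 SEQ=687369841 ACK=0 SYN URGP=0
Oct 11 22:36:32 wrestler kernel: nf_ct_tcp: killing out of sync session IN= OUT= SRC=212.77.100.101 DST=195.177.210.7 PROTO=TCP SPT=80 DPT=50002 SEQ=453422905 ACK=687369842 ACK SYN URGP=0
Oct 11 22:36:37 wrestler kernel: nf_ct_tcp: invalid packed ignored IN= OUT= SRC=195.177.210.7 DST=212.77.100.101 PROTO=TCP SPT=50001 DPT=80 SEQ=1412107783 ACK=0 SYN URGP=0
Oct 11 22:36:37 wrestler kernel: nf_ct_tcp: killing out of sync session IN= OUT= SRC=212.77.100.101 DST=195.177.210.7 PROTO=TCP SPT=80 DPT=50001 SEQ=2215777897 ACK=1412107784 ACK SYN URGP=0
Oct 11 22:36:40 wrestler kernel: nf_ct_tcp: invalid packed ignored IN= OUT= SRC=212.77.100.101 DST=195.177.210.7 PROTO=TCP SPT=80 DPT=50002 SEQ=453422906 ACK=687369842 ACK URGP=0
Oct 11 22:36:41 wrestler kernel: nf_ct_tcp: invalid packed ignored IN= OUT= SRC=195.177.210.7 DST=212.77.100.101 PROTO=TCP SPT=50000 DPT=80 SEQ=1115992631 ACK=0 SYN URGP=0
Oct 11 22:36:41 wrestler kernel: nf_ct_tcp: killing out of sync session IN= OUT= SRC=212.77.100.101 DST=195.177.210.7 PROTO=TCP SPT=80 DPT=50000 SEQ=9811630 ACK=1115992632 ACK SYN URGP=0
"""

MSG_RE = re.compile(r"nf_ct_tcp: (?P<msg>.+?) IN=")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Return the KEY=value fields, message text and TCP flags of one log line."""
    m = MSG_RE.search(line)
    if not m:
        return None                      # not an nf_ct_tcp log line
    rec = dict(KV_RE.findall(line))      # "ACK=0" lands here, bare "ACK" below
    rec["msg"] = m.group("msg")
    rec["flags"] = frozenset(line.split()) & TCP_FLAGS
    return rec

def killed_handshakes(lines):
    """List (client, cport, server, sport) whose SYN was ignored and SYN/ACK killed."""
    pending, killed = {}, []             # pending: tuple -> ACK the SYN/ACK must carry
    for rec in filter(None, map(parse_line, lines)):
        fwd = (rec["SRC"], int(rec["SPT"]), rec["DST"], int(rec["DPT"]))
        rev = (rec["DST"], int(rec["DPT"]), rec["SRC"], int(rec["SPT"]))
        if rec["flags"] == {"SYN"} and "ignored" in rec["msg"]:
            pending[fwd] = (int(rec["SEQ"]) + 1) % 2**32
        elif rec["flags"] == {"SYN", "ACK"} and rec["msg"].startswith("killing"):
            # Same connection only if the reply acknowledges the ignored SYN.
            if pending.pop(rev, None) == int(rec["ACK"]):
                killed.append(rev)
    return killed

if __name__ == "__main__":
    for client, cport, server, sport in killed_handshakes(SAMPLE.splitlines()):
        print(f"{client}:{cport} -> {server}:{sport}: SYN ignored, SYN/ACK killed")
```
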
