On Fri, Nov 19, 2010 at 5:58 PM, Ulrich Weber <uweber@xxxxxxxxxx> wrote:
> Hi,
>
> glibc 2.9 implements parallel IPv4/IPv6 DNS lookup. This caused lots of trouble
> in all kinds of implementations, so all major Linux distributions removed
> _nss_dns_gethostbyname4_r in their glibc version, except for Debian Squeeze;
> see also "options single-request" for more information.
>
> Normally parallel DNS lookups work fine: the first packet is received and
> forwarded, so conntrack is confirmed before the second packet is received.
>
> However, in combination with NFQUEUE, the second DNS request is
> received while the first one is still in the queue, and both DNS requests
> have an unconfirmed conntrack. So the second one will be dropped
> in nf_conntrack_confirm, which results in a DNS timeout and retransmit.
>
> Can be reproduced with: adnshost yahoo.com google.com
>
> My first idea was to re-lookup the conntrack in nf_conntrack_confirm,
> but at that time the second request was already NATed. So I moved
> that code to nf_nat_fn(). Of course this only works if nat is loaded...
>
> Any comments or ideas on how to address this problem?

It seems that you queue packets in the middle of conntrack. Besides NFQUEUE, IMQ may cause the same problem. I think you'd better queue packets before conntrack, raw table? Or look up the conntrack again after packets are reinjected.

--
Regards,
Changli Gao(xiaosuo@xxxxxxxxx)
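To make the race in this thread concrete, here is a constructed toy model (not kernel code, not from either poster) of two back-to-back DNS queries on one UDP socket passing an NFQUEUE hook. It shows why the second packet is dropped at confirm time when the queue sits after the conntrack hook, and how both proposed remedies (queueing in the raw table before conntrack, or re-looking-up the conntrack on reinjection) let it through. The flow tuple and the packet names are made-up sample data.

```python
from collections import deque

# Constructed toy model of the conntrack confirm race described in the thread.
# It is NOT kernel code: the hash table, the "unconfirmed" flag and the hook
# order are simplified to show why the second parallel DNS request is dropped.

class ConntrackSim:
    def __init__(self, queue_in_raw=False, relookup_on_reinject=False):
        self.table = {}                 # confirmed entries, keyed by flow tuple
        self.queue = deque()            # packets parked in NFQUEUE
        self.queue_in_raw = queue_in_raw
        self.relookup = relookup_on_reinject
        self.forwarded, self.dropped = [], []

    def _lookup_or_alloc(self, pkt):
        # conntrack PREROUTING hook: hit -> existing ct, miss -> new unconfirmed ct
        pkt["ct"] = self.table.get(pkt["tuple"]) or {"tuple": pkt["tuple"], "confirmed": False}

    def receive(self, pkt):
        # raw-table NFQUEUE runs before conntrack; filter-table NFQUEUE runs after it
        if not self.queue_in_raw:
            self._lookup_or_alloc(pkt)
        self.queue.append(pkt)

    def reinject(self):
        pkt = self.queue.popleft()
        if self.queue_in_raw or (self.relookup and not pkt["ct"]["confirmed"]):
            self._lookup_or_alloc(pkt)       # now sees the entry the first packet confirmed
        ct = pkt["ct"]
        if not ct["confirmed"]:
            # nf_conntrack_confirm: tuple already in the table => clash, packet dropped
            if ct["tuple"] in self.table:
                self.dropped.append(pkt["name"])
                return False
            ct["confirmed"] = True
            self.table[ct["tuple"]] = ct
        self.forwarded.append(pkt["name"])
        return True

def parallel_lookup(queue_in_raw=False, relookup_on_reinject=False):
    """Two DNS queries (A and AAAA) from one socket hit NFQUEUE back to back."""
    sim = ConntrackSim(queue_in_raw, relookup_on_reinject)
    flow = ("10.0.0.2", 40000, "10.0.0.53", 53, "udp")   # constructed sample flow
    sim.receive({"name": "A", "tuple": flow})
    sim.receive({"name": "AAAA", "tuple": flow})         # queued before A is confirmed
    while sim.queue:
        sim.reinject()
    return sim.forwarded, sim.dropped

if __name__ == "__main__":
    print("filter NFQUEUE:", parallel_lookup())                          # (['A'], ['AAAA'])
    print("raw NFQUEUE:   ", parallel_lookup(queue_in_raw=True))         # (['A', 'AAAA'], [])
    print("re-lookup:     ", parallel_lookup(relookup_on_reinject=True)) # (['A', 'AAAA'], [])
```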