Re: Something weird

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 10/01/08 09:51, Marcio Veloso Antunes wrote:

I found out what is happening, it is exactly what you've said.


*nod*
The reason this occurs is related to conntrack, the specific route is getting up after the first packet leaves the internal network (via VPN interface, without masquerade), then when the specific route enters, the connection has been established already. 

That will do it.
Even when the interface changes from TUN0 to PPP0 the connection persists and the packets keep NOT being re-verified. 

'k
I don't know if it can be considered a Bug, but it seems to me an odd situation as the interface have changed, other networks will be crossed, i think the rules should be re-validated, don't you ?
I don't know if it is a bug per say or not. I would guess it has to do with whether or not the connection tracking code in kernel is aware of interface / network / route state changes or not. If it is unaware of state changes then it is not possible for connection tracking to know that something is amiss. If it is aware of state change then I would think that it should trap for this and handle it more gracefully than it did, thus a possible bug. But seeing as how I don't get that deep in to kernel I can't say one way or the other. 


root@fw:/proc/net# grep 172.18.0.13 ip_conntrack
udp 17 2809 src=172.18.0.13 dst=200.198.184.204 sport=5060 dport=5060 packets=977 bytes=537937 src=200.198.184.204 dst=172.18.0.13 sport=5060 dport=5060 packets=30 bytes=16384 [ASSURED] mark=0 use=1
Would it be possible to DROP the traffic before the VPN comes up such that the connection would never be successfully established and then allow the traffic once the VPN is up? Hopefully this would allow connection tracking to track the traffic on the proper interface. Also, make sure you use a DROP not a REJECT as you don't want to return an error the the client application(s) thus causing them to give up rather than timing out and re-trying like they would if the traffic was just DROPed and lost in the ether. 


Thanks for your help,
If you consider a direction to look with out an answer help, you are welcome. ;) 



Grant. . . .
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux