Re: Incoming packet in wrong chain

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Tim Ritberg wrote:
> Hi!
> 
> I have Kernel 2.6.22 and do some Masquerade for my Windows boxes.
> 
> My problem gets visible in this rule:
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> 113 87963 DROP_LOG 0 --  ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW
> 
> This rule is at the bottom of my INPUT chain.
> 
> Kernel says:
> DROP: IN=ppp0 OUT= MAC= SRC=217.13.68.183 DST=91.xx.xx.xx LEN=58 TOS=0x00 PREC=0x00 TTL=59 ID=55058 DF PROTO=TCP SPT=80 DPT=2409 WINDOW=14520 RES=0x00 ACK URGP=0
> 
> This ACK packet belongs to surfing the WWW and should never get into the INPUT chain. The problem occurs randomly.
> Is this a bug? And why do ACK packets hit a rule for SYN packets?

For Netfilter connection tracking, a NEW TCP connection does not have to
start with a SYN packet. If
/proc/sys/net/netfilter/nf_conntrack_tcp_loose is set to 1 (the default),
Netfilter will try to pick up the connection. By this means it is possible
to recover a connection (in some fail-over cases, for example), but it
introduces this weird-looking-at-first behaviour.

BR,
- --
Eric Leblond <eleblond@xxxxxx>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
EdenWall: http://www.edenwall.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJj05dnxA7CdMWjzIRAk2BAJ4p7uOUzgNsTrOrGbg2sVTYEa8bjwCeLowc
tJssXCPP3rJk/isR9cnynvg=
=hb1D
-----END PGP SIGNATURE-----
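As an added illustration of the reply (not code from either poster), the script below classifies a netfilter LOG line such as the one Tim quoted: a TCP packet with ACK set and no SYN that nevertheless matched "state NEW" is exactly the mid-stream pickup that nf_conntrack_tcp_loose=1 allows, not a real connection attempt. The sample line is copied from the thread; the function names and the "unavailable" fallback for systems without the sysctl file are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: explain "NEW but not SYN" drops in terms of
# conntrack's loose TCP pickup.

# Kernel log line quoted in the thread (DST already anonymised there).
SAMPLE_LOG='DROP: IN=ppp0 OUT= MAC= SRC=217.13.68.183 DST=91.xx.xx.xx LEN=58 TOS=0x00 PREC=0x00 TTL=59 ID=55058 DF PROTO=TCP SPT=80 DPT=2409 WINDOW=14520 RES=0x00 ACK URGP=0'

# tcp_flags LINE -> prints the TCP flag tokens present in a LOG line, space separated.
# Only whole tokens match, so "URGP=0" is not mistaken for URG.
tcp_flags() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -x -E 'SYN|ACK|FIN|RST|PSH|URG' \
        | tr '\n' ' ' | sed 's/ $//'
}

# classify LINE -> "syn" for a genuine connection attempt, "midstream-pickup" for a
# TCP packet with ACK but no SYN (a NEW match here is the tcp_loose behaviour Eric
# describes), "other" for anything else (non-TCP, or TCP without SYN/ACK).
classify() {
    line=$1
    case " $line " in
        *" PROTO=TCP "*) ;;
        *) echo other; return 0 ;;
    esac
    flags=$(tcp_flags "$line")
    case " $flags " in
        *" SYN "*) echo syn ;;
        *" ACK "*) echo midstream-pickup ;;
        *) echo other ;;
    esac
}

# tcp_loose_setting -> prints the current sysctl value (1 = pickup enabled, the
# default per the reply), or "unavailable" when the file is not present
# (conntrack not loaded, or not a Linux host).
tcp_loose_setting() {
    f=/proc/sys/net/netfilter/nf_conntrack_tcp_loose
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

printf 'tcp_loose=%s\n' "$(tcp_loose_setting)"
printf 'flags=[%s] verdict=%s\n' "$(tcp_flags "$SAMPLE_LOG")" "$(classify "$SAMPLE_LOG")"
```

On the thread's sample line this prints "flags=[ACK] verdict=midstream-pickup". Operators who want the bottom-of-chain NEW rule to log only real connection attempts commonly add a separate match for TCP packets that are NEW but lack SYN (iptables' `! --syn` with `--state NEW`) ahead of it; that refinement is a standard practice, not something proposed in this thread.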