The strange Packets Duplicated bug

From: valerio balbi
Date: Tue Mar 11 2008 - 20:15:36 EST


linux-net@xxxxxxxxxxxxxxx netfilter@xxxxxxxxxxxxxxx


Hi ML!

Sometime time ago, an idea began knocking into my mind.
Precisly I want to build a box, linux based of course, to implement a
sort of "private virtual firewall".
I build a very nice "mini-itx" box with 6 network eth real device.

Before going straight forward, I tested my box for a checkpoint.
But in this checkpoint I found a annoying error.
I titled this error

"The strange Packets Duplicated bug"

Crime Scene
-----------------------
I ) | | | | | | -------
N ( +-----------+ eth2 -+ +- eth4 +-----| | |
T ) | | | | | |-----+ |
E ( | | br0 br1 | | | |
R ) | | | | | |
N ( | | ipTables | [B] -------
E ) | | kernel 2.6.18 |
T ( [A] -----------------------

I introduced the kernel bridge to split the packet traffic into
several virtual tun
(one for each virtual device).
Now let me show You the bug.
A client located into network B is trying to download a considerable
dimention file like
the kernel vanilla, after a time the transfer is frozen then
connection is resetted.
In my box the iptables filtering and source-natting rules refer
bridges interface.


C.S.I
It's time to deep dig so I instrument a trace with wireshark both in
network A and
in network B and I realize that in network B there are a lot of
retransmissions...
(already changed hubs and cables)

In particular:
1 SYN packet from client to br1 seen in B
2 SYN packet from br0 (NAT-ed) towards Internet seen in A
3 SYNACK packet from Internet towards br0 seen in A
4 SYNACK packet from Internet to client coming from br1 seen in B
5 SYNACK packet from Internet to client coming from br1 seen in B

Packet5 leads me to think a bug, IMHO packet5 should not exist at all!
Anyway the only difference between packet4 and packet5 is TTL value:
TTL(packet5)=TTL(packet4)+1
I suppose this duplication shall produce a flood and the box would
perform the kill action of the download session.

Causes
I'm thinking to some trouble in sundance driver, used for D-Link
DFE-580TX (haven't seen interesting issues in ML)
Or some misconfiguration in /proc/sys/net/ipv4/conf/br*/*.
Or a design limit of the kernel virtual bridge (stp disabled).

In which point I'm in error?
Thank's in advance

pvb265
--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html