Re: [BUG] SNAT sometimes allows packets to pass through unchanged

From: Patrick McHardy
Date: Mon Feb 16 2009 - 05:43:43 EST


Alan Stern wrote:
> On Thu, 12 Feb 2009, Patrick McHardy wrote:

>> If the connection has already timed out (from conntrack's perspective),
>> it has lost its state. Unless connection pickup is enabled, the packet
>> will be marked as INVALID because it doesn't belong to a connection.
>> You can control dropping of these packets yourself by adding the
>> appropriate "-m state --state INVALID" rules.

> I tried adding a rule to log these unaccounted-for packets. Nothing
> showed up, even when I could see the packets being sent.

Where (table/chain/position) did you add this rule?

>> That said, there were some bugs in the past few releases that caused
>> some bad interaction between TCP and TCP conntrack (not sure anymore
>> which one of both was to blame). It's possible that this is the root
>> cause for this, so you might want to consider a kernel update.

> It does sound like the result of a bug. Do you have any pointers to
> patches or locations to check in the source?

Sorry, there were quite a few patches and I don't remember which
ones exactly are related.
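As an added illustration of the placement question raised above (this is not code from the thread): INVALID packets never traverse the nat table, because nat is consulted only for the first packet of a NEW connection, so a LOG rule for them has to sit in the filter table ahead of any ACCEPT. The interface name eth0 and the SNAT address 192.0.2.1 are placeholder assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Builds a minimal ruleset in which
# packets that conntrack cannot attribute to a connection (e.g. after the
# conntrack entry timed out) are logged and dropped before SNAT'd
# forwarding is allowed. Placeholder assumptions: EXT_IF and SNAT_IP.
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}
SNAT_IP=${SNAT_IP:-192.0.2.1}
# DRY_RUN=1 (the default) prints the commands for review; run with
# DRY_RUN=0 as root to apply them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

invalid_rules() {
    # filter/FORWARD, positions 1 and 2: LOG then DROP INVALID before any
    # ACCEPT rule can let the packet through untranslated. A rule placed in
    # nat/POSTROUTING would never match these packets, since the nat table
    # only sees the first packet of a NEW connection.
    run -t filter -I FORWARD 1 -m state --state INVALID -j LOG --log-prefix "ct-invalid: "
    run -t filter -I FORWARD 2 -m state --state INVALID -j DROP
    run -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SNAT itself: applied once per NEW connection, then replayed by conntrack.
    # Connection pickup (sysctl net.netfilter.nf_conntrack_tcp_loose) is left
    # at its default; with pickup off, a timed-out flow's packets are INVALID.
    run -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$SNAT_IP"
}

invalid_rules
```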
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/