[CentOS] Netfilter conntrack problem...

Maciej Żenczykowski

maze at cela.pl
Tue Jan 17 20:08:30 UTC 2006


Hi folks,

I have the following in my firewall (condensed version)
[CentOS 4.2: 2.6.9-11.EL.i686 kernel]:

INPUT:
--state ESTABLISHED,RELATED -j ACCEPT
-p tcp -j REJECT --reject-with tcp-reset
-j REJECT

OUTPUT: ACCEPT

The connection is over a wireless link so packets _do_ get dropped even 
though throughput is around 100-400 kB/s (depending on 
atmospheric conditions, etc.)

Now I've noticed that sometimes connections are broken, I've narrowed the 
problem down to _this_ firewall (as in it's not the only one, but I'm 
pretty sure that it's at fault here...)

Tcpdumping a "ssh somewhere cat /dev/zero > /dev/null" session on the 
firewall to an external host (a few hops away, reliable links, except for 
the single wireless link) on a prematurely terminated connection reveals 
the following (near the very end):

# tcpdump -i eth1 host $TARGET -n -nn
SRC=$FIREWALL:38945
DST=$TARGET:22
(all stream counts (acks) where 1728xxxxx so 1728 has been replaced with 
nil to gain on readability...)

034006 IP SRC > DST: . ack 05611 win 23688 <nop,nop,timestamp 603026606 
838569311,nop,nop,sack sack 3 {11403:12851}{07059:09955}
068320 IP DST > SRC: . 12851:14299(1448) ack 85975 win 8576 
<nop,nop,timestamp 838569322 603026606>
068421 IP SRC > DST: . ack 05611 win 23688 <nop,nop,timestamp 603026641 
838569311,nop,nop,sack sack 3 {11403:14299}{07059:09955}
101781 IP DST > SRC: P 14299:15747(1448) ack 85975 win 8576 
<nop,nop,timestamp 838569325 603026641>
101879 IP SRC > DST: . ack 05611 win 23688 <nop,nop,timestamp 603026674 
838569311,nop,nop,sack sack 2 {11403:18643}{07059:09955}
133870 IP DST > SRC: . 18643:20091(1448) ack 85975 win 8576 
<nop,nop,timestamp 838569328 603026674>
133969 IP SRC > DST: . ack 05611 win 23688 <nop,nop,timestamp 603026706 
838569311,nop,nop,sack sack 2 {11403:20091}{07059:09955}
164262 IP DST > SRC: . 20091:21539(1448) ack 85975 win 8576 
<nop,nop,timestamp 838569332 603026706>
164358 IP SRC > DST: . ack 05611 win 23688 <nop,nop,timestamp 603026737 
838569311,nop,nop,sack sack 2 {11403:21539}{07059:09955}
198287 IP DST > SRC: . 21539:22987(1448) ack 85975 win 8576 
<nop,nop,timestamp 838569335 603026737>
198386 IP SRC > DST: . ack 05611 win 23688 <nop,nop,timestamp 603026771 
838569311,nop,nop,sack sack 2 {11403:22987}{07059:09955}
230168 IP DST > SRC: . 22987:24435(1448) ack 85975 win 8576 
<nop,nop,timestamp 838569338 603026771>
230285 IP SRC > DST: . ack 05611 win 23688 <nop,nop,timestamp 603026803 
838569311,nop,nop,sack sack 2 {11403:24435}{07059:09955}
252786 IP DST > SRC: . 05611:07059(1448) ack 85975 win 8576 
<nop,nop,timestamp 838569340 603026771>
252857 IP SRC > DST: R 1475625677:1475625677(0) win 0


As far as I can tell, the second to last packet is perfectly valid - it is 
a valid retransmit of a missing/dropped piece.  For some reason it results 
in a reset being sent from the tcp-reset rule (counter increases).  Thus 
it would seem the packet is not matching the ESTABLISHED rule.  Any ideas?

Is this a bug?  Has this been fixed in a/the newer kernel (I've got 156 
days of uptime and a lot of junk on the box so I don't really want to 
reset it... :( )

Is the firewall configuration above correct - ie. is that a valid spot to 
generate TCP Resets?  I doubt DROP'ing the packets will help since it'll 
just cause a stall, with future retransmits not getting through due to not 
matching as ESTABLISHED anyway...

Cheers,
MaZe.




More information about the CentOS mailing list