l7 -> drop & ip_conntrack entries

Jason Opperisano opie at 817west.com
Sun Sep 12 00:15:50 CEST 2004

On Sat, 2004-09-11 at 08:02, Moritz Gartenmeister wrote:
> Why are there still connections tracked, although i drop the packets
> with iptables in prerouting mangle?
> iptables recognizes this connections as bittorrent, why are they not
> droped? Why do they get a ASSURED and ESTABLISHED connection?
> And BTW: does this mean, that there is actually bittorrent traffic?
> And i rebooted my system, checked the /proc/net/ip_conntrack (didn't
> exist), set up the bridge, set up iptables, pluged in the ethernetcables.
> thanks for some light...
> moritz

this really depends on the internals of l7filter, and what "DROP" means
to it.  if you think about what's going on--the behavior you're
observing makes sense:

client sends SYN to server:bittorrent_port
  -> firewall accepts this packet
server sends SYN-ACK
  -> firewall accepts this packet
client sends ACK
  -> firewall accepts this packet

at this point you have a fully-established (assured) TCP connection--so
it gets entered into ip_conntrack.

now client and server exchange some data packets, one of which triggers
your l7filter module match, so that packet gets dropped...which will
effectively break/block the client and server's ability to communicate;
however--unless l7filter goes in and removes the conntrack entry (which
i *highly* doubt that it does)--the conntrack entry will be left to hang
around until it times out.

this (amongst other reasons) is why i prefer to use a true app-level
gateway to scrub this stuff out.


Jason Opperisano <opie at 817west.com>

More information about the netfilter mailing list