[Bug 464] New: state match sometimes fails RELATED,ESTABLISHED matches
bugzilla-daemon at bugzilla.netfilter.org
Thu Mar 23 17:01:34 CET 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464
Summary: state match sometimes fails RELATED,ESTABLISHED matches
Product: netfilter/iptables
Version: linux-2.6.x
Platform: i386
OS/Version: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P2
Component: unknown
AssignedTo: laforge at netfilter.org
ReportedBy: joerg at dorchain.net
I have a fairly complex setup using the filter table combined with a simple nat
table.
Until recently, everything worked well, but (maybe since the current kernel,
sorry for not tracking it more closely) now sometimes my state match fails. This
happens almost reliably when trying to log in on a certain webserver via https
where the login form is on an http page.
As a workaround, I installed a tcp rule matching on SYN flags. Counters on that
rule go up, so it is actually reached.
Here are excerpts from my filter rules (iptables -n -v -L). This fragment is
called from the input and forward chains. Outgoing packets are all allowed.
num   pkts bytes target prot opt in    out source    destination
2     649K 287M  RETURN all  --  *     *   0.0.0.0/0 0.0.0.0/0  state RELATED,ESTABLISHED
3    32033 2289K RETURN all  --  !ppp0 *   0.0.0.0/0 0.0.0.0/0
4      162 41323 RETURN tcp  --  *     *   0.0.0.0/0 0.0.0.0/0  tcp flags:!0x17/0x02
Line 4 with the tcp match was inserted recently and was not necessary before.
IMHO this line should never be reached, as a) packets coming in via
interfaces other than ppp0 are allowed and b) packets for existing connections
are allowed.
The nat table looks like this:
Chain PREROUTING (policy ACCEPT 49985 packets, 4356K bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 53061 packets, 4356K bytes)
num pkts bytes target prot opt in out source destination
1 84565 6603K MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 137K packets, 11M bytes)
num pkts bytes target prot opt in out source destination
This all happens on a Debian testing system, vanilla kernel 2.6.15 (2.6.16 after
next reboot), iptables v1.3.3. Maybe the fact that ppp0 is pppoe and there is a
rule -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu helps
Bye,
Joerg
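The chain fragment quoted in the report, modelled in Python as an added example (this is not code from the reporter or from the netfilter project). It decodes the `flags:!0x17/0x02` notation that `iptables -n -v -L` prints back into `--tcp-flags` form, and walks the three RETURN rules for a few constructed packets, once without and once with the workaround rule 4, to show which packets fall through. The sample packets are constructed, and the conntrack state given to the untracked mid-stream segment (NEW) is an assumption; a real kernel may report INVALID instead depending on the tcp_loose setting.

```python
"""Model of the RETURN chain fragment from the bug report, with and without the
SYN-flag workaround rule (rule 4). Added illustration, not netfilter code."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# TCP flag bits as iptables shows them in "flags:MASK/COMP" (hex).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def describe_tcp_flags(spec: str) -> str:
    """Translate 'flags:!0x17/0x02' from `iptables -n -v -L` output back into
    the --tcp-flags MASK COMP syntax used on the command line."""
    if spec.startswith("flags:"):
        spec = spec[len("flags:"):]
    negate = spec.startswith("!")
    mask_hex, comp_hex = spec.lstrip("!").split("/")
    mask, comp = int(mask_hex, 16), int(comp_hex, 16)

    def names(bits: int) -> str:
        return ",".join(n for b, n in FLAG_NAMES.items() if bits & b) or "NONE"

    return ("! " if negate else "") + f"--tcp-flags {names(mask)} {names(comp)}"


@dataclass(frozen=True)
class Packet:
    in_iface: str       # incoming interface, e.g. "ppp0" or "eth0"
    proto: str          # "tcp", "udp", ...
    ct_state: str       # what `-m state` sees: NEW, ESTABLISHED, RELATED or INVALID
    tcp_flags: int = 0  # TCP header flag bits (meaningful only for proto == "tcp")


# (rule number from the listing, command-line form, match predicate).
# Every rule has target RETURN, so the first match ends the fragment.
Rule = Tuple[int, str, Callable[[Packet], bool]]

RULE_STATE: Rule = (2, "-m state --state RELATED,ESTABLISHED -j RETURN",
                    lambda p: p.ct_state in ("RELATED", "ESTABLISHED"))
RULE_IFACE: Rule = (3, "! -i ppp0 -j RETURN",
                    lambda p: p.in_iface != "ppp0")
# flags:!0x17/0x02 is ! --tcp-flags FIN,SYN,RST,ACK SYN: it matches every TCP
# segment that is NOT a bare SYN, regardless of conntrack state.
RULE_NOT_SYN: Rule = (4, "-p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN",
                      lambda p: p.proto == "tcp" and (p.tcp_flags & 0x17) != SYN)

CHAIN_BEFORE: List[Rule] = [RULE_STATE, RULE_IFACE]
CHAIN_WITH_WORKAROUND: List[Rule] = [RULE_STATE, RULE_IFACE, RULE_NOT_SYN]


def walk_chain(pkt: Packet, chain: List[Rule]) -> Optional[int]:
    """Number of the rule that RETURNed the packet, or None when it falls
    through to whatever follows the fragment (the 'state match fails' case)."""
    for number, _cmdline, matches in chain:
        if matches(pkt):
            return number
    return None


def compare(pkt: Packet) -> Tuple[Optional[int], Optional[int]]:
    """Returning rule before and after the workaround, side by side."""
    return walk_chain(pkt, CHAIN_BEFORE), walk_chain(pkt, CHAIN_WITH_WORKAROUND)


# Constructed sample traffic (not taken from the report).
LAN_NEW = Packet("eth0", "tcp", "NEW", SYN)               # internal host opening a connection
INBOUND_SYN = Packet("ppp0", "tcp", "NEW", SYN)           # unsolicited connection attempt
REPLY_ACK = Packet("ppp0", "tcp", "ESTABLISHED", ACK)     # normal reply, conntrack entry present
# Mid-stream reply for which conntrack has no entry, so -m state does not see
# ESTABLISHED. Assumed NEW here (could be INVALID depending on tcp_loose).
UNTRACKED_ACK = Packet("ppp0", "tcp", "NEW", ACK | PSH)
# Unsolicited bare ACK from the Internet, as an ACK scan would send.
ACK_PROBE = Packet("ppp0", "tcp", "NEW", ACK)

if __name__ == "__main__":
    print(describe_tcp_flags("flags:!0x17/0x02"))
    for name, pkt in [("LAN_NEW", LAN_NEW), ("INBOUND_SYN", INBOUND_SYN),
                      ("REPLY_ACK", REPLY_ACK), ("UNTRACKED_ACK", UNTRACKED_ACK),
                      ("ACK_PROBE", ACK_PROBE)]:
        before, after = compare(pkt)
        print(f"{name:14s} before: rule {before}   with workaround: rule {after}")
```

The walk makes the caveat visible: rule 4 returns UNTRACKED_ACK, which is the symptom the workaround is meant to cover, but it returns ACK_PROBE for exactly the same reason. Any TCP segment arriving on ppp0 that is not a bare SYN is accepted by the fragment whatever conntrack says about it, so with the workaround in place unsolicited ACK, FIN or RST probes that the state rule alone would have let fall through are waved on to the rest of the chain. That makes rule 4 useful for confirming the symptom (its counters show how many packets the state match missed) rather than a safe replacement for `--state RELATED,ESTABLISHED`.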