[Bug 968] New: CONNMARK failing open silently?

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Aug 7 23:09:23 CEST 2014 

https://bugzilla.netfilter.org/show_bug.cgi?id=968

           Summary: CONNMARK failing open silently?
           Product: netfilter/iptables
           Version: unspecified
          Platform: x86_64
        OS/Version: Ubuntu
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nf_conntrack
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: hazael+netfilter at google.com
   Estimated Hours: 0.0


Repeatedly connmarking the same flow seems to cause that flow not to get
matched at times:

iptables -Z OUTPUT
(wait some time)
iptables -L OUTPUT -nv
Chain OUTPUT (policy ACCEPT 4780 packets, 494K bytes)
 pkts bytes target     prot opt in     out     source               destination 
 6664  658K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         CONNMARK set 0x1
 5367  547K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         connmark match  0x1
    2    92 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         LOG flags 0 level 4

The resulting 2 log lines:
[13975.853660] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00
TTL=64 ID=58972 DF PROTO=TCP SPT=59106 DPT=53116 WINDOW=350 RES=0x00 ACK FIN
URGP=0 
[13975.853707] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=20857 DF PROTO=TCP SPT=53116 DPT=59106 WINDOW=0 RES=0x00 RST URGP=0 

This doesn't just happen to localhost, I just happened to only get localhost
entries in this attempt.

According to conntrack -L:
conntrack v1.0.0 (conntrack-tools): 439 flow entries have been shown.

My completely uneducated guess is that some conntrack queue is spilling over
without indication.

While this is definitely a poor example (using plain MARKs or accepting
established traffic prior works fine) I still feel this is a bug... repeatedly
marking the same set of traffic shouldn't randomly unmark packets (or at the
very least it should complain loudly about it.)

Tested on a 3.13 kernel, iptables version v1.4.12

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the netfilter-buglog mailing list