
Opened 9 years ago

Closed 9 years ago

Last modified 4 years ago

#5041 closed defect (fixed)

iptables 1.4.3.2 broken in kamikaze

Reported by: anonymous
Owned by: nbd
Priority: highest
Milestone: Barrier Breaker 14.07
Component: kernel
Version: Trunk
Keywords:
Cc:

Description

If you do a simple rule like:

iptables -t mangle -A PREROUTING -p udp -m state --state NEW -j LOG

you can see tcp packets are also being logged. If you do the same rule for tcp, you will see udp packets being logged.
So -p tcp or -p udp will mark both packet protocols. This breaks every mark in qos scripts and will make the firewall unpredictable at a certain level.

Attachments (1)

ticket-5041.patch (4.0 KB) - added by nico 9 years ago.
Possible fix


Change History (10)

comment:1 Changed 9 years ago by colchaodemola@…

Well, let me put some way to reproduce this:

iptables -F -t mangle [make sure there is no other rule here]
iptables -t mangle -A PREROUTING -p udp -m state --state NEW -j LOG

now do:

logread -f |grep -i tcp

and download something, e.g.:

{{{
wget http://mirrors.uol.com.br/pub/suse/distribution/11.0/iso/cd/openSUSE-11.0-NET-i386.iso -O /dev/null
}}}

As you can see, the tcp packet generated by wget is being logged for a rule that should only log udp packets.

comment:2 Changed 9 years ago by anonymous

I am on revision:

KAMIKAZE (bleeding edge, r15554)

root@OpenWrt:~# iptables -V
iptables v1.4.3.2
root@OpenWrt:~# uname -a
Linux OpenWrt 2.6.28.9 #6 Sat May 2 16:29:01 BRT 2009 mips unknown

comment:3 Changed 9 years ago by anonymous

target = broadcom 2.6

comment:4 Changed 9 years ago by grulli

I sent that (as talked about on IRC).

I can reproduce the exact behaviour on revision 15533 on a Wl500gPremiumV1

root@OpenWrt:~# uname -a
Linux OpenWrt 2.6.28.9 #2 Fri May 1 17:19:34 CEST 2009 mips unknown
root@OpenWrt:~# iptables -V
iptables v1.4.3.2
root@OpenWrt:~# logread -f |grep -i tcp
Feb 6 19:42:21 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:1a:92:5a:a0:66:00:18:f3:9f:d5:4c:08:00 SRC=192.168.64.145 DST=200.221.9.36 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14339 DF PROTO=TCP SPT=42686 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 6 19:42:41 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:1a:92:5a:a0:66:00:18:f3:9f:d5:4c:08:00 SRC=192.168.64.145 DST=85.13.134.214 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50052 DF PROTO=TCP SPT=49135 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 6 19:42:51 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:1a:92:5a:a0:66:00:18:f3:9f:d5:4c:08:00 SRC=192.168.64.145 DST=85.13.134.214 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23628 DF PROTO=TCP SPT=49136 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 6 19:42:51 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:1a:92:5a:a0:66:00:18:f3:9f:d5:4c:08:00 SRC=192.168.64.145 DST=74.125.43.121 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32383 DF PROTO=TCP SPT=34137 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

comment:5 Changed 9 years ago by nico

Confirmed on UML with r15562

comment:6 Changed 9 years ago by grulli

Sorry for the bad bug report above...

as said: on revision 15533 on a Wl500gPremiumV1

root@OpenWrt:~# uname -a
Linux OpenWrt 2.6.28.9 #2 Fri May 1 17:19:34 CEST 2009 mips unknown
root@OpenWrt:~# iptables -V
iptables v1.4.3.2
root@OpenWrt:~# logread -f |grep -i tcp
Feb  6 20:51:34 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:1a:92:5a:a0:66:00:18:f3:9f:d5:4c:08:00 SRC=192.168.64.145 DST=192.168.64.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47538 DF PROTO=TCP SPT=60010 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb  6 20:51:35 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:1a:92:5a:a0:66:00:18:f3:9f:d5:4c:08:00 SRC=192.168.64.145 DST=192.168.64.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51458 DF PROTO=TCP SPT=60011 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb  6 20:51:36 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:1a:92:5a:a0:66:00:18:f3:9f:d5:4c:08:00 SRC=192.168.64.145 DST=192.168.64.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9763 DF PROTO=TCP SPT=60012 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb  6 20:51:37 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:1a:92:5a:a0:66:00:18:f3:9f:d5:4c:08:00 SRC=192.168.64.145 DST=192.168.64.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19480 DF PROTO=TCP SPT=60013 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb  6 20:51:38 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:1a:92:5a:a0:66:00:18:f3:9f:d5:4c:08:00 SRC=192.168.64.145 DST=192.168.64.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38015 DF PROTO=TCP SPT=60014 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 
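
An added check, not part of the ticket or of OpenWrt's own code, that reads kernel LOG lines like the ones above and reports every packet whose PROTO field is not the protocol the rule was written with; for a working `-p udp` match the count must be zero. The sample log it runs on offline is constructed in the logread format of comment 6, with placeholder MAC and RFC 5737 addresses rather than captured data; `reproduce_on_router` replays the steps from comment 1 on a real router, and the URL argument and the `t5041` log prefix are placeholders chosen here:

```sh
#!/bin/sh
# Added example for OpenWrt ticket #5041, not code from the ticket or from OpenWrt.
# Checks netfilter LOG output for packets whose PROTO field is not the protocol
# the logging rule was written for, i.e. the symptom reported above.

# Print only the lines in which PROTO= names a protocol other than $1
# (case-insensitive: "udp" and "UDP" both work). Lines without a PROTO=
# field, such as unrelated kernel messages, are dropped.
list_proto_mismatch() {
    want=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    awk -v want="$want" '{
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 6) == "PROTO=" && substr($i, 7) != want) { print; break }
    }'
}

# Number of such lines, as a bare integer on stdout (0 means the -p match worked).
count_proto_mismatch() {
    list_proto_mismatch "$1" | wc -l | tr -d ' '
}

# Constructed sample log, modelled on the logread format shown in comment 6;
# MAC addresses and IPs are placeholders, not captured data.
sample_log() {
    cat <<'EOF'
Feb  6 20:51:34 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47538 DF PROTO=TCP SPT=60010 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  6 20:51:35 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51458 DF PROTO=TCP SPT=60011 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  6 20:51:36 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=9763 DF PROTO=UDP SPT=45120 DPT=53 LEN=41
Feb  6 20:51:37 OpenWrt user.warn kernel: IN=br-lan OUT= PHYSIN=eth0.0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=19480 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb  6 20:51:38 OpenWrt user.info kernel: device eth0.0 entered promiscuous mode
EOF
}

# The reproduction from comment 1, wrapped so it can be rerun after an upgrade.
# Must run as root on the router; $1 is the protocol given to -p, $2 a URL that
# wget fetches to create NEW TCP connections. The rule is removed again afterwards.
# Assumes the LOG target and logread are available, as in the ticket; the
# 't5041 ' prefix is a placeholder chosen here to pick out only this rule's lines.
reproduce_on_router() {
    iptables -t mangle -I PREROUTING -p "$1" -m state --state NEW -j LOG --log-prefix 't5041 '
    wget -q -O /dev/null "$2" || true
    iptables -t mangle -D PREROUTING -p "$1" -m state --state NEW -j LOG --log-prefix 't5041 '
    logread | grep 't5041 ' | list_proto_mismatch "$1"
}

# Offline demonstration on the constructed sample: a rule written with -p udp
# should never have produced the TCP or ICMP lines.
sample_log | list_proto_mismatch udp
echo "mismatches for -p udp: $(sample_log | count_proto_mismatch udp)"
```

On a router, `reproduce_on_router udp http://some-host/some-file` should print nothing once the match is fixed; before the fix it prints the TCP SYN lines of the download, exactly as in the logs above. Only NEW-state packets are logged by the rule, so a single download produces one line per connection rather than one per packet.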

comment:7 Changed 9 years ago by nico

  • Component changed from packages to kernel
  • Owner changed from developers to nbd
  • Version set to Trunk

Found it: removing the following patches seems to fix the problem:

./target/linux/generic-2.6/patches-2.6.28/110-netfilter_match_speedup.patch
./target/linux/generic-2.6/patches-2.6.29/110-netfilter_match_speedup.patch
./target/linux/generic-2.6/patches-2.6.30/110-netfilter_match_speedup.patch

Changed 9 years ago by nico

Possible fix

comment:8 Changed 9 years ago by nico

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in [15574], thanks!

comment:9 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
