From: Marco Gaiarin <gaio@sv.lnf.it>
To: lartc@vger.kernel.org
Subject: Connection tracking debugging?!
Date: Tue, 25 May 2021 10:36:39 +0000
Message-ID: <20210525103639.GF3214@sv.lnf.it>


I've done some changes in a remote site, managed by a linux/netfilter
firewall; mostly I've added more clients, but also changed connectivity
(provider).


After that I've started to catch some little troubles, e.g. random
disconnections in videoconferencing (Zoom) and in an ICA client. Seems
to me vaguely a 'connection tracking' trouble...

I've added these rules:

 iptables -A std-cleanup -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "C=std-cleanup A=inv L=err "
 iptables -A std-cleanup -m conntrack --ctstate INVALID -j DROP

linked to the INPUT and FORWARD chains, and effectively I catch 'invalid'
events:

 May 25 11:45:49 prosecco kernel: [789480.844612] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16685 DF PROTO=TCP SPT=50944 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
 May 25 11:45:50 prosecco kernel: [789482.292680] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16873 DF PROTO=TCP SPT=50940 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
 May 25 11:50:00 prosecco kernel: [789732.718655] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=30802 DF PROTO=TCP SPT=51274 DPT=443 WINDOW=0 RES=0x00 RST URGP=0

so it seems to me that in some way the connection tracking 'loses' the
tracking, and clearly afterward the packets get marked invalid, forcing
a reconnection.


Using the 'conntrack' helper shows nothing strange to me, or at least
nothing different from other similar installations that instead work as
expected.


How can I 'debug' this issue? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
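
Added example, not part of the original message: a small Python triage script that groups kernel LOG lines carrying the `C=std-cleanup A=inv` prefix from the rule above by flow and TCP flags, so repeated INVALID hits from one client stand out. The sample lines, the host name `fw` and the addresses are constructed; only the log prefix and field layout follow the post.

```python
import re
from collections import Counter

PREFIX = "C=std-cleanup A=inv"   # --log-prefix from the rule in the post
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
KV = re.compile(r"(\w+)=(\S*)")

# Constructed sample input (documentation addresses, hypothetical host "fw").
_LINE = ("May 25 11:45:4{n} fw kernel: [100.00000{n}] {prefix} L=err IN=eth0 OUT=ppp0 "
         "MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC={src} DST=198.51.100.7 "
         "LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID={n} DF PROTO=TCP SPT=5094{n} DPT=443 "
         "WINDOW=0 RES=0x00 {flags} URGP=0")
SAMPLE = "\n".join([
    _LINE.format(n=1, prefix=PREFIX, src="192.0.2.10", flags="RST"),
    _LINE.format(n=2, prefix=PREFIX, src="192.0.2.10", flags="RST"),
    _LINE.format(n=3, prefix=PREFIX, src="192.0.2.11", flags="ACK FIN"),
    _LINE.format(n=4, prefix="C=other A=drop", src="192.0.2.12", flags="SYN"),
])

def parse(line):
    """Return the KEY=VALUE fields of one INVALID log line, or None if not ours."""
    if PREFIX not in line:
        return None
    body = line.split(PREFIX, 1)[1]
    fields = dict(KV.findall(body))
    tokens = body.split()
    # TCP flags are logged as bare words between RES= and URGP=.
    fields["FLAGS"] = "+".join(f for f in TCP_FLAGS if f in tokens) or "-"
    return fields

def summarize(text):
    """Count INVALID hits per (src, dst, proto, dport, flags), ignoring source port."""
    hits = Counter()
    for line in text.splitlines():
        f = parse(line)
        if f:
            key = (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"), f["FLAGS"])
            hits[key] += 1
    return hits

if __name__ == "__main__":
    for flow, count in summarize(SAMPLE).most_common():
        print(count, *flow)
```
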
