From mboxrd@z Thu Jan 1 00:00:00 1970
From: Marco Gaiarin
Date: Tue, 25 May 2021 10:36:39 +0000
Subject: Connection tracking debugging?!
Message-Id: <20210525103639.GF3214@sv.lnf.it>
To: lartc@vger.kernel.org

I've done some changes in a remote site, managed by a linux/netfilter
firewall; mostly I've added more clients, but also changed connectivity
(provider).

After that I've started to catch some little troubles, e.g. random
disconnection in videoconferencing (Zoom) and in an ICA client.

Seems to me vaguely a 'connection tracking' trouble...

I've added these rules:

    iptables -A std-cleanup -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "C=std-cleanup A=inv L=err "
    iptables -A std-cleanup -m conntrack --ctstate INVALID -j DROP

linked to the INPUT and FORWARD chains, and effectively I catch 'invalid' events:

    May 25 11:45:49 prosecco kernel: [789480.844612] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16685 DF PROTO=TCP SPT=50944 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    May 25 11:45:50 prosecco kernel: [789482.292680] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16873 DF PROTO=TCP SPT=50940 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    May 25 11:50:00 prosecco kernel: [789732.718655] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=30802 DF PROTO=TCP SPT=51274 DPT=443 WINDOW=0 RES=0x00 RST URGP=0

so it seems to me that in some way the connection tracking 'loses' the
tracking, and clearly afterward the package gets marked invalid, forcing
a reconnection.

Using the 'conntrack' helper shows nothing strange to me, or at least
nothing different from other similar installations that instead work as
expected.

How can I 'debug' this issue?

Thanks.

-- 
dott. Marco Gaiarin                        GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''        http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
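
One way to triage the LOG output quoted in the message above, as an added example that is not part of the original post: parse the netfilter LOG lines and group the INVALID hits by source, destination, port and TCP flags, to see whether they come from one client and one packet type. The function names and the match on the `A=inv` log prefix are assumptions of this example.

```python
import re
from collections import Counter

# The three kernel log lines from the post, with the quoted-printable
# transfer encoding decoded; syslog timestamp and MAC field trimmed for width.
SAMPLE = """\
C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16685 DF PROTO=TCP SPT=50944 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16873 DF PROTO=TCP SPT=50940 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=30802 DF PROTO=TCP SPT=51274 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value pairs written by the LOG target
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_line(line, prefix="A=inv"):
    """Return the fields of a LOG line carrying `prefix`, or None if it does not match."""
    if prefix not in line:
        return None
    body = line.split(prefix, 1)[1]
    fields = dict(KV.findall(body))
    tokens = body.split()                      # flags are bare tokens; URGP=0 is not URG
    fields["FLAGS"] = tuple(f for f in TCP_FLAGS if f in tokens)
    return fields


def summarise(text):
    """Count INVALID TCP hits per (src, dst, dport, flags)."""
    flows = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f and f.get("PROTO") == "TCP":
            flows[(f["SRC"], f["DST"], int(f["DPT"]), f["FLAGS"])] += 1
    return flows


if __name__ == "__main__":
    for (src, dst, dport, flags), n in summarise(SAMPLE).most_common():
        print(f"{n:4d}  {src} -> {dst}:{dport}  flags={'+'.join(flags) or '-'}")
```

On the quoted lines every hit is a bare RST with WINDOW=0 from 10.10.2.169 to 93.41.169.27 port 443, each from a different source port.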