* NAT-PMP connections not tracked with nf_conntrack
@ 2010-10-13 14:27 Mr Dash Four
  2010-10-16 15:50 ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: Mr Dash Four @ 2010-10-13 14:27 UTC (permalink / raw)
  To: netfilter

I have configured a personal vpn with NAT-PMP (which extends from my 
local to the remote vpn endpoints), but that connection does not appear 
to be tracked by the nf_conntrack. I see the connection made in netstat, 
but not in nf_conntrack. Is that a bug or is there any other way I can 
track this connection?


* Re: NAT-PMP connections not tracked with nf_conntrack
  2010-10-13 14:27 NAT-PMP connections not tracked with nf_conntrack Mr Dash Four
@ 2010-10-16 15:50 ` Jan Engelhardt
  2010-10-16 16:35   ` Mr Dash Four
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-10-16 15:50 UTC (permalink / raw)
  To: Mr Dash Four; +Cc: netfilter

On Wednesday 2010-10-13 16:27, Mr Dash Four wrote:

>I have configured a personal vpn with NAT-PMP (which extends from my 
>local to the remote vpn endpoints), but that connection does not appear 
>to be tracked by the nf_conntrack.

Are you using any NOTRACK rules?

>I see the connection made in netstat, but not in nf_conntrack. Is that 
>a bug or is there any other way I can track this connection?


* Re: NAT-PMP connections not tracked with nf_conntrack
  2010-10-16 15:50 ` Jan Engelhardt
@ 2010-10-16 16:35   ` Mr Dash Four
  2010-10-16 17:49     ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: Mr Dash Four @ 2010-10-16 16:35 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter


>> I have configured a personal vpn with NAT-PMP (which extends from my 
>> local to the remote vpn endpoints), but that connection does not appear 
>> to be tracked by the nf_conntrack.
>>     
>
> Are you using any NOTRACK rules?
>   
Not that I am aware of (I use Shorewall). How do I check that?



* Re: NAT-PMP connections not tracked with nf_conntrack
  2010-10-16 16:35   ` Mr Dash Four
@ 2010-10-16 17:49     ` Jan Engelhardt
  2010-10-16 18:04       ` Mr Dash Four
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-10-16 17:49 UTC (permalink / raw)
  To: Mr Dash Four; +Cc: netfilter

On Saturday 2010-10-16 18:35, Mr Dash Four wrote:

>
>>> I have configured a personal vpn with NAT-PMP (which extends from my local to
>>> the remote vpn endpoints), but that connection does not appear to be tracked
>>> by the nf_conntrack.
>>>    
>>
>> Are you using any NOTRACK rules?
>>  
> Not that I am aware of (I use Shorewall). How do I check that?
>

ip6tables-save, or its respective v4 part.



* Re: NAT-PMP connections not tracked with nf_conntrack
  2010-10-16 17:49     ` Jan Engelhardt
@ 2010-10-16 18:04       ` Mr Dash Four
  2010-11-14 10:41         ` Mr Dash Four
  0 siblings, 1 reply; 9+ messages in thread
From: Mr Dash Four @ 2010-10-16 18:04 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter


> ip6tables-save, or its respective v4 part.
>   
iptables-save | grep NOTRACK returns nothing, so I assume that I am not 
using this.


* Re: NAT-PMP connections not tracked with nf_conntrack
  2010-10-16 18:04       ` Mr Dash Four
@ 2010-11-14 10:41         ` Mr Dash Four
  2010-11-15 13:58           ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: Mr Dash Four @ 2010-11-14 10:41 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter


>
>> ip6tables-save, or its respective v4 part.
>>   
> iptables-save | grep NOTRACK returns nothing, so I assume that I am 
> not using this.
Any ideas? The connection is definitely not tracked and could be seen 
with netstat from local to the remote point on the VPN.


* Re: NAT-PMP connections not tracked with nf_conntrack
  2010-11-14 10:41         ` Mr Dash Four
@ 2010-11-15 13:58           ` Jan Engelhardt
  2010-11-15 21:50             ` Mr Dash Four
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-11-15 13:58 UTC (permalink / raw)
  To: Mr Dash Four; +Cc: netfilter

On Sunday 2010-11-14 11:41, Mr Dash Four wrote:
>>
>>> ip6tables-save, or its respective v4 part.
>>>  
>> iptables-save | grep NOTRACK returns nothing, so I assume that I am not using
>> this.
>
> Any ideas? The connection is definitely not tracked and could be seen with
> netstat from local to the remote point on the VPN.

No idea. If I were to look at the system directly maybe.



* Re: NAT-PMP connections not tracked with nf_conntrack
  2010-11-15 13:58           ` Jan Engelhardt
@ 2010-11-15 21:50             ` Mr Dash Four
  2010-11-15 21:59               ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: Mr Dash Four @ 2010-11-15 21:50 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter


>> Any ideas? The connection is definitely not tracked and could be seen with
>> netstat from local to the remote point on the VPN.
>>     
>
> No idea. If I were to look at the system directly maybe.
>   
If I can help you with providing some more info I would - just let me 
know, but the connection is definitely there and is definitely not 
tracked. When I execute 'netstat --inet -an' I get it listed, like:

udp        0      0 10.1.1.2:51602              10.1.1.1:5351               ESTABLISHED

This is not showing with "cat /proc/net/nf_conntrack | grep 5351" or 
"cat /proc/net/nf_conntrack | grep 51602"


* Re: NAT-PMP connections not tracked with nf_conntrack
  2010-11-15 21:50             ` Mr Dash Four
@ 2010-11-15 21:59               ` Jan Engelhardt
  0 siblings, 0 replies; 9+ messages in thread
From: Jan Engelhardt @ 2010-11-15 21:59 UTC (permalink / raw)
  To: Mr Dash Four; +Cc: netfilter


On Monday 2010-11-15 22:50, Mr Dash Four wrote:
>
>>> Any ideas? The connection is definitely not tracked and could be seen with
>>> netstat from local to the remote point on the VPN.
>>>    
>>
>> No idea. If I were to look at the system directly maybe.
>>  
> If I can help you with providing some more info I would - just let me know, but
> the connection is definitely there and is definitely not tracked. When I
> execute 'netstat --inet -an' I get it listed, like:
> udp        0      0 10.1.1.2:51602              10.1.1.1:5351               ESTABLISHED
>
> This is not showing with "cat /proc/net/nf_conntrack | grep 5351" or "cat
> /proc/net/nf_conntrack | grep 51602"

Well yes you said that already. BTW, netstat is obsolete, use ss.
The cat is also not necessary (Useless use of cat), just use grep,
but alas, the conntrack utility is a better solution.


The first thing I'd probably do is add a -p udp --dport 5351 -j LOGMARK
(xtables-addons) target rule in the mangle table to check for the ct
status. After that, it's pretty much kernel code debugging in
nf_conntrack_proto_udp.c, doing a spatial bisect for where the ct
gets (not) created.

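The cross-check discussed in this thread (a connected UDP socket that has no conntrack entry) can be scripted; the following is an added example, not code from any participant. The function name `untracked_udp`, the `demo` helper and all sample lines are constructed for illustration, and the match is limited to IPv4.

```shell
#!/bin/sh
# Added example: list connected UDP sockets that have no conntrack entry.
# usage: untracked_udp CONNTRACK_DUMP SS_DUMP
#   CONNTRACK_DUMP: /proc/net/nf_conntrack or saved `conntrack -L` output
#   SS_DUMP:        saved output of `ss -H -uan`
untracked_udp() {
    awk '
    # First file: conntrack entries. Index the original and the reply tuple.
    FILENAME == ARGV[1] {
        if ($1 != "udp" && $3 != "udp") next
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")   { n++; s[n] = kv[2] }
            if (kv[1] == "dst")   d[n]  = kv[2]
            if (kv[1] == "sport") sp[n] = kv[2]
            if (kv[1] == "dport") dp[n] = kv[2]
        }
        for (j = 1; j <= n; j++)
            seen[s[j] ":" sp[j] ">" d[j] ":" dp[j]] = 1
        next
    }
    # Second file: only connected sockets have a fixed peer to look up.
    $1 == "ESTAB" && !(($4 ">" $5) in seen) { print $4, "->", $5 }
    ' "$1" "$2"
}

# Constructed sample data: one tracked DNS flow, one tracked NTP flow seen
# from the reply side, and the NAT-PMP socket from the thread (port 5351).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/ct" <<'EOF'
ipv4     2 udp      17 28 src=10.1.1.2 dst=10.1.1.1 sport=40000 dport=53 src=10.1.1.1 dst=10.1.1.2 sport=53 dport=40000 mark=0 use=2
ipv4     2 udp      17 12 src=10.1.1.5 dst=10.1.1.2 sport=123 dport=123 [UNREPLIED] src=10.1.1.2 dst=10.1.1.5 sport=123 dport=123 mark=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=10.1.1.2 dst=10.1.1.1 sport=51602 dport=5351 src=10.1.1.1 dst=10.1.1.2 sport=5351 dport=51602 mark=0 use=2
EOF
    cat > "$dir/ss" <<'EOF'
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
ESTAB  0 0 10.1.1.2:40000 10.1.1.1:53
ESTAB  0 0 10.1.1.2:123 10.1.1.5:123
ESTAB  0 0 10.1.1.2:51602 10.1.1.1:5351
EOF
    untracked_udp "$dir/ct" "$dir/ss"
    rm -rf "$dir"
}
demo
```

On a live system, save `ss -H -uan` to a file and pass `/proc/net/nf_conntrack` as the first argument (reading it requires root).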
