* Ulog/filter device name does not match effective device name of data flow: expected?
@ 2012-01-10 13:04 Fiedler Roman
  2012-01-12  2:46 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Fiedler Roman @ 2012-01-10 13:04 UTC (permalink / raw)
  To: netfilter-devel

Hi,

Just a question: is this intended behavior in NAT/logging with ulog/filter? I know it should be some border case:


In test environment, all 10/8 IPs are routed via lo by default to avoid test data from 10/8 net leaving the host.

10.0.0.0/8 dev lo  scope link  src 10.0.0.1

To allow some connections to reach machines outside, these connections are natted, e.g.

iptables -t nat -A OUTPUT -o lo -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.172:80

This allows creating the connection, but with two side effects:

Although the packet leaves via eth0, ulog will report OUT=lo:

Jan 10 12:06:13 v3lsn1105 iptables:ACCEPT-INFO IN= OUT=lo MAC= SRC=10.xx.xx.3 DST=xxxx.172 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=46425 CE DF PROTO=TCP SPT=48808 DPT=80 SEQ=1237479374 ACK=0 WINDOW=32792 SYN URGP=0

To accept the connection, OUTPUT on lo has to be accepted (using a filter rule with -o lo), although the packet leaves via eth0.

Is this expected behavior?

Kind regards,
Roman

DI Roman Fiedler
Engineer
Safety & Security Department
Information Management & eHealth

AIT Austrian Institute of Technology GmbH
Reininghausstraße 13/1  |  8020 Graz  |  Austria
T +43(0) 50550 2957  |  M +43(0) 664 8561599  |  F +43(0) 50550 2950
roman.fiedler@ait.ac.at | http://www.ait.ac.at/

FN: 115980 i HG Wien  |  UID: ATU14703506
This email and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient, please notify the sender by return e-mail or by telephone and delete this message from your system and any printout thereof. Any unauthorized use, reproduction, or dissemination of this message is strictly prohibited. Please note that e-mails are susceptible to change. AIT Austrian Institute of Technology GmbH shall not be liable for the improper or incomplete transmission of the information contained in this communication, nor shall it be liable for any delay in its receipt.


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: Ulog/filter device name does not match effective device name of data flow: expected?
  2012-01-10 13:04 Ulog/filter device name does not match effective device name of data flow: expected? Fiedler Roman
@ 2012-01-12  2:46 ` Pablo Neira Ayuso
  2012-01-12  8:50   ` AW: " Fiedler Roman
  0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2012-01-12  2:46 UTC (permalink / raw)
  To: Fiedler Roman; +Cc: netfilter-devel

On Tue, Jan 10, 2012 at 02:04:12PM +0100, Fiedler Roman wrote:
> Hi,
> 
> Just a question: is this intended behavior in NAT/logging with ulog/filter? I know it should be some border case:
> 
> 
> In test environment, all 10/8 IPs are routed via lo by default to avoid test data from 10/8 net leaving the host.
> 
> 10.0.0.0/8 dev lo  scope link  src 10.0.0.1
> 
> To allow some connections to reach machines outside, these connections are natted, e.g.
> 
> iptables -t nat -A OUTPUT -o lo -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.172:80
> 
> This allows creating the connection, but with two side effects:
> 
> Although the packet leaves via eth0, ulog will report OUT=lo:
> 
> Jan 10 12:06:13 v3lsn1105 iptables:ACCEPT-INFO IN= OUT=lo MAC= SRC=10.xx.xx.3 DST=xxxx.172 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=46425 CE DF PROTO=TCP SPT=48808 DPT=80 SEQ=1237479374 ACK=0 WINDOW=32792 SYN URGP=0

You forgot to paste your NFLOG rule. Where is it?


* AW: Ulog/filter device name does not match effective device name of data flow: expected?
  2012-01-12  2:46 ` Pablo Neira Ayuso
@ 2012-01-12  8:50   ` Fiedler Roman
  2012-01-13 13:15     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Fiedler Roman @ 2012-01-12  8:50 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel



> -----Original Message-----
> From: Pablo Neira Ayuso [mailto:pablo@netfilter.org]
> Sent: Thursday, 12 January 2012 03:47
> To: Fiedler Roman
> Cc: netfilter-devel@vger.kernel.org
> Subject: Re: Ulog/filter device name does not match effective device name of data flow: expected?
> 
> On Tue, Jan 10, 2012 at 02:04:12PM +0100, Fiedler Roman wrote:
> > Hi,
> >
> > Just a question: is this intended behavior in NAT/logging with ulog/filter? I know it should be some border case:
> >
> >
> > In test environment, all 10/8 IPs are routed via lo by default to avoid test data from 10/8 net leaving the host.
> >
> > 10.0.0.0/8 dev lo  scope link  src 10.0.0.1
> >
> > To allow some connections to reach machines outside, these connections are natted, e.g.
> >
> > iptables -t nat -A OUTPUT -o lo -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.172:80
> >
> > This allows creating the connection, but with two side effects:
> >
> > Although the packet leaves via eth0, ulog will report OUT=lo:
> >
> > Jan 10 12:06:13 v3lsn1105 iptables:ACCEPT-INFO IN= OUT=lo MAC= SRC=10.xx.xx.3 DST=xxxx.172 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=46425 CE DF PROTO=TCP SPT=48808 DPT=80 SEQ=1237479374 ACK=0 WINDOW=32792 SYN URGP=0
> 
> You forgot to paste your NFLOG rule. Where is it?

Sorry about that:

* Accept and log chain:

iptables -A ACCEPT-INFO -j ULOG --ulog-prefix "iptables:ACCEPT-INFO"
iptables -A ACCEPT-INFO -j ACCEPT

* Accept TCP chain:

iptables -A ACCEPT-INFO-TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT-INFO

* Output rule:

iptables -A OUTPUT -s 10.xx.xx.3 -d xxxx.172/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT-INFO-TCP



* Re: Ulog/filter device name does not match effective device name of data flow: expected?
  2012-01-12  8:50   ` AW: " Fiedler Roman
@ 2012-01-13 13:15     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2012-01-13 13:15 UTC (permalink / raw)
  To: Fiedler Roman; +Cc: netfilter-devel

On Thu, Jan 12, 2012 at 09:50:24AM +0100, Fiedler Roman wrote:
> 
> 
> > -----Original Message-----
> > From: Pablo Neira Ayuso [mailto:pablo@netfilter.org]
> > Sent: Thursday, 12 January 2012 03:47
> > To: Fiedler Roman
> > Cc: netfilter-devel@vger.kernel.org
> > Subject: Re: Ulog/filter device name does not match effective device name of data flow: expected?
> > 
> > On Tue, Jan 10, 2012 at 02:04:12PM +0100, Fiedler Roman wrote:
> > > Hi,
> > >
> > > Just a question: is this intended behavior in NAT/logging with ulog/filter? I know it should be some border case:
> > >
> > >
> > > In test environment, all 10/8 IPs are routed via lo by default to avoid test data from 10/8 net leaving the host.
> > >
> > > 10.0.0.0/8 dev lo  scope link  src 10.0.0.1
> > >
> > > To allow some connections to reach machines outside, these connections are natted, e.g.
> > >
> > > iptables -t nat -A OUTPUT -o lo -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.172:80
> > >
> > > This allows creating the connection, but with two side effects:
> > >
> > > Although the packet leaves via eth0, ulog will report OUT=lo:
> > >
> > > Jan 10 12:06:13 v3lsn1105 iptables:ACCEPT-INFO IN= OUT=lo MAC= SRC=10.xx.xx.3 DST=xxxx.172 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=46425 CE DF PROTO=TCP SPT=48808 DPT=80 SEQ=1237479374 ACK=0 WINDOW=32792 SYN URGP=0
> > 
> > You forgot to paste your NFLOG rule. Where is it?
> 
> Sorry about that:
> 
> * Accept and log chain:
> 
> iptables -A ACCEPT-INFO -j ULOG --ulog-prefix "iptables:ACCEPT-INFO"
> iptables -A ACCEPT-INFO -j ACCEPT
> 
> * Accept TCP chain:
> 
> iptables -A ACCEPT-INFO-TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT-INFO
> 
> * Output rule:
> 
> iptables -A OUTPUT -s 10.xx.xx.3 -d xxxx.172/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT-INFO-TCP

The routing happens after OUTPUT. To see the correct output device you have
to add this rule in POSTROUTING.

This is a feature.
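The ruleset Pablo's answer implies, written out as an added example that is neither part of the thread nor Roman's original rules: DNAT in nat OUTPUT, the accept in filter OUTPUT matched on addresses rather than on the stale device, and the log rule moved to mangle POSTROUTING, where the route re-lookup after DNAT has already taken effect and OUT= names the real uplink. The external address 192.0.2.172 (a TEST-NET-2 stand-in for the masked xxx.172), the source 10.0.0.3, the interface eth0 and the NFLOG target (the successor of the ULOG target used in the original rules) are assumptions. DRY_RUN=1, the default, prints the commands instead of loading them, so the script runs without root or netfilter.

```shell
#!/bin/sh
# Added example, not code from the thread: the ruleset the thread converges
# on, with the log rule moved from filter OUTPUT to mangle POSTROUTING.
# Assumptions (not in the original mails): the masked host xxx.172 is stood
# in by EXT_IP (192.0.2.172), the local source is 10.0.0.3, the real uplink
# is eth0, and NFLOG replaces the ULOG target of the original rules.
set -eu

EXT_IP="${EXT_IP:-192.0.2.172}"   # stand-in for the masked xxx.172
TEST_DST="${TEST_DST:-10.0.0.5}"  # test-net address that is DNATed outward
SRC_IP="${SRC_IP:-10.0.0.3}"      # local address the test traffic uses
WAN_IF="${WAN_IF:-eth0}"          # interface the packet really leaves on
DRY_RUN="${DRY_RUN:-1}"           # 1: print the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 (no root needed).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ipt() { run iptables "$@"; }

install_rules() {
    # 1. Route the whole test net to lo so test traffic cannot leak by default.
    run ip route replace 10.0.0.0/8 dev lo scope link src 10.0.0.1

    # 2. nat OUTPUT (runs first in the LOCAL_OUT hook): rewrite the one
    #    permitted test destination. The packet was routed to lo before the
    #    hook, so -o lo matches here and still matches in filter OUTPUT.
    ipt -t nat -A OUTPUT -o lo -d "$TEST_DST" -p tcp --dport 80 \
        -j DNAT --to-destination "$EXT_IP:80"

    # 3. filter OUTPUT (same hook, after DNAT): DST is already rewritten but
    #    OUT is still lo. Match on addresses, not on the pre-NAT device, so
    #    the accept rule does not depend on the stale interface name.
    ipt -A OUTPUT -s "$SRC_IP" -d "$EXT_IP" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 4. mangle POSTROUTING: the re-route after DNAT has happened, so OUT= in
    #    the log is the interface the packet actually leaves on. SRC is still
    #    the pre-SNAT address because nat POSTROUTING runs after mangle.
    ipt -t mangle -A POSTROUTING -o "$WAN_IF" -d "$EXT_IP" -p tcp --dport 80 \
        --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW \
        -j NFLOG --nflog-prefix "iptables:ACCEPT-INFO"
}

# show_routes: the two lookups behind the behaviour. The first is the one
# the OUTPUT hook used (dev lo); the second is what POSTROUTING sees after
# the destination has been rewritten.
show_routes() {
    run ip route get "$TEST_DST"
    run ip route get "$EXT_IP"
}

install_rules
show_routes
```

Run it as `DRY_RUN=0 sh rules.sh` as root to load the rules; the default prints them. The original log line already carries the rewritten DST but OUT=lo, which is consistent with the hook order: nat OUTPUT rewrites the destination before filter OUTPUT runs, but every chain in that one LOCAL_OUT traversal is handed the output device resolved when the packet entered the hook, and the re-route after DNAT only shows up from POSTROUTING on. That is why the filter OUTPUT accept must either match `-o lo` or, as above, avoid matching on the interface at all.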

