if nfqnl_test utility (libnetfilter_queue) drops a packet the utility receives the packet again

if nfqnl_test utility (libnetfilter_queue) drops a packet the utility receives the packet again

[Valeri Sytnik]

Hello,

Subject:
if nfqnl_test utility ( libnetfilter_queue project ) drops a packet
the utility receives this packet again (in loop)

I faced a very strange problem when trying to use a code from:

https://git.netfilter.org/libnetfilter_queue/tree/utils/nfqnl_test.c

The problem consists in the following:

If all packets are processed as accepted (NF_ACCEPT),
the utility (nfqnl_test) works good,

But if in the utility line:

return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);

I apply NF_DROP (instead NF_ACCEPT) to some tcp packet which
contains some specific string known to me (say, hhhhh)
that packet comes back to the queue again but with different id.
And that happens in the loop: the packet drops again and comes back
again, and so on.
That is interesting that the packet comes back to the queue with frequency
that becomes slower over time.
Also, the above process seems to block other packets (the queue does
not receives other packets).

More details:
(o) To generate tcp packets communications I use simple
     tcp server (port 1100) and tcp client that can send a packet with
    specific string or a packet without specific string.
(o) To reduce queue traffic I use the following expressions:
    iptables -I OUTPUT -p tcp --dport 1100  -j NFQUEUE  --queue-bypass
 --queue-num 0
    or
    nft insert rule ip filter output ip protocol tcp  tcp dport 1100
counter queue num 0

(o) I tried the platforms: ubuntu 18.04 (kernel 4.15.0)
                           ubuntu 19.04 (kernel 5.0.0)
                           ubuntu 12.04 (kernel 3.2.0)
                           oracle 7.5

All above platforms shows the same behavior with nfqnl_test.
After three weeks of debugging I really need your help.
Thanks.
Valeri

Re: if nfqnl_test utility (libnetfilter_queue) drops a packet the utility receives the packet again

[Florian Westphal]

Valeri Sytnik <valeri.sytnik@gmail.com> wrote:
> I apply NF_DROP (instead NF_ACCEPT) to some tcp packet which
> contains some specific string known to me (say, hhhhh)
> that packet comes back to the queue again but with different id.

Yes, TCP retransmits data that is not received by the peer.

Re: if nfqnl_test utility (libnetfilter_queue) drops a packet the utility receives the packet again

[Valeri Sytnik]

Florian, thanks a lot.
I see that a selected tcp packet can not be dropped at all.
If a selected tcp packet is dropped that blocks passing
of next tcp packets via this tcp connection.
Is there way to bypass that?
Thanks a lot.


On 6/28/19, Florian Westphal <fw@strlen.de> wrote:
> Valeri Sytnik <valeri.sytnik@gmail.com> wrote:
>> I apply NF_DROP (instead NF_ACCEPT) to some tcp packet which
>> contains some specific string known to me (say, hhhhh)
>> that packet comes back to the queue again but with different id.
>
> Yes, TCP retransmits data that is not received by the peer.
>