Why SYN-ACK packets are dropped as INVALID?

From: Spenst, Aleksej
Date: 2015-03-26 8:41 UTC
To: netfilter

Hi All,

I’m sending TCP SYN packets to the server. The problem is that the SYN-ACK packets coming from the server in response are sometimes dropped by my firewall (iptables) as INVALID. I can’t figure out why the firewall sees these packets as invalid. They seem to be OK. What parameters are taken into account by the firewall when making a decision about the invalidity of a packet?

Example from tcpdump:

19:29:22.045106 <my IP> <Server IP> TCP 60710→8080 [SYN] Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0 WS=16
19:29:22.817859 <Server IP> <my IP> TCP 8080→60710 [SYN, ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1

The ACK sequence number (Ack=2646194937) is OK, but I see in my iptables logs that this SYN-ACK packet is marked as INVALID and dropped. When the SYN-ACK packet comes, the TCP session is in the state SYN_SENT, so the states are also OK. Why is this packet invalid then?

Thank you!
Aleksej.
Re: Why SYN-ACK packets are dropped as INVALID?

From: Neal Murphy
Date: 2015-03-26 12:53 UTC
To: netfilter

On Thursday, March 26, 2015 04:41:21 AM Spenst, Aleksej wrote:
> Hi All,
>
> I’m sending TCP SYN packets to the server. The problem is that the SYN-ACK packets coming from the server in response are sometimes dropped by my firewall (iptables) as INVALID. I can’t figure out why the firewall sees these packets as invalid. They seem to be OK. What parameters are taken into account by the firewall when making a decision about the invalidity of a packet?
>
> Example from tcpdump:
>
> 19:29:22.045106 <my IP> <Server IP> TCP 60710→8080 [SYN] Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0 WS=16
> 19:29:22.817859 <Server IP> <my IP> TCP 8080→60710 [SYN, ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1
>
> The ACK sequence number (Ack=2646194937) is OK, but I see in my iptables logs that this SYN-ACK packet is marked as INVALID and dropped. When the SYN-ACK packet comes, the TCP session is in the state SYN_SENT, so the states are also OK. Why is this packet invalid then?

Does the ACK tell the peer the sequence # of the *next* packet the host expects to receive? Or does it acknowledge the *last* packet it received? If the latter, then the SYN-ACK as sent is invalid, as it acknowledges a packet that hasn't been sent yet.
AW: Why SYN-ACK packets are dropped as INVALID?

From: Spenst, Aleksej
Date: 2015-03-26 13:25 UTC
To: neal.p.murphy, netfilter

Hi Neal,

Is this configurable? I thought the ACK number is always 1 greater than the sequence number of the SYN packet. So, in my case the ACK shows the sequence number of the next packet the host expects to receive. I see this in tcpdump logs when everything works fine (the described problem happens only sometimes). Can it be that my system sometimes suddenly expects that the ACK shows the last packet the host received (instead of the next)?

Thank you,
Aleksej.

-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Neal Murphy
Sent: Thursday, 26 March 2015 13:53
To: netfilter@vger.kernel.org
Subject: Re: Why SYN-ACK packets are dropped as INVALID?

Does the ACK tell the peer the sequence # of the *next* packet the host expects to receive? Or does it acknowledge the *last* packet it received? If the latter, then the SYN-ACK as sent is invalid, as it acknowledges a packet that hasn't been sent yet.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
RE: Why SYN-ACK packets are dropped as INVALID?

From: Joel Gerber
Date: 2015-03-26 13:27 UTC
To: Spenst, Aleksej, neal.p.murphy; +Cc: netfilter

The ACK number reflects the bytes that you have processed from the remote end. When you have a TCP "signaling" datagram, which contains no actual user data, you will always add 1 to the sequence number of the received packet when performing an ACK.

Joel Gerber
Network Operations Specialist - Telephone
Eastlink
Joel.Gerber@corp.eastlink.ca
T: 519.786.1241

-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Spenst, Aleksej
Sent: March-26-15 9:25 AM
To: neal.p.murphy@alum.wpi.edu; netfilter@vger.kernel.org
Subject: AW: Why SYN-ACK packets are dropped as INVALID?

Hi Neal,

Is this configurable? I thought the ACK number is always 1 greater than the sequence number of the SYN packet. So, in my case the ACK shows the sequence number of the next packet the host expects to receive. I see this in tcpdump logs when everything works fine (the described problem happens only sometimes). Can it be that my system sometimes suddenly expects that the ACK shows the last packet the host received (instead of the next)?

Thank you,
Aleksej.
AW: Why SYN-ACK packets are dropped as INVALID?

From: Spenst, Aleksej
Date: 2015-03-26 16:14 UTC
To: netfilter, Joel Gerber, neal.p.murphy

Thank you. So, the ACK number is correct. Why is the packet invalid then?

-----Original Message-----
From: Joel Gerber [mailto:Joel.Gerber@corp.eastlink.ca]
Sent: Thursday, 26 March 2015 14:28
To: Spenst, Aleksej; neal.p.murphy@alum.wpi.edu
Cc: netfilter@vger.kernel.org
Subject: RE: Why SYN-ACK packets are dropped as INVALID?

The ACK number reflects the bytes that you have processed from the remote end. When you have a TCP "signaling" datagram, which contains no actual user data, you will always add 1 to the sequence number of the received packet when performing an ACK.
RE: Why SYN-ACK packets are dropped as INVALID?

From: Joel Gerber
Date: 2015-03-26 19:09 UTC
To: Spenst, Aleksej; +Cc: netfilter

I would probably have to see a packet capture (tcpdump/tshark/dumpcap) starting from the initial SYN to the "invalid" segment to give much more help.

Joel Gerber
Network Operations Specialist - Telephone
Eastlink
Joel.Gerber@corp.eastlink.ca
T: 519.786.1241

-----Original Message-----
From: Spenst, Aleksej [mailto:Aleksej.Spenst@harman.com]
Sent: March-26-15 12:15 PM
To: netfilter@vger.kernel.org; Joel Gerber; neal.p.murphy@alum.wpi.edu
Subject: AW: Why SYN-ACK packets are dropped as INVALID?

Thank you. So, the ACK number is correct. Why is the packet invalid then?
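The ACK arithmetic Joel describes (a SYN carries no data but still consumes one sequence number, so the SYN-ACK must carry Ack = client ISN + 1) and Neal's test (an Ack that points past what the peer has sent cannot be valid) can both be checked mechanically over the kind of capture Joel asks for. The script below is an added example, not code from this thread or from the netfilter project. It parses capture lines in the tshark style quoted in the thread, tracks each endpoint's next expected sequence number per flow, and reports segments whose Ack fails either test. The first two sample lines are the segments Aleksej posted; the remaining lines, the `<my IP>`/`<Server IP>` placeholder addresses and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample capture in the tshark style quoted in the thread. The first
# two lines are the segments Aleksej posted; the remaining lines are constructed
# for this example (placeholder <my IP>/<Server IP> addresses kept as written):
# the client's final handshake ACK, then a second handshake whose SYN-ACK
# acknowledges the client's ISN itself instead of ISN+1.
SAMPLE_LINES = [
    "19:29:22.045106 <my IP> <Server IP> TCP 60710→8080 [SYN] Seq=2646194936 "
    "Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0 WS=16",
    "19:29:22.817859 <Server IP> <my IP> TCP 8080→60710 [SYN, ACK] Seq=3920856233 "
    "Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1",
    "19:29:22.818201 <my IP> <Server IP> TCP 60710→8080 [ACK] Seq=2646194937 "
    "Ack=3920856234 Win=14608 Len=0",
    "19:30:01.000000 <my IP> <Server IP> TCP 60711→8080 [SYN] Seq=1000 Win=14600 Len=0",
    "19:30:01.400000 <Server IP> <my IP> TCP 8080→60711 [SYN, ACK] Seq=5000 Ack=1000 "
    "Win=65535 Len=0",
]

SEGMENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src><[^>]+>|\S+)\s+"            # address, or a <placeholder> containing spaces
    r"(?P<dst><[^>]+>|\S+)\s+TCP\s+"
    r"(?P<sport>\d+)→(?P<dport>\d+)\s+"   # "60710→8080" as tshark prints it
    r"\[(?P<flags>[^\]]+)\]\s*"           # "[SYN, ACK]"
    r"(?P<rest>.*)$"                      # "Seq=... Ack=... Win=... Len=... ..."
)
FIELD_RE = re.compile(r"(\w+)=(\d+)")

Endpoint = Tuple[str, int]  # (address, port)


@dataclass(frozen=True)
class Segment:
    ts: str
    src: Endpoint
    dst: Endpoint
    flags: frozenset
    seq: int
    ack: Optional[int]
    length: int

    @property
    def consumed(self) -> int:
        """Sequence numbers this segment uses up: payload bytes plus one each for SYN and FIN."""
        return self.length + ("SYN" in self.flags) + ("FIN" in self.flags)


def parse_segment(line: str) -> Segment:
    """Parse one tshark-style summary line into a Segment."""
    m = SEGMENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised capture line: {line!r}")
    fields = {k: int(v) for k, v in FIELD_RE.findall(m.group("rest"))}
    flags = frozenset(f.strip() for f in m.group("flags").split(","))
    return Segment(
        ts=m.group("ts"),
        src=(m.group("src"), int(m.group("sport"))),
        dst=(m.group("dst"), int(m.group("dport"))),
        flags=flags,
        seq=fields["Seq"],
        ack=fields.get("Ack"),
        length=fields.get("Len", 0),
    )


def check_handshakes(lines: List[str]) -> List[str]:
    """Walk the capture in order and report segments whose Ack cannot be right."""
    # next sequence number each endpoint will send, i.e. what its peer must Ack
    next_seq: Dict[Endpoint, int] = {}
    findings: List[str] = []
    for n, line in enumerate(lines, start=1):
        seg = parse_segment(line)
        peer_next = next_seq.get(seg.dst)
        if "SYN" in seg.flags and "ACK" in seg.flags:
            # Joel's rule: the SYN-ACK must acknowledge the client's ISN + 1
            if peer_next is None:
                findings.append(f"line {n}: SYN-ACK with no preceding SYN from {seg.dst}")
            elif seg.ack != peer_next:
                findings.append(f"line {n}: SYN-ACK Ack={seg.ack} but the SYN's ISN+1 is {peer_next}")
        elif "ACK" in seg.flags and seg.ack is not None and peer_next is not None and seg.ack > peer_next:
            # Neal's test: an Ack beyond what the peer has sent acknowledges data that does not exist
            findings.append(f"line {n}: Ack={seg.ack} is past the peer's next sequence number {peer_next}")
        # advance the sender's counter; a SYN or FIN consumes one number even with Len=0
        next_seq[seg.src] = max(next_seq.get(seg.src, 0), seg.seq + seg.consumed)
    return findings


if __name__ == "__main__":
    for finding in check_handshakes(SAMPLE_LINES) or ["no Ack problems found"]:
        print(finding)
```

Run against the sample, the script accepts Aleksej's two segments (Ack=2646194937 is exactly ISN+1) and flags only the constructed second handshake. This checks just the sequence arithmetic the thread discusses; on Linux, conntrack's INVALID verdict for TCP also depends on its window tracking, and `sysctl net.netfilter.nf_conntrack_log_invalid=6` makes the kernel log which check a TCP packet failed, which is worth enabling before reading a capture by hand.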