#17690: Iptables conntrack bug -- no match for --ctstate RELATED,ESTABLISHED rule
---------------------------------+-----------------------------------
Reporter: morfik | Owner: developers
Type: defect | Status: new
Priority: high | Milestone:
Component: base system | Version: Barrier Breaker 14.07
Keywords: iptables, conntrack |
---------------------------------+-----------------------------------
The problem concerns:
BARRIER BREAKER (14.07-rc3, r42056)
CHAOS CALMER (Bleeding Edge, r42273)
at least these two were tested.
This is my router: TP-Link TL-WR1043N/ND v2
When I log in via ssh and check the output of the following command:
{{{
iptables -nvL -t filter | grep -i established
}}}
I should get three lines showing me the packet counter of the
established,related rule in each main chain -- FORWARD, INPUT, OUTPUT. But
unfortunately the counters show 0, which is weird, because communication
should stop without hitting these rules.
Let's focus just on the FORWARD chain. I deleted the one default rule via:
{{{
iptables -D FORWARD 1
}}}
and, as expected, packet forwarding doesn't work anymore. So I added the
following two rules:
{{{
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i br-lan -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
}}}
Forwarding works. I downloaded an 8MiB file to see if both rules work, but:
{{{
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   10   600 ACCEPT     all  --  br-lan *       192.168.1.0/24       0.0.0.0/0            ctstate NEW
}}}
There's no match for the first rule. As you can see, there are some packets
in the rule that matches state NEW, but only a few, and 600 bytes != 8MiB.
The next thing I wanted to check was removing the first rule (maybe it's
just a visual bug) and seeing what happens -- forwarding of packets works
without a problem. That's ... nice. :)
What rule do the packets hit? There's only one in the FORWARD chain, and
most of the packets don't increase that counter. Besides, it matches ctstate
NEW only. As you can see, the counter of the FORWARD chain itself also shows
0, but the packets go through despite the default policy of the FORWARD
chain, which is DROP.
How do the packets go through the filter, and how's that even possible?
--
Ticket URL: <https://dev.openwrt.org/ticket/17690>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets
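An added diagnostic, not part of the ticket or of OpenWrt itself: a POSIX shell script that parses an `iptables -nvxL` chain dump, lists the rules whose packet counter never moved, and checks whether the chain's rule and policy counters together account for a known transfer (the reporter's 8 MiB download). The sample dump is constructed from the numbers quoted in the ticket; `-x` is assumed so that byte counts are exact integers rather than abbreviated.

```shell
#!/bin/sh
# Added example (not from the ticket): audit iptables chain counters.
# Run the real thing with:  iptables -t filter -nvxL | counters_cover FORWARD 8388608

# Constructed sample, built from the counters quoted in the ticket.
SAMPLE_DUMP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      10        600 ACCEPT     all  --  br-lan *       192.168.1.0/24       0.0.0.0/0            ctstate NEW'

# accounted_bytes CHAIN  (dump on stdin)
# Prints the policy byte counter plus the byte counter of every rule in CHAIN.
accounted_bytes() {
  awk -v chain="$1" '
    # "Chain NAME (policy DROP <pkts> packets, <bytes> bytes)": bytes is field 7;
    # user-defined chains have no policy counter and contribute 0 here.
    $1 == "Chain" { inchain = ($2 == chain); if (inchain) total += $7; next }
    # Rule lines start with the packet counter; field 2 is the byte counter.
    inchain && $1 ~ /^[0-9]+$/ { total += $2 }
    END { printf "%d\n", total }'
}

# zero_hit_rules CHAIN  (dump on stdin)
# Prints the match text (fields after "destination") of every rule in CHAIN
# whose packet counter is 0, e.g. "ctstate RELATED,ESTABLISHED".
zero_hit_rules() {
  awk -v chain="$1" '
    $1 == "Chain" { inchain = ($2 == chain); next }
    inchain && $1 == "0" {
      s = ""; for (i = 10; i <= NF; i++) s = s (i > 10 ? " " : "") $i; print s }'
}

# counters_cover CHAIN EXPECTED_BYTES  (dump on stdin)
# Exit 0 if the chain's counters account for at least EXPECTED_BYTES, else 1.
# In the ticket 8 MiB was forwarded but only 600 bytes were counted, so this fails.
counters_cover() {
  seen=$(accounted_bytes "$1")
  [ "$seen" -ge "$2" ]
}

# Stand-alone demonstration against the constructed sample.
echo "rules in FORWARD that never matched:"
printf '%s\n' "$SAMPLE_DUMP" | zero_hit_rules FORWARD
if printf '%s\n' "$SAMPLE_DUMP" | counters_cover FORWARD 8388608; then
  echo "FORWARD counters are consistent with an 8 MiB transfer"
else
  echo "FORWARD counters do not account for an 8 MiB transfer"
fi
```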