Re: [OpenWrt-Devel] 090-backport_netfilter_rtcache.patch and IPsec routing/connection errors/packet loss
On 23-12-14 22:59, Stijn Tintel wrote:
> On 23-12-14 20:11, Andre Valentin wrote:
>> Hi!
>> I just recompiled the module and loaded it on the router. But it seems that this does not fix the error. 5 minutes later I got several alerts (ping checks). The workaround below seems to work for me. How did you apply this patch to the OpenWrt code?

After updating the other end of the IPsec tunnel, it turns out that the workaround doesn't entirely fix the problem.

box1 --- owrt1 ======== owrt2 --- box2
               strongSwan IPsec (tunnel mode)

Initially I only had the nf_conntrack_rtcache module on owrt2. That caused problems like snmpwalk from box1 to box2 hanging after a single line of output. With the workaround applied, I no longer saw the problem. I could snmpwalk, ping and SSH from box1 to box2 fine.

When I later updated owrt1 to also have the nf_conntrack_rtcache module (+workaround), the problems were back. This time, snmpwalk from box1 to box2 hangs after two lines of output.

Kind regards,
Stijn

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] 090-backport_netfilter_rtcache.patch and IPsec routing/connection errors/packet loss
On 23-12-14 20:11, Andre Valentin wrote:
> Hi!
> I just recompiled the module and loaded it on the router. But it seems that this does not fix the error. 5 minutes later I got several alerts (ping checks). The workaround below seems to work for me. How did you apply this patch to the OpenWrt code?

Untested workaround. I'll look into this in more detail over the holidays.

netfilter: rtcache: don't cache dst for skb with active transformer

diff --git a/net/netfilter/nf_conntrack_rtcache.c b/net/netfilter/nf_conntrack_rtcache.c --- a/net/netfilter/nf_conntrack_rtcache.c +++ b/net/netfilter/nf_conntrack_rtcache.c @@ -19,6 +19,7 @@ #include linux/module.h #include net/dst.h +#include net/xfrm.h #include net/netfilter/nf_conntrack.h #include net/netfilter/nf_conntrack_core.h @@ -191,6 +192,9 @@ static unsigned int nf_rtcache_forward(const struct nf_hook_ops *ops, struct nf_conn *ct; int iif; + if (secpath_exists(skb)) + return NF_ACCEPT; + ct = nf_ct_get(skb, ctinfo); if (!ct) return NF_ACCEPT;

Kind regards,
Stijn
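Review bot: the `secpath_exists(skb)` check added at the top of nf_rtcache_forward() (second hunk) only skips packets that arrived through an xfrm transform, because the secpath is attached on input when a packet is decapsulated; it leaves the outbound direction uncovered. A cleartext packet being forwarded towards the tunnel has no secpath at the FORWARD hook, yet ip_forward() has already run the xfrm policy lookup (xfrm4_route_forward) before that hook, so the packet's dst is the xfrm bundle, and with this patch that dst would still be cached on the conntrack and handed to the later packets of the connection. That fits the reported symptom (packets accepted but not encrypted, only the first one getting through) and the follow-up in this thread that the workaround stopped holding once both routers carried the module. Suggest also testing the dst itself, e.g. `if (secpath_exists(skb) || dst_xfrm(skb_dst(skb))) return NF_ACCEPT;` (`dst_xfrm()` lives in net/dst.h, which the file already includes, and evaluates to NULL when CONFIG_XFRM is off), and a line in the commit message stating which direction each of the two checks covers.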
Re: [OpenWrt-Devel] 090-backport_netfilter_rtcache.patch and IPsec routing/connection errors/packet loss
On 20-12-14 00:04, Andre Valentin wrote:
> Hi!
> If I enable this patch/module, I get strange errors with my OpenWRT based IPsec router. Packets are accepted and then lost, and not encrypted. Only the first comes through, especially if stateless protocols (udp, icmp) are used.

I noticed this as well, both with 3.14 kernel + backported patch, and with 3.18 kernel + patch. Reporting it to netfilter-devel and netdev lists is still on my todo list. Feel free to beat me to it.

Kind regards,
Stijn
[OpenWrt-Devel] 090-backport_netfilter_rtcache.patch and IPsec routing/connection errors/packet loss
Hi!

If I enable this patch/module, I get strange errors with my OpenWRT based IPsec router. Packets are accepted and then lost, and not encrypted. Only the first comes through, especially if stateless protocols (udp, icmp) are used. This system used multiple routing tables and rules generated by myself, strongswan and netifd. If interested I can provide a testing ground and help in debugging.

Simply unloading the module nf_conntrack_rtcache.ko helped immediately and the packet loss disappeared.

With kind regards,
André

--
André Valentin
System administrator
MarcanT GmbH, Ravensberger Str. 10 G, D - 33602 Bielefeld
Phone: +49 (521) 95945-0 | Fax: +49 (521) 95945-18
URL: http://www.marcant.net | http://www.global-m2m.com
Internet * Networks * Mobile Data
Citrix Silver Solution Advisor
Managing director: Thorsten Hojas
Commercial register: AG Bielefeld, HRB 35827
VAT ID no.: DE 190203238
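The report above ends with the observation that unloading nf_conntrack_rtcache.ko makes the loss go away, and the symptom throughout the thread is forwarded packets that are accepted but never encrypted. The script below is an added diagnostic for exactly that, not code from the thread, the rtcache patch, strongSwan or OpenWrt: it reads the packet counters of the outbound ESP SAs from `ip -s xfrm state` before and after a window in which a host behind the router sends a known number of packets through the tunnel, so a counter that grows by less than the number of packets sent shows forwarded traffic leaving in the clear. Assumed: iproute2 `ip` with xfrm support (the ip-full package on OpenWrt), run as root on the IPsec router, ESP in tunnel mode as in the reports; the sample `ip -s xfrm state` output embedded in the script is constructed so the parser can be exercised without a live tunnel.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread (forwarded packets accepted but
# never encrypted). Not part of the rtcache patch, strongSwan or OpenWrt.
# Assumptions: iproute2 "ip" with xfrm support (package ip-full on OpenWrt),
# run as root on the IPsec router, ESP SAs in tunnel mode as in the reports.

# Parse "ip -s xfrm state" output on stdin into one line per SA:
#   <src> <dst> <spi> <packets>
# The packet counter is the "(packets)" value on the line after "lifetime current:".
sa_packets() {
    awk '
        /^src / { src = $2; dst = $4 }
        /proto / { for (i = 1; i <= NF; i++) if ($i == "spi") spi = $(i + 1) }
        /lifetime current:/ {
            getline                  # "  <bytes>(bytes), <packets>(packets)"
            pk = $2
            sub(/\(packets\)/, "", pk)
            print src, dst, spi, pk
        }
    '
}

# Sum the counters of the SAs whose source is the local tunnel endpoint, i.e.
# the outbound ESP SAs.  $1 = local endpoint address, stdin = ip -s xfrm state.
esp_out_count() {
    sa_packets | awk -v me="$1" '$1 == me { s += $4 } END { print s + 0 }'
}

# Live measurement: number of ESP packets the router emitted during a window.
# Generate the test traffic from a host behind the router ("ping -c 20 box2"
# on box1) while this runs; pings sent by the router itself do not traverse
# the FORWARD hook that rtcache uses.  $1 = local endpoint, $2 = window in seconds.
esp_out_delta() {
    before=$(ip -s xfrm state | esp_out_count "$1")
    sleep "$2"
    after=$(ip -s xfrm state | esp_out_count "$1")
    echo $((after - before))
}

# Constructed sample of "ip -s xfrm state" output (one SA per direction) so the
# parser can be exercised without a tunnel.  Addresses and keys are placeholders.
SAMPLE_XFRM_STATE=$(cat <<'EOF'
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x00 128
    enc cbc(aes) 0x00
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      3528(bytes), 42(packets)
      add 2014-12-23 20:11:00 use 2014-12-23 20:12:05
    stats:
      replay-window 0 replay 0 failed 0
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x4e5f6a7b reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x00 128
    enc cbc(aes) 0x00
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      3360(bytes), 40(packets)
      add 2014-12-23 20:11:00 use 2014-12-23 20:12:05
    stats:
      replay-window 0 replay 0 failed 0
EOF
)

if [ "${1:-}" = "live" ]; then
    # usage on the router: ./esp_check.sh live <local-endpoint> [seconds]
    lsmod | grep -q '^nf_conntrack_rtcache' && echo "nf_conntrack_rtcache is loaded"
    echo "ESP packets sent in ${3:-10}s: $(esp_out_delta "$2" "${3:-10}")"
else
    # no arguments: show what the parser extracts from the constructed sample
    printf '%s\n' "$SAMPLE_XFRM_STATE" | sa_packets
fi
```

Run `./esp_check.sh live 192.0.2.1 10` on the router and, during those 10 seconds, `ping -c 20 box2` from box1; a delta well below 20 while the module is loaded, and equal to 20 after `rmmod nf_conntrack_rtcache`, is the measurement behind the "accepted but not encrypted" report. Counting outbound SAs by matching the SA source to the local endpoint is what the script relies on, so pass the address strongSwan uses as the local tunnel endpoint, not a LAN address.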