lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20210902162612.GA23554@breakpoint.cc>
Date:   Thu, 2 Sep 2021 18:26:12 +0200
From:   Florian Westphal <fw@...len.de>
To:     folkert <folkert@...heusden.com>
Cc:     netdev@...r.kernel.org
Subject: Re: masquerading AFTER first packet

folkert <folkert@...heusden.com> wrote:
> Hi,
> 
> I'm seeing something strange. I'm doing an snmpwalk on an snmp server of
> mine (behing DNAT) , and after the first response it goes into a timeout.
> I did a tcpdump and saw this:
> 
> 1630528031.843264 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(23)  .1.3.6.1
> 1630528031.843924 IP 37.34.63.177.161 > 185.243.112.54.38377: GetResponse(34)  .1.3.6.1.2=0   <-- ok
> 1630528031.846950 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(24)  .1.3.6.1.2
> 1630528031.847415 IP 192.168.4.2.161 > 185.243.112.54.38377: GetResponse(35)  .1.3.6.1.2.1=0  <-- fail
> 1630528032.847649 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(24)  .1.3.6.1.2
> 1630528032.848081 IP 192.168.4.2.161 > 185.243.112.54.38377: GetResponse(35)  .1.3.6.1.2.1=0  <-- fail

Looks like a kernel bug, but you did not include kernel version.

Please also show 'ethtool -k' for in and out interfaces.

You might want to try and disable udp releated offload settings to see
if that helps.

e.g.
c3df39ac9b0e3747bf8233ea9ce4ed5ceb3199d3,
"udp: ipv4: manipulate network header of NATed UDP GRO fraglist"
which fixed a bug where only first packet of GRO'd udp train would
have nat applied, (was broken between 5.6 and 5.11)

Other explanation is that conntrack thinks only first packet is valid,
you can check this for example via

sysctl net.netfilter.nf_conntrack_acct=1

and then checking if 'conntrack -L' shows increasing packet/byte
counters or is stuck at '1'.

If the remaining packets are indeed invalid, try setting
sysctl net.netfilter.nf_conntrack_log_invalid=17

(17 == udp).

and see if that shows something relevant.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ