[OpenWrt-Devel] [RFC] firewall: NAT masquerading race condition
dedeckeh at gmail.com
Thu Feb 12 05:53:31 EST 2015
I noticed the selective conntrack flushing in fw3; looking into the
code it only gets active when there's a difference between the cached
IP in the __addr list and the current IP addresses in use.
In this case the selective conntrack flushing is done for the old_addr.
In the error case nf_conntrack displays the following entry:
ipv4 2 icmp 1 9 src=192.168.1.10 dst=184.108.40.206 type=8
code=0 id=8323 packets=6 bytes=504 [UNREPLIED] src=220.127.116.11
dst=192.168.1.10 type=0 code=0 id2
Looking into the netfilter_conntrack_flush patch, only the connections
which match the passed address will be flushed; as fw3 is passing an
old cached address when there's a difference, the above printed ICMP
connection will not be flushed as there's no match, or is my assumption
On Wed, Feb 11, 2015 at 8:30 PM, Jo-Philipp Wich <jow at openwrt.org> wrote:
> theoretically the selective conntrack flushing of fw3 should take care
> of that. Can you investigate why it is not the case for you?
> ~ Jow
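To make the reasoning in the message concrete, here is an added example (not fw3 code and not the author's): a small parser over constructed nf_conntrack lines that shows which entries a flush keyed on the old WAN address would hit, and which unreplied entries were created before any masquerade mapping existed. The WAN address 198.51.100.20 and the TCP flow are assumed for the illustration.

```python
import re

# Constructed /proc/net/nf_conntrack sample (not from a live router). The first
# line is modelled on the unreplied ICMP entry quoted in the mail; the second is
# an invented masqueraded TCP flow. 198.51.100.20 plays the (old) WAN address.
SAMPLE_CONNTRACK = """\
ipv4 2 icmp 1 9 src=192.168.1.10 dst=184.108.40.206 type=8 code=0 id=8323 packets=6 bytes=504 [UNREPLIED] src=184.108.40.206 dst=192.168.1.10 type=0 code=0 id=8323
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40000 dport=443 src=203.0.113.5 dst=198.51.100.20 sport=443 dport=40000 [ASSURED]
"""

KV = re.compile(r"(src|dst)=(\S+)")

def parse_entry(line):
    """Return (proto, original_tuple, reply_tuple); tuples are {'src':..,'dst':..}."""
    fields = line.split()
    proto = fields[2]
    pairs = KV.findall(line)          # src/dst appear twice: original, then reply
    if len(pairs) != 4:
        raise ValueError("unexpected conntrack line: " + line)
    orig = dict(pairs[:2])
    reply = dict(pairs[2:])
    return proto, orig, reply

def entries_matching(text, addr):
    """Entries a selective flush keyed on `addr` would hit: addr in any tuple."""
    hits = []
    for line in text.splitlines():
        proto, orig, reply = parse_entry(line)
        if addr in (orig["src"], orig["dst"], reply["src"], reply["dst"]):
            hits.append(proto)
    return hits

def unmasqueraded_entries(text, lan_prefix):
    """Entries whose reply tuple still targets the LAN host directly, i.e. the
    entry was created before the masquerade rule existed, so NAT never applied.
    Neither tuple carries a WAN address, so an address-keyed flush skips them."""
    hits = []
    for line in text.splitlines():
        proto, orig, reply = parse_entry(line)
        if orig["src"].startswith(lan_prefix) and reply["dst"] == orig["src"]:
            hits.append(proto)
    return hits

if __name__ == "__main__":
    print(entries_matching(SAMPLE_CONNTRACK, "198.51.100.20"))   # ['tcp']
    print(unmasqueraded_entries(SAMPLE_CONNTRACK, "192.168.1."))  # ['icmp']
```

The second function is the check a defender would run after a WAN address change: any LAN-originated entry whose reply tuple is not rewritten is traffic that keeps bypassing masquerading until that entry is flushed.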