[OpenWrt-Devel] 090-backport_netfilter_rtcache.patch and IPsec routing/connection errors/packet loss

Andre Valentin avalentin at marcant.net
Tue Dec 23 14:11:55 EST 2014


Hi!

I just recompiled the module and loaded it on the router. But it seems that this does not fix the error. 5 minutes later I got several alerts (ping checks).

Kind regards,

André

On 20.12.2014 00:56, Florian Westphal wrote:
> Andre Valentin <avalentin at marcant.net> wrote:
>> If I enable this patch/module, I get strange errors with my OpenWRT based IPsec router. Packets are accepted and then lost, and not encrypted. Only the first comes through, especially if stateless
>> protocolls (udp, icmp) are used.
>> This system used multiple routing tables and rules generated by myself, strongswan and netifd.
>>
>> If interested I can provide a testing ground and help in debugging.
>> Simply unload the module nf_conntrack_rtcache.ko helped immediately and the packet loss disappared.
>
> Untested workaround.
> I'll look into this in more detail over the holidays.
>
> netfilter: rtcache: don't cache dst for skb with active transformer
>
> diff --git a/net/netfilter/nf_conntrack_rtcache.c b/net/netfilter/nf_conntrack_rtcache.c
> --- a/net/netfilter/nf_conntrack_rtcache.c
> +++ b/net/netfilter/nf_conntrack_rtcache.c
> @@ -19,6 +19,7 @@
>  #include <linux/module.h>
>
>  #include <net/dst.h>
> +#include <net/xfrm.h>
>
>  #include <net/netfilter/nf_conntrack.h>
>  #include <net/netfilter/nf_conntrack_core.h>
> @@ -191,6 +192,9 @@ static unsigned int nf_rtcache_forward(const struct nf_hook_ops *ops,
>         struct nf_conn *ct;
>         int iif;
>
> +       if (secpath_exists(skb))
> +               return NF_ACCEPT;
> +
>         ct = nf_ct_get(skb, &ctinfo);
>         if (!ct)
>                 return NF_ACCEPT;
>



Mit freundlichen Grüßen
 André Valentin
Systemadministrator
--
MarcanT GmbH, Ravensberger Str. 10 G, D - 33602 Bielefeld
Fon: +49 (521) 95945-0 | Fax: +49 (521) 95945-18
URL: http://www.marcant.net | http://www.global-m2m.com

Internet * Netzwerk * Mobile Daten
Citrix Silver Solution Advisor

Geschäftsführer: Thorsten Hojas
Handelsregister: AG Bielefeld, HRB 35827 USt-ID Nr.: DE 190203238
___________________________________________________________
Ausserhalb unserer Geschäftszeiten (Montag bis Freitag von 8:30 Uhr bis
17:30 Uhr, ausgenommen gesetzliche Feiertage in NRW) stehen wir Ihnen
gemäß Ihrer jeweiligen Service-Level-Agreements unter der Ihnen
mitgeteilten Telefonnummer für Störungen und Notfälle zur Verfügung.
Sie können natürlich auch gerne jederzeit unter support at marcant.net ein
Ticket eröffnen, welches am nächsten Arbeitstag bearbeitet wird.
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list