[OpenWrt-Devel] [RFC] firewall: NAT masquerading race condition

Hans Dedecker dedeckeh at gmail.com
Thu Feb 12 05:53:31 EST 2015


Hi,

I noticed the selective conntrack flushing in fw3; looking into the
code, it only gets active when there's a difference between the cached
IP in the __addr list and the current IP addresses in use.
In this case the selective conntrack flushing is done for the old_addr.
In the error case nf_conntrack displays the following entry:
ipv4     2 icmp     1 9 src=192.168.1.10 dst=192.30.252.131 type=8 code=0 id=8323 packets=6 bytes=504 [UNREPLIED] src=192.30.252.131 dst=192.168.1.10 type=0 code=0 id2

Looking into the netfilter_conntrack_flush patch, only the connections
which match the passed address will be flushed; as fw3 is passing an
old cached address when there's a difference, the above printed ICMP
connection will not be flushed as there's no match, or is my assumption
wrong?

Thx,
Hans

On Wed, Feb 11, 2015 at 8:30 PM, Jo-Philipp Wich <jow at openwrt.org> wrote:
> Hi,
>
> theoretically the selective conntrack flushing of fw3 should take care
> of that. Can you investigate why it is not the case for you?
>
> ~ Jow
>
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
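The situation Hans describes, reduced to a runnable illustration. This is an added example, not fw3, netfilter or netfilter_conntrack_flush code: it parses /proc/net/nf_conntrack-style lines and models an address-selective flush as "drop every entry in which the passed address occurs in either tuple", which is how the thread describes the patch. The sample table is constructed for the example (the ICMP entry mirrors the one in the mail, with the cut-off reply id filled in only in the sample; the WAN addresses 198.51.100.5 and 198.51.100.20 and the LAN prefix are assumptions), and the second predicate, which looks for LAN-originated flows whose reply tuple is not translated to the current WAN address, is a hypothetical check, not something fw3 does.

```python
"""Model of address-selective conntrack flushing versus the un-NATed entry.

Added example (not fw3/netfilter code).  Constructed sample data and
assumed addresses are marked below.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed for the example: old and current WAN addresses and the LAN prefix.
OLD_WAN = "198.51.100.5"
CURRENT_WAN = "198.51.100.20"
LAN = "192.168.1.0/24"

# Constructed sample table.  First line mirrors the mail's ICMP entry
# (reply id filled in here only); second is a flow masqueraded to the
# current WAN address; third was masqueraded to the old WAN address.
SAMPLE_CONNTRACK = """\
ipv4     2 icmp     1 9 src=192.168.1.10 dst=192.30.252.131 type=8 code=0 id=8323 packets=6 bytes=504 [UNREPLIED] src=192.30.252.131 dst=192.168.1.10 type=0 code=0 id=8323
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=192.30.252.131 sport=40000 dport=443 packets=10 bytes=1200 src=192.30.252.131 dst=198.51.100.20 sport=443 dport=40000 packets=8 bytes=900 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 120 SYN_SENT src=192.168.1.10 dst=192.30.252.131 sport=40001 dport=443 packets=1 bytes=60 [UNREPLIED] src=192.30.252.131 dst=198.51.100.5 sport=443 dport=40001 packets=0 bytes=0 mark=0 zone=0 use=2
"""


@dataclass
class Entry:
    proto: str
    orig_src: str
    orig_dst: str
    reply_src: str
    reply_dst: str
    unreplied: bool
    raw: str

    def addresses(self) -> Tuple[str, str, str, str]:
        return (self.orig_src, self.orig_dst, self.reply_src, self.reply_dst)

    def masquerade_applied(self) -> bool:
        # With SNAT/MASQUERADE the reply tuple's destination is the translated
        # address, so it differs from the original source.  Equal means the
        # flow was tracked without any NAT being applied.
        return self.reply_dst != self.orig_src


def parse_entry(line: str) -> Entry:
    """Parse one nf_conntrack line: the first src=/dst= pair is the original
    tuple, the second pair is the reply tuple."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a conntrack entry: %r" % line)
    proto = fields[2]
    srcs = [f[4:] for f in fields if f.startswith("src=")]
    dsts = [f[4:] for f in fields if f.startswith("dst=")]
    if len(srcs) != 2 or len(dsts) != 2:
        raise ValueError("expected two tuples in: %r" % line)
    return Entry(proto, srcs[0], dsts[0], srcs[1], dsts[1],
                 "[UNREPLIED]" in fields, line)


def parse_table(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def flush_by_address(entries: List[Entry], addr: str) -> List[Entry]:
    """Model of the address-selective flush described in the thread: an entry
    is removed only if addr appears somewhere in its tuples.  Returns the
    entries that would be removed."""
    return [e for e in entries if addr in e.addresses()]


def not_masqueraded_to(entries: List[Entry], lan: str, wan_addr: str) -> List[Entry]:
    """Hypothetical stricter check (assumption, not fw3 behaviour): LAN-originated
    flows whose reply tuple is not translated to the current WAN address, i.e.
    either no NAT was applied at all or NAT went to a stale address."""
    net = ipaddress.ip_network(lan)
    return [e for e in entries
            if ipaddress.ip_address(e.orig_src) in net and e.reply_dst != wan_addr]


if __name__ == "__main__":
    entries = parse_table(SAMPLE_CONNTRACK)
    for e in flush_by_address(entries, OLD_WAN):
        print("flushed by old address:", e.proto, e.addresses())
    for e in not_masqueraded_to(entries, LAN, CURRENT_WAN):
        print("not masqueraded to current WAN:", e.proto, e.addresses(),
              "unreplied" if e.unreplied else "")
```

Run against the sample, only the SYN_SENT flow (reply tuple dst=198.51.100.5) is removed by the old-address flush; the ICMP entry never contains the old address, because no NAT was applied to it at all, so an address match cannot select it. The second predicate catches both the un-NATed ICMP entry and the stale SYN_SENT flow while leaving the properly masqueraded ESTABLISHED flow alone.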