* Brian May <[EMAIL PROTECTED]>: 
> Package: shorewall
> Version: 2.0.7-1
> Severity: important
> 
> Hello,
> 
> We route outgoing packets for several satellite connections.
> 
> After a big set of upgrades (including kernel version) today, these
> asymmetric connections stopped working.
> 
> I found the culprit:
> 
> Chain FORWARD (policy DROP 62 packets, 3392 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 45  2557 DROP      !icmp --  *      *       0.0.0.0/0 0.0.0.0/0 state INVALID
> [...]
> 
> This rule is the very first one listed for FORWARD, and the second one
> for INPUT and OUTPUT (the first one is lo specific).
> 
> On one hand I suspect this used to work, and with recent kernel
> versions (2.6.9+) the meaning of INVALID has become more strict.
> 
> On the other hand, I haven't set dropunclean for any of the interfaces,
> and checking the value this early would seem to render LOGUNCLEAN
> invalid, as any unclean packets have already been dropped before it
> gets this far.
> 
> I have already changed the newnotsyn file/rule to cope with my
> asymmetric routing needs, but this isn't used until after the packets
> are already dropped.

Hello,

I got in touch with the upstream author. A solution is proposed in the new
upstream release. Quoting from the changelog:

    Recent 2.6 kernels include code that evaluates TCP packets based on
    TCP Window analysis. This can cause packets that were previously
    classified as NEW or ESTABLISHED to be classified as INVALID.

    The new kernel code can be disabled by including this command in
    your /etc/shorewall/init file:

    echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

    Additional kernel logging about INVALID TCP packets may be
    obtained by adding this command to /etc/shorewall/init:

    echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

    Traditionally, Shorewall has dropped INVALID TCP packets early. The
    new DROPINVALID option allows INVALID packets to be passed through
    the normal rules chains by setting DROPINVALID=No.

    If not specified or if specified as empty (e.g., DROPINVALID="")
    then DROPINVALID=Yes is assumed.

The new package will be ready soon.

-- lorenzo
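
The fix quoted in the changelog above is a single echo into a /proc knob, but the path of that knob changed when the 2.6 ip_conntrack module was replaced by nf_conntrack (the same setting is now /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal). The script below is an added example for this thread; it is not from the original mail, the Shorewall package or its changelog. It probes both locations, writes the requested value, and fails loudly when neither exists (typically because conntrack is not loaded yet). PROC_ROOT is a hypothetical override, defaulting to /proc, so the functions can be exercised against a scratch directory instead of a live kernel. One detail the changelog glosses over: log_invalid takes an IP protocol number, so 6 logs INVALID TCP packets, 255 logs every protocol, and 1 selects ICMP.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): relax conntrack TCP window
# tracking for asymmetrically routed flows and optionally log INVALID packets.
#
# The knobs live in different places depending on kernel vintage:
#   ip_conntrack (2.6.x):   /proc/sys/net/ipv4/netfilter/ip_conntrack_<name>
#   nf_conntrack (2.6.20+): /proc/sys/net/netfilter/nf_conntrack_<name>
# so every accessor probes both. PROC_ROOT is a hypothetical override used
# only so the functions can be tested against a scratch directory.

PROC_ROOT="${PROC_ROOT:-/proc}"

# conntrack_knob_path NAME
# Prints the first existing path for knob NAME; returns 1 if the running
# kernel exposes neither the nf_conntrack nor the ip_conntrack variant.
conntrack_knob_path() {
    name="$1"
    for p in "$PROC_ROOT/sys/net/netfilter/nf_conntrack_$name" \
             "$PROC_ROOT/sys/net/ipv4/netfilter/ip_conntrack_$name"; do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# set_conntrack_knob NAME VALUE
# Writes VALUE to the knob; returns non-zero if it is absent or unwritable.
set_conntrack_knob() {
    p=$(conntrack_knob_path "$1") || return 1
    printf '%s\n' "$2" > "$p"
}

# get_conntrack_knob NAME
# Prints the knob's current value; returns 1 if the knob is absent.
get_conntrack_knob() {
    p=$(conntrack_knob_path "$1") || return 1
    cat "$p"
}

# enable_liberal_tracking [LOG_PROTO]
# Sets tcp_be_liberal=1 so out-of-window segments are no longer marked
# INVALID (only out-of-window RSTs still are). If LOG_PROTO is given, also
# sets log_invalid to that IP protocol number: 6 = TCP, 255 = all protocols.
enable_liberal_tracking() {
    set_conntrack_knob tcp_be_liberal 1 || {
        echo "conntrack tcp_be_liberal knob not found; is conntrack loaded?" >&2
        return 1
    }
    if [ -n "${1:-}" ]; then
        set_conntrack_knob log_invalid "$1" || return 1
    fi
}

# Typical use from /etc/shorewall/init on the firewall (needs root):
#   . /path/to/this/script
#   enable_liberal_tracking 6
```

Caveat for anyone reaching for this: with tcp_be_liberal=1 conntrack only flags out-of-window RST segments as INVALID, so window tracking no longer discards an injected segment that carries a valid 4-tuple but a bogus sequence number; DROPINVALID=No similarly lets INVALID packets reach the ordinary rules chains. Turn on log_invalid first to confirm the drops really are out-of-window packets from the asymmetric path, and keep the relaxation confined to the firewall that has to see only one direction of the flow.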
