[Bug 700771] New: dhclient (dhcp) wipes out iptables connmark in firewall when renewing the lease
https://bugzilla.novell.com/show_bug.cgi?id=700771
https://bugzilla.novell.com/show_bug.cgi?id=700771#c0

           Summary: dhclient (dhcp) wipes out iptables connmark in firewall when renewing the lease
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Final
          Platform: i586
        OS/Version: openSUSE 11.4
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: jimc@math.ucla.edu
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.8.131 Version/11.11

I upgraded my router to OpenSuSE 11.4 (kernel 2.6.37.6-0.5-desktop) with
dhcp-client-4.2.1-0.7.1.i586. I use a firewall depending on iptables connmarks:
when the initial packet of the connection is acceptable a connmark bit is set
(in the nat table for IPv4 and filter table for IPv6), and packets are tossed
(in the filter table) if they lack this mark. Starting after the upgrade I
found that no IPv4 TCP connection through the box could persist more than an
hour, tested to several sites and ports. (IPv6 not tested.)

Reproducible: Always

Steps to Reproduce:
1. Get on a net where you get DHCP addresses (using dhclient).
2. Install an iptables rule that sets a connmark on a particular IP, port, etc.
   on the initial packet of a connection. Suggestion: use the SSH port (22).
3. Make a persistent connection that triggers the connmark. Look in
   /proc/net/nf_conntrack to make sure it's there.
4. Wait for the DHCP lease to be renewed.

Actual Results:
5. Look in /proc/net/nf_conntrack -- the connmark is gone, and if (as in my
   case) it's part of your firewall, your connection is gone too.

Expected Results:
DHCP lease renewal should not wipe out the conntrack / connmark.

I caught it in the act of killing a connection: I was playing streaming audio
at the time.

Jun 17 15:44:24 jacinth dhclient: DHCPREQUEST on eth1 to 71.104.222.1 port 67
Jun 17 15:44:24 jacinth dhclient: DHCPACK from 71.104.222.1
Jun 17 15:44:28 jacinth ifup: eth1 name: ASIX Electronics SMC2209USB/ETH
Jun 17 15:44:31 jacinth dhclient: IP (71.104.222.28) unchanged, skip registration   #(from my DynDNS registration hook)
Jun 17 15:44:31 jacinth dhclient: bound to 71.104.222.28 -- renewal in 2845 seconds.

And at this exact moment the stream stopped playing.

The finger of blame points to the "ifup" step, which I didn't notice before
the upgrade. I think dhclient does the DHCP negotiation and assigns the new IP
address to the interface. Obviously, since the IP has changed, all conntracks
through that interface are useless and are tossed. Except the new IP address
is identical to the old one. Dealing with details like this is not the job of
iptables -- dhclient should be smart enough to leave the interface alone when
the negotiated address is the same before and after.

That logic is found in /sbin/dhclient-script (Copyright (C) 2010 SUSE...).
Indeed, in the BOUND|RENEW|REBIND|REBOOT case, for IPv4 but not IPv6, only if
the address has changed, it does "/sbin/ip addr add $new_ip_address..." (For
IPv6, which is off topic, it does this unconditionally; see bug 690859.) Then
it goes on to do "ifup $interface -o dhcp" unconditionally. I tried making
that step conditional on an address change, but the TCP connection was still
killed.

What I want the developers to do: help trace through the turgid logic of
dhclient-script and /sbin/ifup, identify the command that is actually causing
the conntracks to be cleared, and make it conditional on an actual change in
the IP address. An analogous change for IPv6 is probably also needed.

If I make any progress on this, I'll post the diff -- losing my connections
once an hour really puts a crimp in my style when I'm trying to work from
home.
-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
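Step 3 of the report checks /proc/net/nf_conntrack by eye. The script below is an added example, not part of the bug report or of its attachments: it compares two snapshots of that file and lists the connections that vanished or lost the firewall's connmark between them, which is the check to run across a lease renewal to confirm (or rule out) the behaviour described above. The nf_conntrack lines are constructed sample data with RFC 5737 addresses, and FW_MARK=1 is an assumed value for the mark bit the firewall sets.

```shell
#!/bin/sh
# Added example, not from the bug report: detect conntrack entries that
# disappeared or lost their connmark between two snapshots of
# /proc/net/nf_conntrack (capture each with: cat /proc/net/nf_conntrack > file).

FW_MARK=1   # assumed: the connmark value the firewall sets on accepted connections

# Reduce each nf_conntrack line to "proto src:sport->dst:dport mark", keyed on
# the original-direction tuple (the first src/dst/sport/dport group on the line).
conntrack_tuples() {
    awk '
    {
        proto = $3; mark = 0; n = 0
        src = ""; dst = ""; sport = "-"; dport = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")                  { n++; if (n == 1) src = kv[2] }
            else if (n == 1 && kv[1] == "dst")   dst = kv[2]
            else if (n == 1 && kv[1] == "sport") sport = kv[2]
            else if (n == 1 && kv[1] == "dport") dport = kv[2]
            else if (kv[1] == "mark")            mark = kv[2]
        }
        printf "%s %s:%s->%s:%s %s\n", proto, src, sport, dst, dport, mark
    }' "$1"
}

# For every connection the firewall had marked in the "before" snapshot, report
# whether it is GONE from, or UNMARKED in, the "after" snapshot.
lost_marks() {
    after_tuples=$(conntrack_tuples "$2")
    conntrack_tuples "$1" | while read -r proto tuple mark; do
        [ "$mark" = "$FW_MARK" ] || continue
        after_mark=$(printf '%s\n' "$after_tuples" | awk -v t="$tuple" '$2 == t { print $3; exit }')
        if [ -z "$after_mark" ]; then
            echo "GONE     $proto $tuple"
        elif [ "$after_mark" != "$FW_MARK" ]; then
            echo "UNMARKED $proto $tuple (mark now $after_mark)"
        fi
    done
}

# Constructed sample snapshots in the nf_conntrack text format: an SSH session
# and a port-8000 stream are marked before the renewal; afterwards the SSH
# entry is gone, the stream entry has mark 0, and an unrelated new entry appeared.
write_samples() {
    cat > "$1/before.txt" <<'EOF'
ipv4     2 tcp      6 431998 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=1 zone=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=192.0.2.11 dst=198.51.100.7 sport=40000 dport=8000 src=198.51.100.7 dst=192.0.2.11 sport=8000 dport=40000 [ASSURED] mark=1 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=5353 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=5353 mark=0 zone=0 use=2
EOF
    cat > "$1/after.txt" <<'EOF'
ipv4     2 tcp      6 431990 ESTABLISHED src=192.0.2.11 dst=198.51.100.7 sport=40000 dport=8000 src=198.51.100.7 dst=192.0.2.11 sport=8000 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 27 src=192.0.2.10 dst=192.0.2.1 sport=5353 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=5353 mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=192.0.2.12 dst=198.51.100.9 sport=46000 dport=443 [UNREPLIED] src=198.51.100.9 dst=192.0.2.12 sport=443 dport=46000 mark=1 zone=0 use=2
EOF
}

# Stand-alone demo on the constructed snapshots.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
lost_marks "$demo_dir/before.txt" "$demo_dir/after.txt"
rm -rf "$demo_dir"
```

On a live router, snapshot the table just before the "renewal in N seconds" deadline from the dhclient log and again right after the DHCPACK; a GONE line for a connection that was still open is the symptom the report describes, and it points at the conntrack table being flushed rather than at a mark that was never set.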
https://bugzilla.novell.com/show_bug.cgi?id=700771#c2

--- Comment #2 from James Carter <jimc@math.ucla.edu> 2011-06-20 17:46:25 UTC ---
Created an attachment (id=435492)
 --> (http://bugzilla.novell.com/attachment.cgi?id=435492)
Patch to omit deleting alias IP when main IP doesn't change
https://bugzilla.novell.com/show_bug.cgi?id=700771#c3

--- Comment #3 from James Carter <jimc@math.ucla.edu> 2011-06-20 17:48:11 UTC ---
Created an attachment (id=435493)
 --> (http://bugzilla.novell.com/attachment.cgi?id=435493)
dhclient-script with wrapper to report when connmarks are wiped out
https://bugzilla.novell.com/show_bug.cgi?id=700771#c4

--- Comment #4 from James Carter <jimc@math.ucla.edu> 2011-06-20 17:54:21 UTC ---
I fixed the problem. It turns out that the culprit that was removing connmarks
(actually, removing entire conntracks) was in the RENEW case, "Possible new
alias. Remove old alias."

    /sbin/ip addr del $alias_ip_address/$alias_subnet_mask dev $interface

(Patch attached.) The bug would not be seen unless the user has an alias IP on
the interface, which I do (to talk to my ISP's DSL modem).

In the patch you probably will want to think carefully about the
contingencies, to cover the most use-cases with the most safety. I don't get
to see how other users configure their networks, and you do. In particular,
the most common event in dhclient-script is to renew the lease with no changes
whatsoever, and I'd suggest (but I didn't implement) a conditional to simply
bypass the entire section in that case.

I've also attached the rattrap script.
https://bugzilla.novell.com/show_bug.cgi?id=700771#c5

Marius Tomaschewski <mt@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |ASSIGNED

--- Comment #5 from Marius Tomaschewski <mt@novell.com> 2011-06-21 07:32:44 UTC ---
Thanks for the report and patch!! I'll reproduce / double-check it and apply
it when I'm back in August.
https://bugzilla.novell.com/show_bug.cgi?id=700771#c6

Jan Engelhardt <jengelh@medozas.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC    |                            |jengelh@medozas.de

--- Comment #6 from Jan Engelhardt <jengelh@medozas.de> 2011-08-10 10:06:59 UTC ---
However, the removal of addresses or the disablement of links does not
normally result in conntrack entries being deleted - unless MASQUERADE is used
somewhere.
https://bugzilla.novell.com/show_bug.cgi?id=700771#c7

--- Comment #7 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-08-29 18:00:24 CEST ---
This is an autogenerated message for OBS integration:
This bug (700771) was mentioned in
https://build.opensuse.org/request/show/80087 11.4 / dhcp
https://build.opensuse.org/request/show/80088 11.3 / dhcp
https://build.opensuse.org/request/show/80093 Factory / dhcp
https://bugzilla.novell.com/show_bug.cgi?id=700771#c8

Marius Tomaschewski <mt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |ASSIGNED                    |RESOLVED
     Resolution    |                            |FIXED

--- Comment #8 from Marius Tomaschewski <mt@suse.com> 2011-08-30 08:23:27 UTC ---
Fixed (applied the patch or adopted version) in packages prepared for next
update.
https://bugzilla.novell.com/show_bug.cgi?id=700771#c10

--- Comment #10 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-08-30 11:00:10 CEST ---
This is an autogenerated message for OBS integration:
This bug (700771) was mentioned in
https://build.opensuse.org/request/show/80186 11.3 / dhcp
https://build.opensuse.org/request/show/80187 11.4 / dhcp
https://bugzilla.novell.com/show_bug.cgi?id=700771#c11

Swamp Workflow Management <swamp@suse.de> changed:

           What            |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard        |                            |maint:released:11.3:42935
                           |                            |maint:released:11.4:42935

--- Comment #11 from Swamp Workflow Management <swamp@suse.de> 2011-09-07 11:19:22 UTC ---
Update released for: dhcp, dhcp-client, dhcp-client-debuginfo, dhcp-debuginfo,
dhcp-debugsource, dhcp-devel, dhcp-doc, dhcp-relay, dhcp-relay-debuginfo,
dhcp-server, dhcp-server-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=700771#c12

Swamp Workflow Management <swamp@suse.de> changed:

           What            |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard        |maint:released:11.3:42935   |maint:released:11.3:42935
                           |maint:released:11.4:42935   |maint:released:11.4:42935
                           |                            |maint:released:sle11-sp1:42929

--- Comment #12 from Swamp Workflow Management <swamp@suse.de> 2011-09-08 01:30:11 UTC ---
Update released for: dhcp, dhcp-client, dhcp-debuginfo, dhcp-debugsource,
dhcp-devel, dhcp-relay, dhcp-server
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=700771#c13

Swamp Workflow Management <swamp@suse.de> changed:

           What            |Removed                        |Added
----------------------------------------------------------------------------
  Status Whiteboard        |maint:released:11.3:42935      |maint:released:11.3:42935
                           |maint:released:11.4:42935      |maint:released:11.4:42935
                           |maint:released:sle11-sp1:42929 |maint:released:sle11-sp1:42929
                           |                               |maint:released:sle10-sp4:42930

--- Comment #13 from Swamp Workflow Management <swamp@suse.de> 2011-09-08 01:59:56 UTC ---
Update released for: dhcp, dhcp-client, dhcp-debuginfo, dhcp-devel, dhcp-relay,
dhcp-server
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=700771#c14

Swamp Workflow Management <swamp@suse.de> changed:

           What            |Removed                        |Added
----------------------------------------------------------------------------
  Status Whiteboard        |maint:released:11.3:42935      |maint:released:11.3:42935
                           |maint:released:11.4:42935      |maint:released:11.4:42935
                           |maint:released:sle11-sp1:42929 |maint:released:sle11-sp1:42929
                           |maint:released:sle10-sp4:42930 |maint:released:sle10-sp4:42930
                           |                               |maint:released:sle10-sp3:42933

--- Comment #14 from Swamp Workflow Management <swamp@suse.de> 2011-09-08 03:21:21 UTC ---
Update released for: dhcp, dhcp-client, dhcp-debuginfo, dhcp-devel, dhcp-relay,
dhcp-server
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=700771#c15

Swamp Workflow Management <swamp@suse.de> changed:

           What            |Removed                        |Added
----------------------------------------------------------------------------
  Status Whiteboard        |maint:released:11.3:42935      |maint:released:11.3:42935
                           |maint:released:11.4:42935      |maint:released:11.4:42935
                           |maint:released:sle11-sp1:42929 |maint:released:sle11-sp1:42929
                           |maint:released:sle10-sp4:42930 |maint:released:sle10-sp4:42930
                           |maint:released:sle10-sp3:42933 |maint:released:sle10-sp3:42933
                           |                               |maint:released:sles9-sp3-teradata:42932

--- Comment #15 from Swamp Workflow Management <swamp@suse.de> 2011-09-08 15:08:48 UTC ---
Update released for: dhcp, dhcp-client, dhcp-devel, dhcp-relay, dhcp-server
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)