Re: 2.1.102: ipchains: REJECT does only DENY - network gurus please

Steffen Zahn (zahn@berlin.snafu.de)
Sun, 17 May 1998 13:29:59 +0200


Hello,

With the problem of the new firewall code not doing REJECT correctly,
I have now, with the help of Paul Rusty Russell <Paul.Russell@rustcorp.com.au>,
inserted numerous printks.

The sequence is as follows:

ipchains decides to REJECT an input packet
ipfw_input_check returns -1 (FW_REJECT)
call_in_firewall returns -1 (FW_REJECT)
ip_rcv calls icmp_send
icmp_send returns after the
if (ip_route_output(&rt, iph->saddr, saddr, RT_TOS(tos), 0))
statement.

No ICMP message is sent.

What does that mean?

Steffen

syslog output:

May 17 13:14:31 zahn vmunix: tcpdump uses obsolete (PF_INET,SOCK_PACKET)
May 17 13:14:31 zahn vmunix: eth0: Setting promiscuous mode.
May 17 13:14:31 zahn vmunix: device eth0 entered promiscuous mode
May 17 13:14:59 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1027 194.64.64.1:53 L=65 S=0x00 I=25088 F=0x0000 T=32
May 17 13:14:59 zahn vmunix: ipfw_input_check: Returning -1
May 17 13:14:59 zahn vmunix: call_in_firewall: Returning -1
May 17 13:14:59 zahn vmunix: in ip_rcv: fwres was -1
May 17 13:14:59 zahn vmunix: in ip_rcv: calling icmp_send now
May 17 13:14:59 zahn vmunix: icmp_send: ip_route_output(&rt, iph->saddr, saddr, RT_TOS(tos), 0)
May 17 13:15:00 zahn /USR/SBIN/CRON[169]: (root) CMD (/usr/sbin/atrun)
May 17 13:15:04 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1027 194.64.64.1:53 L=65 S=0x00 I=25344 F=0x0000 T=32
May 17 13:15:04 zahn vmunix: ipfw_input_check: Returning -1
May 17 13:15:04 zahn vmunix: call_in_firewall: Returning -1
May 17 13:15:04 zahn vmunix: in ip_rcv: fwres was -1
May 17 13:15:04 zahn vmunix: in ip_rcv: calling icmp_send now
May 17 13:15:04 zahn vmunix: icmp_send: ip_route_output(&rt, iph->saddr, saddr, RT_TOS(tos), 0)
May 17 13:15:13 zahn vmunix: eth0: Setting promiscuous mode.
May 17 13:15:13 zahn vmunix: device eth0 left promiscuous mode

tcpdump: listening on eth0
12:14:59.525553 taliesin.1027 > berlin.snafu.de.nameserver: 1+ (37)
12:15:04.525437 taliesin.1027 > berlin.snafu.de.nameserver: 1+ (37)

2 packets received by filter
0 packets dropped by kernel

-- 
home email:  user@domain where domain=berlin.snafu.de, user=zahn
Use of my address for unsolicited commercial advertising is forbidden.
      2^3021377 - 1     |     "Where do you want to crash today?"
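
As an added example (not code from the post, from the ipchains tool or from the kernel): a small Python parser for the ipchains "Packet log:" syslog lines quoted above. It also walks the debugging printks quoted in the post, in the order the post lists them, to report for each logged packet the last point on the REJECT path that was reached, which is the question the trace above raises. The sample syslog is constructed here to match the post's lines (the truncated second trace and the DENY line are constructed variations); the field layout, the hex-prefixed S= and F= values and the reading of the two "port" positions as ICMP type and code for PROTO=1 are my assumptions about the log format rather than anything the post states.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample shaped like the syslog quoted above: the first REJECT keeps
# the full printk trace, the second is cut short after call_in_firewall, and a
# DENY with no trace is added for contrast (neither variation is from the post).
SAMPLE_SYSLOG = """\
May 17 13:14:59 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1027 194.64.64.1:53 L=65 S=0x00 I=25088 F=0x0000 T=32
May 17 13:14:59 zahn vmunix: ipfw_input_check: Returning -1
May 17 13:14:59 zahn vmunix: call_in_firewall: Returning -1
May 17 13:14:59 zahn vmunix: in ip_rcv: fwres was -1
May 17 13:14:59 zahn vmunix: in ip_rcv: calling icmp_send now
May 17 13:14:59 zahn vmunix: icmp_send: ip_route_output(&rt, iph->saddr, saddr, RT_TOS(tos), 0)
May 17 13:15:00 zahn /USR/SBIN/CRON[169]: (root) CMD (/usr/sbin/atrun)
May 17 13:15:04 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1027 194.64.64.1:53 L=65 S=0x00 I=25344 F=0x0000 T=32
May 17 13:15:04 zahn vmunix: ipfw_input_check: Returning -1
May 17 13:15:04 zahn vmunix: call_in_firewall: Returning -1
May 17 13:15:09 zahn vmunix: Packet log: input DENY eth0 PROTO=6 192.168.0.9:40000 192.168.0.1:23 L=44 S=0x00 I=100 F=0x4000 T=64
"""

# Assumed ipchains "Packet log:" layout: chain verdict iface PROTO src:sport
# dst:dport L=length S=TOS I=IP id F=fragment word T=TTL (PROTO=1: type:code).
PACKET_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)
INT_FIELDS = {"proto", "sport", "dport", "length", "tos", "ip_id", "frag", "ttl"}

# The debugging printks the post inserted, in call order along the REJECT path.
TRACE_STAGES = (
    "ipfw_input_check: Returning",
    "call_in_firewall: Returning",
    "in ip_rcv: fwres was",
    "in ip_rcv: calling icmp_send now",
    "icmp_send: ip_route_output",
)


@dataclass(frozen=True)
class PacketLogEntry:
    ts: str
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    tos: int
    ip_id: int
    frag: int
    ttl: int


def parse_packet_log_line(line):
    """Return a PacketLogEntry for an ipchains log line, or None otherwise."""
    m = PACKET_LOG_RE.match(line)
    if m is None:
        return None
    # int(v, 0) accepts both the decimal fields and the 0x-prefixed hex ones.
    return PacketLogEntry(**{k: int(v, 0) if k in INT_FIELDS else v
                             for k, v in m.groupdict().items()})

def parse_packet_log(lines):
    """Pick every ipchains packet-log entry out of a syslog stream."""
    return [e for e in map(parse_packet_log_line, lines) if e is not None]

def summarize_verdicts(entries):
    """Count entries by verdict, protocol and destination endpoint."""
    return Counter((e.verdict, e.proto, e.dst, e.dport) for e in entries)

def last_stage_reached(lines):
    """Pair each packet-log entry with the last REJECT-path printk seen before
    the next entry; None means no trace line followed it (e.g. a DENY)."""
    result, current, last = [], None, None
    for line in lines:
        entry = parse_packet_log_line(line)
        if entry is not None:
            if current is not None:
                result.append((current, last))
            current, last = entry, None
            continue
        for stage in TRACE_STAGES:
            if stage in line:
                last = stage
    if current is not None:
        result.append((current, last))
    return result

if __name__ == "__main__":
    for entry, stage in last_stage_reached(SAMPLE_SYSLOG.splitlines()):
        print(entry.ts, entry.verdict, f"{entry.dst}:{entry.dport}", "->", stage)
```

Run against the post's own lines, `last_stage_reached` reports `icmp_send: ip_route_output` for both REJECT entries, which is exactly the observation in the message: the path gets as far as the route lookup in icmp_send and no later stage is logged. For ordinary log review without the extra printks, `parse_packet_log` and `summarize_verdicts` are the useful part, since a REJECT verdict is the one that is supposed to produce an ICMP reply and a DENY is the one that is meant to stay silent.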

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu