Bug #1229
connmark module, wrong rule deleted
Description
When two clients behind the same NAT connect with the connmark module active, two similar rules with different marks are inserted into iptables.
When the first client disconnects, the second client will lose connectivity because the first rule in the chain (last inserted) will be deleted instead of the correct client rule.
This happens because the rules are very similar and have to be matched across all fields to find the correct rule.
A sample patch to fix the issue is attached. Tested on OpenWRT.
History
#1 Updated by Tobias Brunner over 9 years ago
- Tracker changed from Issue to Bug
- Category set to libcharon
- Status changed from New to Feedback
- Assignee set to Tobias Brunner
- Target version set to 5.4.0
- Resolution set to Fixed
I can't really reproduce the issue in the ikev2/host2host-transport-connmark scenario (different kernels from 3.8.1 to 4.4.3 and iptables-dev 1.4.14-3.1). I can terminate either CHILD_SA and the correct firewall rules are removed.
I haven't found much information regarding the matchmask parameter for iptc_delete_entry(), so I had a look at the libiptc sources and we should definitely set it to an array that is at least as long as the passed entry because data after the passed matchmask pointer is actually dereferenced. Whether that works or triggers this issue (or a crash) probably depends on the compiler and the data after the static string that was passed so far. I pushed a slightly modified patch to the 1229-1230-connmark-fixes branch.
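The matchmask point from the comment above, as an added illustration that is not part of this ticket, of strongSwan's connmark plugin or of libiptc: `struct rule_entry` is a simplified stand-in for `struct ipt_entry` (not the real netfilter layout), `rules_match()` approximates how libiptc's `is_same()` walks the mask byte by byte up to the entry length, and the addresses and marks are constructed values. It shows why the mask must be allocated as long as the entry with every byte set: a mask that covers only the fixed header makes two rules that differ only in their connmark mark look identical, so a delete hits the first (most recently inserted) rule in the chain, which is exactly the symptom reported.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct ipt_entry (hypothetical, not the real
 * netfilter layout): a fixed header followed by variable-length match data.
 * target_offset/next_offset carry the same meaning as in the kernel struct. */
struct rule_entry {
    uint32_t src;            /* source address (stand-in for ipt_ip.src) */
    uint32_t dst;            /* destination address */
    uint16_t target_offset;  /* end of the match data */
    uint16_t next_offset;    /* total size of the entry */
    unsigned char elems[];   /* match data follows the header */
};

/* Hypothetical connmark match payload: the mark the rule tests for. */
struct connmark_match {
    uint32_t mark;
    uint32_t mask;
};

/* Allocate one rule entry carrying a single connmark match. */
struct rule_entry *build_rule(uint32_t src, uint32_t dst, uint32_t mark)
{
    size_t len = sizeof(struct rule_entry) + sizeof(struct connmark_match);
    struct rule_entry *e = calloc(1, len);  /* calloc: no stray padding bytes */
    if (!e) return NULL;
    e->src = src;
    e->dst = dst;
    e->target_offset = (uint16_t)len;
    e->next_offset = (uint16_t)len;
    struct connmark_match cm = { .mark = mark, .mask = 0xffffffffu };
    memcpy(e->elems, &cm, sizeof cm);
    return e;
}

/* Correct matchmask: one byte per byte of the entry, all bits set, so every
 * field including the match data takes part in the comparison. */
unsigned char *full_matchmask(const struct rule_entry *e)
{
    unsigned char *m = malloc(e->next_offset);
    if (m) memset(m, 0xff, e->next_offset);
    return m;
}

/* Weak variant: covers only the fixed header, so the match data is masked
 * out. A short static string followed by zero bytes behaves like this. */
unsigned char *header_only_matchmask(const struct rule_entry *e)
{
    unsigned char *m = calloc(1, e->next_offset);
    if (m) memset(m, 0xff, sizeof(struct rule_entry));
    return m;
}

/* Masked comparison in the spirit of libiptc's is_same(): bytes of the
 * candidate are compared with the wanted entry under the matching mask byte,
 * reading the mask as far as target_offset. This is why the mask has to be
 * at least as long as the entry. */
int rules_match(const struct rule_entry *want, const struct rule_entry *cand,
                const unsigned char *matchmask)
{
    if (want->target_offset != cand->target_offset)
        return 0;
    const unsigned char *a = (const unsigned char *)want;
    const unsigned char *b = (const unsigned char *)cand;
    for (size_t i = 0; i < (size_t)want->target_offset; i++)
        if ((a[i] ^ b[i]) & matchmask[i])
            return 0;
    return 1;
}

/* Index of the first rule in the chain a delete would hit, or -1. */
int find_rule(struct rule_entry **chain, int n,
              const struct rule_entry *want, const unsigned char *matchmask)
{
    for (int i = 0; i < n; i++)
        if (rules_match(want, chain[i], matchmask))
            return i;
    return -1;
}

/* Scenario from the report: two clients behind one NAT (same addresses),
 * marks 1 and 2, rules inserted at the head of the chain. Deleting the
 * first client's rule (mark 1) should hit index 1. Returns the index hit. */
int run_scenario(int use_full_mask)
{
    struct rule_entry *chain[2];
    chain[0] = build_rule(0x0a000001u, 0xc0a80001u, 2); /* last inserted */
    chain[1] = build_rule(0x0a000001u, 0xc0a80001u, 1); /* first client */
    struct rule_entry *want = build_rule(0x0a000001u, 0xc0a80001u, 1);
    unsigned char *mask = use_full_mask ? full_matchmask(want)
                                        : header_only_matchmask(want);
    int idx = find_rule(chain, 2, want, mask);
    free(mask); free(want); free(chain[0]); free(chain[1]);
    return idx;
}

int main(void)
{
    printf("full mask deletes index %d, header-only mask deletes index %d\n",
           run_scenario(1), run_scenario(0));
    return 0;
}
```

With the full-length mask the delete lands on the mark-1 rule at index 1; with the header-only mask it lands on index 0, the other client's rule.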
#2 Updated by Tobias Brunner over 9 years ago
- Status changed from Feedback to Closed