View Issue Details

ID: 0005048
Project: CentOS-6
Category: CentOS-6-Plus
View Status: public
Last Update: 2011-08-21 23:39
Reporter: tgarons
Priority: normal
Severity: major
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 6.0
Target Version:
Fixed in Version:
Summary: 0005048: UDP packets sent to IP alias cause filter change
Description: With the following interfaces configured on eth1:
eth1 Link encap:Ethernet HWaddr 00:14:D1:26:FD:55
          inet addr:192.168.0.31 Bcast:192.168.0.255 Mask:255.255.255.0
          inet6 addr: fe80::214:d1ff:fe26:fd55/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1:0 Link encap:Ethernet HWaddr 00:14:D1:26:FD:55
          inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          Interrupt:16 Base address:0xef00

eth1:1 Link encap:Ethernet HWaddr 00:14:D1:26:FD:55
          inet addr:192.168.0248 Bcast:192.168.0.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          Interrupt:16 Base address:0xef00

openvpn was bound to 2190/udp:
 netstat -anp|grep 2190
udp 0 0 0.0.0.0:2190 0.0.0.0:* 13705/openvpn

An openvpn connection to 2190/udp on an aliased interface (eth1:1 192.168.0.248) resulted in the response packet being returned from udp/1024 and all subsequent traffic between openvpn server and client occurred on udp/1024 as observed by tcpdump on both ends of the connection.

Nothing was bound to udp/1024 on the server and any packets sent directly to udp/1024 either from the local host or an outside system resulted in an ICMP destination unreachable.

Changing the interface config so that eth1 was 192.168.0.248 and eth3:1 was 192.168.0.31 fixed the problem—the port was not remapped to 1024 and all openvpn communication occurred over udp/2190.
Additional Information: /proc/net/nf_conntrack:

With eth1 address 192.68.0.31 and eth1:1 192.178.0.248

ipv4 2 udp 17 130 src=192.168.0.31 dst=MY_IP sport=2190 dport=42987 src=173.172.110.216 dst=MY_IP sport=42987 dport=1024 [ASSURED] mark=0 secmark=0 use=2

With eth1 address 192.168.0.248:

ipv4 2 udp 17 179 src=192.168.0.248 dst=MY_IP sport=2190 dport=42987 src=MY_IP dst=192.168.0.248 sport=42987 dport=2190 [ASSURED] mark=0 secmark=0 use=2
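The two /proc/net/nf_conntrack entries above are the key evidence in this report: each line carries the original-direction tuple (the first src/dst/sport/dport group) followed by the reply-direction tuple the kernel expects. Without any address or port translation the reply tuple is the exact mirror of the original; in the first entry the reply arrives at dport=1024 rather than the original sport=2190, which is what the tcpdump observation looks like in the conntrack table. The following parser is an added example (not code from the reporter or from CentOS) that reads such lines, constructed here from the two entries quoted in the report, and flags every flow whose reply tuple does not mirror its original tuple. Field names, the MY_IP placeholder and the sample text are taken from the report; everything else is assumed.

```python
"""Parse /proc/net/nf_conntrack entries and flag flows whose reply tuple is not
the mirror image of the original tuple, which is how an address or port
rewrite shows up in the conntrack table."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the two entries quoted in the bug report, with the
# reporter's MY_IP placeholder left as-is (addresses are treated as opaque
# strings, so placeholders parse fine).
SAMPLE = """\
ipv4 2 udp 17 130 src=192.168.0.31 dst=MY_IP sport=2190 dport=42987 src=173.172.110.216 dst=MY_IP sport=42987 dport=1024 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 udp 17 179 src=192.168.0.248 dst=MY_IP sport=2190 dport=42987 src=MY_IP dst=192.168.0.248 sport=42987 dport=2190 [ASSURED] mark=0 secmark=0 use=2
"""

# One src/dst/sport/dport group; nf_conntrack prints it twice for TCP and UDP:
# first the original direction, then the expected reply direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Entry:
    l4proto: str
    timeout: int
    orig: Tuple4
    reply: Tuple4
    flags: list = field(default_factory=list)


def parse_entry(line):
    """Parse one nf_conntrack line; returns None for entries without two
    port-carrying tuples (e.g. icmp, or a truncated line)."""
    parts = line.split()
    if len(parts) < 5:
        return None
    l4proto, timeout = parts[2], int(parts[4])   # e.g. "udp", 130
    groups = TUPLE_RE.findall(line)
    if len(groups) != 2:
        return None
    orig, reply = (Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in groups)
    flags = re.findall(r"\[([A-Z_]+)\]", line)     # e.g. ASSURED, UNREPLIED
    return Entry(l4proto, timeout, orig, reply, flags)


def parse_conntrack(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def translations(entry):
    """List every way the reply tuple deviates from a pure mirror of the original.

    Without NAT, conntrack expects replies from orig.dst:orig.dport back to
    orig.src:orig.sport; any difference means the flow is being rewritten."""
    o, r = entry.orig, entry.reply
    found = []
    if r.dst != o.src:
        found.append(f"source address {o.src} rewritten to {r.dst}")
    if r.src != o.dst:
        found.append(f"destination address {o.dst} rewritten to {r.src}")
    if r.dport != o.sport:
        found.append(f"source port {o.sport} rewritten to {r.dport}")
    if r.sport != o.dport:
        found.append(f"destination port {o.dport} rewritten to {r.sport}")
    return found


def find_port_rewrites(text):
    """Return (proto, original sport, rewritten sport) for every flow whose
    source port changed between original and reply, the symptom in this report."""
    return [(e.l4proto, e.orig.sport, e.reply.dport)
            for e in parse_conntrack(text) if e.reply.dport != e.orig.sport]


if __name__ == "__main__":
    for e in parse_conntrack(SAMPLE):
        print(f"{e.l4proto} {e.orig.src}:{e.orig.sport} -> {e.orig.dst}:{e.orig.dport}")
        for t in translations(e) or ["no translation: reply tuple mirrors original"]:
            print("   ", t)
```

Run against a live table with `python3 script.py < /proc/net/nf_conntrack` after swapping SAMPLE for `sys.stdin.read()`; on the first entry above it reports the 2190 to 1024 source-port rewrite (plus the address mismatches introduced by the MY_IP redaction), while the second entry, captured after the interface change, shows no translation at all.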
Tags: No tags attached.

Activities

tgarons (reporter), 2011-08-21 23:39, note ~0013142:

Should add that this behavior occurred with iptables completely flushed as verified by iptables -L -n -v for all tables.

Issue History

Date Modified Username Field Change
2011-08-21 21:01 tgarons New Issue
2011-08-21 23:39 tgarons Note Added: 0013142