Bug#446343: cutter: does not work at all

2012-12-26 Thread Axel Beckert
Hi,

Chris Davies wrote:
> Aurélien GÉRÔME wrote:
> > Thanks to this bug, cutter got blindly removed from testing, and I
> > still _cannot_ reproduce it. It would be nice to get some recipe to
> > reproduce it, if we ever want it to be released with Lenny.
>
> I've added some debug to the program, and it seems to me that it
> simply cannot work. Either that or I'm grossly misunderstanding what
> it does.

I suspect that this program is just made for NAT routers and does not
work in any other environment like bridges or end points. Cc'ing
upstream. Maybe he can help here. (Here = http://bugs.debian.org/446343)

> The attached patch applies my debug code to the debian cutter
> [...]

Thanks for that one, this indeed helped to get a little bit further.

> Looking at the code around 540, there are a number of condition
> criteria that check for local/remote IP address (I guess that
> local means a local interface for the box on which cutter is
> running).
>
> If you have a connection from A to C, via B, then neither of the
> address pairs are going to be local, so neither of the two if()
> statements can succeed.

Indeed. At that point there seem to be quite some cases missing. For
outgoing endpoints and bridges (as commonly found on Xen Dom0s) I had
to add the following two cases:

    /* Outbound connection from private network device */

    else if (localip(src1n) && !localip(dst1n) &&
             !localip(src2n) && localip(dst2n)) {
        puts("Outbound connection from private network device");
        found ++;
        printf("For connection %s:%d - %s:%d\n", dst2,
               dport2, src2, sport2);
        ok = send_rst(dst1,dport1,src1,sport1) && ok;
        ok = send_rst(dst2,dport2,src2,sport2) && ok;
    }

    /* Connection going through */

    else if (!localip(src1n) && !localip(dst1n) &&
             !localip(src2n) && !localip(dst2n)) {
        puts("Connection going through");
        found ++;
        printf("For connection %s:%d - %s:%d\n", dst2,
               dport2, src2, sport2);
        ok = send_rst(dst1,dport1,src1,sport1) && ok;
        ok = send_rst(dst2,dport2,src2,sport2) && ok;
    }

Nevertheless, this wasn't everything to make it work. In both cases I
got the message "Cant find next hop gateway in routing table" once or
twice.

The code where you have to start if you want to fix this is likely
around line 312 and then around line 130.

While the if-case in line 129 seems logical for me, the flags variable
always contains 0 despite it contains non-zero values in
/proc/net/route. If I comment out line 132 ("(flags & 0x0001) && //
route is UP"), it seems to select the right route, but I always end up
with the message "ACK not seen so RST not sent (sorry!)".

So I suspect there's more fishy than I found out so far. :-(

Regards, Axel
-- 
 ,''`.  |  Axel Beckert a...@debian.org, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-|  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
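
The localip() combinations discussed in this message, as an added example that is not part of the mail or of cutter's source: it reads the four addresses from a conntrack line and names the branch that would match, reading the quoted conditions as conjunctions. is_local(), next_addr(), local_mask() and classify() are hypothetical names, and the sample line is constructed from the tuple in the 2008-02-14 report further down this thread.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed from the 2008-02-14 report: A -> C routed through B, no NAT. */
static const char *const B_ADDRS[] = { "10.1.1.106", "192.168.133.13" };
static const char ROUTED[] = "tcp 6 431999 ESTABLISHED "
    "src=10.1.20.42 dst=192.168.130.252 sport=36707 dport=22 "
    "src=192.168.130.252 dst=10.1.20.42 sport=22 dport=36707";

/* Stand-in for cutter's localip(): is a one of this host's addresses? */
static int is_local(in_addr_t a, const char *const *local, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a == inet_addr(local[i])) return 1;
    return 0;
}

/* Parse the next "key=a.b.c.d" at or after *p and advance *p past it. */
static int next_addr(const char **p, const char *key, in_addr_t *out) {
    char buf[16];
    const char *s = strstr(*p, key);
    if (!s || sscanf(s + strlen(key), "%15[0-9.]", buf) != 1) return 0;
    *p = s + strlen(key) + strlen(buf);
    return inet_pton(AF_INET, buf, out) == 1;
}

/* Bits 3..0 are set when src1, dst1, src2, dst2 are local; -1 if unparsable. */
int local_mask(const char *line, const char *const *local, size_t n) {
    static const char *const keys[4] = { "src=", "dst=", "src=", "dst=" };
    int mask = 0;
    for (int i = 0; i < 4; i++) {
        in_addr_t a;
        if (!next_addr(&line, keys[i], &a)) return -1;
        mask = (mask << 1) | is_local(a, local, n);
    }
    return mask;
}

/* Labels are the branch comments quoted in the thread. */
const char *classify(int mask) {
    switch (mask) {
    case 0x1: return "Local network to public network - forwarded connection";
    case 0x4: return "Inbound connection forwarded to private network device";
    case 0x9: return "Outbound connection from private network device";
    case 0x0: return "Connection going through";
    default:  return "no branch matches";
    }
}

int main(void) {
    int m = local_mask(ROUTED, B_ADDRS, 2);
    return printf("mask=0x%x -> %s\n", m, classify(m)) < 0;
}
```

Masks 0x1 and 0x4 are the two combinations the 1.03-2 code already had a branch for; 0x9 and 0x0 are the two added in this message.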





Bug#446343: cutter: does not work at all

2012-12-26 Thread Axel Beckert
Hi again,

Axel Beckert wrote:
> While the if-case in line 129 seems logical for me, the flags variable
> always contains 0 despite it contains non-zero values in
> /proc/net/route. If I comment out line 132 ("(flags & 0x0001) && //
> route is UP"), it seems to select the right route, but I always end up
> with the message "ACK not seen so RST not sent (sorry!)".

I've raised the amount of time to wait for an ACK to 80 seconds and now
it seems to always work on the bridging computer and sometimes work on
the end point computer. Now I can at least debug the reconnect feature
of my IRC bot.

Attached the patch with which I came that far. It's though very likely
not yet complete to solve all the related issues. (Hence no tag
patch.)

Regards, Axel
-- 
 ,''`.  |  Axel Beckert a...@debian.org, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-|  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
diff -u cutter-1.03/cutter.c cutter-1.03/cutter.c
--- cutter-1.03/cutter.c
+++ cutter-1.03/cutter.c
@@ -128,7 +128,7 @@
mask = mask;
if (
iface[0] != '*'   // not a 
rejected interface
-   (flags  0x0001)  // route is UP
+   //(flags  0x0001)// route is UP
(flags  0x0200) == 0 // not a 
reject
(ip  mask) == dest_ip  // IP match
) {
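Review bot: Commenting out the "flags 0x0001" (route is UP) test in the route-selection condition means a route that is not up can now be picked as the next hop. The accompanying mail says flags always reads 0 although /proc/net/route shows non-zero values, so the defect is more likely in how the Flags column is read than in this test; keep the check, fix the read, and do not leave the disabled line behind as a comment.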
@@ -375,7 +375,7 @@
 
tstart = time(0);
 
-   for ( ; time(0)  tstart + 15; ) {  // give the peer 15 seconds to 
respond
+   for ( ; time(0)  tstart + 80; ) {  // give the peer 80 seconds to 
respond
struct sockaddr_ll gotaddr;
unsigned int addrlen = sizeof(gotaddr);
fd_set readfds;
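Review bot: The wait in the "for" loop goes from 15 to 80 seconds as a bare literal that is repeated in the trailing comment. A named constant or a command-line option would make the timeout tunable, and since the mail reports that 80 seconds still only sometimes works on the end point, the longer wait looks like a workaround for the ACK not being seen rather than a fix for it.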
@@ -534,6 +534,26 @@
found ++;
printf(For connection %s:%d - %s:%d\n, dst2, 
dport2, src2, sport2);
ok = send_rst(dst1,dport1,src1,sport1)  ok;
+   ok = send_rst(dst2,dport2,src2,sport2)  ok;
+   }
+
+   /* Outbound connection from private network device */
+
+   else if (localip(src1n)  !localip(dst1n)  
!localip(src2n)  localip(dst2n)) {
+puts(Outbound connection from private network device);
+   found ++;
+   printf(For connection %s:%d - %s:%d\n, dst2, 
dport2, src2, sport2);
+   ok = send_rst(dst1,dport1,src1,sport1)  ok;
+   ok = send_rst(dst2,dport2,src2,sport2)  ok;
+   }
+
+   /* Connection going through */
+
+   else if (!localip(src1n)  !localip(dst1n)  
!localip(src2n)  !localip(dst2n)) {
+puts(Connection going through);
+   found ++;
+   printf(For connection %s:%d - %s:%d\n, dst2, 
dport2, src2, sport2);
+   ok = send_rst(dst1,dport1,src1,sport1)  ok;
ok = send_rst(dst2,dport2,src2,sport2)  ok;
}
}
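Review bot: The added "Connection going through" branch matches whenever none of the four addresses is local, and together with the "Outbound" branch it repeats the same found/printf/send_rst body a third and fourth time. Since every branch shown here ends in the same two send_rst() calls, one block that picks the label and then calls send_rst() once per direction would be easier to check, with a comment saying which localip() combinations are deliberately left out. The added puts() lines are unconditional and indented differently from the code around them; drop them or put them behind a verbose switch.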
diff -u cutter-1.03/debian/changelog cutter-1.03/debian/changelog
--- cutter-1.03/debian/changelog
+++ cutter-1.03/debian/changelog
@@ -1,3 +1,9 @@
+cutter (1.03-2.1~test1) unstable; urgency=low
+
+  * Test patch for #446343
+
+ -- Axel Beckert a...@debian.org  Thu, 27 Dec 2012 00:24:43 +0100
+
 cutter (1.03-2) unstable; urgency=low
 
   * Adopt the package (Closes: #316195).
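
An added example, not part of the patch or of cutter's source, of the route test that the first hunk edits: it parses /proc/net/route style rows and applies the same four criteria, choosing the most specific match (an assumption; the thread does not say how cutter ranks matches). The table is constructed, and FLAG_UP, FLAG_REJECT, next_hop(), add_row() and sample_table() are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define FLAG_UP     0x0001u  /* "route is UP" in the patch */
#define FLAG_REJECT 0x0200u  /* "not a reject" in the patch */

/* Gateway (network byte order) of the most specific usable route to ip:
 * 0 means directly connected, INADDR_NONE means no usable route. */
in_addr_t next_hop(const char *table, in_addr_t ip) {
    in_addr_t best_gw = INADDR_NONE;
    long long best = -1;  /* host-order mask of the best match so far */
    for (const char *line = table; line && *line; ) {
        char iface[16];
        unsigned dest, gw, flags, mask;  /* all four columns are hexadecimal */
        if (sscanf(line, "%15s %x %x %x %*d %*u %*d %x",
                   iface, &dest, &gw, &flags, &mask) == 5 &&
            iface[0] != '*' && (flags & FLAG_UP) && !(flags & FLAG_REJECT) &&
            (ip & mask) == dest && (long long)ntohl(mask) > best) {
            best_gw = gw;
            best = ntohl(mask);
        }
        if ((line = strchr(line, '\n')) != NULL) line++;
    }
    return best_gw;
}

/* Append one row in /proc/net/route layout to tbl. */
static void add_row(char *tbl, size_t cap, const char *ifc, const char *dst,
                    const char *gw, unsigned flags, const char *mask) {
    size_t n = strlen(tbl);
    snprintf(tbl + n, cap - n, "%s\t%08X\t%08X\t%04X\t0\t0\t0\t%08X\t0\t0\t0\n", ifc,
             (unsigned)inet_addr(dst), (unsigned)inet_addr(gw), flags,
             (unsigned)inet_addr(mask));
}

/* Constructed table for host B of the thread; the default gateway 10.1.0.1
 * and the rejected 10.9.0.0/16 entry are invented for the example. */
const char *sample_table(void) {
    static char t[512];
    strcpy(t, "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n");
    add_row(t, sizeof t, "eth0", "10.1.0.0", "0.0.0.0", 0x0001, "255.255.0.0");
    add_row(t, sizeof t, "eth1", "192.168.128.0", "0.0.0.0", 0x0001, "255.255.248.0");
    add_row(t, sizeof t, "*", "10.9.0.0", "0.0.0.0", 0x0201, "255.255.0.0");
    add_row(t, sizeof t, "eth0", "0.0.0.0", "10.1.0.1", 0x0003, "0.0.0.0");
    return t;
}

int main(void) {
    struct in_addr gw = { next_hop(sample_table(), inet_addr("192.168.130.252")) };
    return printf("next hop: %s\n", inet_ntoa(gw)) < 0;
}
```

A Flags column that reads as 0 fails the UP test on every row, so next_hop() then returns INADDR_NONE for any address.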


Bug#446343: cutter: does not work at all

2008-03-08 Thread Chris Davies

Aurélien GÉRÔME wrote:
> Thanks for your detailed analysis. I will try to reproduce your exact
> setup this week-end.


Have you had time to look at this, yet? I would be interested in you 
describing a setup that I can try to reproduce here, as I cannot get cutter to 
work for me at all.


With regard to my throwaway comment of Feb 14 that, "I would imagine a patch
will be pretty straightforward", are you planning to do this or should I have
a stab at it?


Regards,
Chris





Bug#446343: cutter: does not work at all

2008-03-08 Thread Aurélien GÉRÔME
tags 446343 - moreinfo unreproducible
thanks

Hi,

On Sat, Mar 08, 2008 at 09:37:20AM +, Chris Davies wrote:
> Have you had time to look at this, yet? I would be interested in you
> describing a setup that I can try to reproduce here, as I cannot get cutter
> to work for me at all.

No, I had not. I need to organise several boxes in the same network
topology as yours to reproduce your setup, but I currently do not
have physical access to such boxes. I thought about a setup with
several qemu instances though, but this is really tedious.

Perhaps I can hook up some free Ultra5 boxes at work to reproduce
your setup, I will try it this month. I am currently working on the
PS3 integration in Debian, so this probably will not happen this
upcoming week. :)

> With regard to my throwaway comment of Feb 14 that, "I would imagine a
> patch will be pretty straightforward", are you planning to do this or
> should I have a stab at it?

If you can fix what happens in your setup which I believe is a right
use case, I will gratefully accept your patch. I will test it to see
if it does not break my simple daily-use setup, and then do an upload
to fix this bug.

Cheers,
-- 
 .''`.   Aurélien GÉRÔME
: :'  :
`. `'`   Debian Maintainer
  `- Unix Sys  Net Admin




Bug#446343: cutter: does not work at all

2008-02-15 Thread Aurélien GÉRÔME
Hi,

Thanks for your detailed analysis. I will try to reproduce your exact
setup this week-end.

Cheers,
-- 
 .''`.   Aurélien GÉRÔME
: :'  :
`. `'`   Debian Maintainer
  `- Unix Sys  Net Admin




Bug#446343: cutter: does not work at all

2008-02-14 Thread Chris Davies

Aurélien GÉRÔME wrote:
> Thanks to this bug, cutter got blindly removed from testing, and I
> still _cannot_ reproduce it. It would be nice to get some recipe to
> reproduce it, if we ever want it to be released with Lenny.


I've added some debug to the program, and it seems to me that it simply cannot 
work. Either that or I'm grossly misunderstanding what it does.


The attached patch applies my debug code to the debian cutter version 1.03-2. 
 Apologies for the code quality; I haven't written any C for a good number of 
years, now, and it was thrown together in a hurry.


To reproduce the situation where it doesn't work for me, you need three 
systems: A (10.1.20.42 /16) and C (192.168.130.252 /21) are connected via B 
(10.1.1.106 /16 and 192.168.133.13 /21). There's no NAT involved. On A, ssh to 
C. Log in to B and you'll see an entry in /proc/net/ip_conntrack matching the 
connection.


I picked it out with this ugly line:

sudo grep 'tcp.*ESTABLISHED' /proc/net/ip_conntrack | grep '10.1.20.42' | grep '192.168.*252' | grep 'port=22 '


Now run the patched version of cutter and you'll see something like this:

Args: /tmp/cutter 192.168.130.252 22 10.1.20.42
...
Got tcp/ESTABLISHED
 src=10.1.20.42
 dst=192.168.130.252
 sport=36707
 dport=22
 src=192.168.130.252
 dst=10.1.20.42
 sport=22
 dport=36707
Matched IP and port
 localip(src1n=10.1.20.42)=0, localip(dst1n=192.168.130.252)=0,
 localip(src2n=192.168.130.252)=0, localip(dst2n=10.1.20.42)=0
Got tcp/ESTABLISHED
...

Looking at the code around 540, there are a number of condition criteria that 
check for local/remote IP address (I guess that local means a local 
interface for the box on which cutter is running).


If you have a connection from A to C, via B, then neither of the address pairs 
are going to be local, so neither of the two if() statements can succeed.


I haven't had time to dig further (maybe tomorrow), but I would imagine a 
patch will be pretty straightforward.


Regards,
Chris
--- cutter.c.2008-02-14	2008-02-14 11:24:45.0 +
+++ cutter.c	2008-02-14 11:52:41.0 +
@@ -494,7 +494,18 @@
 			continue;
 
 		p = buff;
-
+puts(Got tcp/ESTABLISHED);
+{
+char item[32]; char *i = buff;
+if (get_str_field(i,  src=, item, sizeof(item))) printf( src=%s\n, item); else puts( no src);
+if (get_str_field(i,  dst=, item, sizeof(item))) printf( dst=%s\n, item); else puts( no dst);
+if (get_str_field(i,  sport=, item, sizeof(item))) printf( sport=%s\n, item); else puts( no sport);
+if (get_str_field(i,  dport=, item, sizeof(item))) printf( dport=%s\n, item); else puts( no dport);
+if (get_str_field(i,  src=, item, sizeof(item))) printf( src=%s\n, item); else puts( no src);
+if (get_str_field(i,  dst=, item, sizeof(item))) printf( dst=%s\n, item); else puts( no dst);
+if (get_str_field(i,  sport=, item, sizeof(item))) printf( sport=%s\n, item); else puts( no sport);
+if (get_str_field(i,  dport=, item, sizeof(item))) printf( dport=%s\n, item); else puts( no dport);
+}
 		if (
 			!get_str_field(p,  src=, src1, sizeof(src1)) ||
 			!get_str_field(p,  dst=, dst1, sizeof(dst1)) ||
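Review bot: The added debug block runs get_str_field() eight times over the line through its own pointer "i", and the "if" directly below parses the same fields again through "p". Printing the values after that "if" has filled src1, dst1 and the rest would avoid the second parse and the scratch buffer "item", and the output should be conditional (a verbose switch or an #ifdef) rather than printed for every ESTABLISHED entry.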
@@ -504,7 +515,7 @@
 			!get_str_field(p,  dst=, dst2, sizeof(dst2)) ||
 			!get_int_field(p,  sport=, sport2) ||
 			!get_int_field(p,  dport=, dport2)
-		) continue;
+		) { puts(Not got all required fields; continuing); continue; }
 
 		src1n = inet_addr(src1);
 		src2n = inet_addr(src2);
@@ -517,11 +528,13 @@
 			(match(ip1,port1,src1n,sport1)  match(ip2,port2,dst1n,dport1)) ||
 			(match(ip1,port1,dst1n,dport1)  match(ip2,port2,src1n,sport1))
 		) {
+puts(Matched IP and port);
+printf ( localip(src1n=%s)=%d, localip(dst1n=%s)=%d, localip(src2n=%s)=%d, localip(dst2n=%s)=%d\n, src1, localip(src1n), dst1, localip(dst1n), src2, localip(src2n), dst2, localip(dst2n));
 			/*
 			 * local network to public network - forwarded connection
 			 */
-
 			if (!localip(src1n)  !localip(dst1n)  !localip(src2n)  localip(dst2n)) {
+puts(Local network to public network - forwarded connection);
 found ++;
 printf(For connection %s:%d - %s:%d\n, src1, sport1, dst1, dport1);
 ok = send_rst(dst1,dport1,src1,sport1)  ok;
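Review bot: The added printf() calls localip() four times and the if/else chain below it calls localip() again on the same four addresses. Storing the four results in locals once and using them in both the printf() and the conditions keeps the diagnostic and the decision from drifting apart, and shortens the very long printf() line.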
@@ -531,6 +544,7 @@
 			/* Inbound connection forwarded to private network device */
 
 			else if (!localip(src1n)  localip(dst1n)  !localip(src2n)  !localip(dst2n)) {
+puts(Inbound connection forwarded to private network device);
 found ++;
 printf(For connection %s:%d - %s:%d\n, dst2, dport2, src2, sport2);
 ok = send_rst(dst1,dport1,src1,sport1)  ok;
@@ -564,6 +578,7 @@
 		exit(EXIT_FAILURE);
 	}
 
+{ int i; printf(Args:); for (i=0; iargc; i++) { printf( %s, argv[i]); } putchar('\n'); }
 	getifconfig();
 	if (scan_conntrack(ip1, port1, ip2, port2))
 		return EXIT_SUCCESS;
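Review bot: The "Args:" dump sits after an exit(EXIT_FAILURE) path, so if that path is the argument check the dump never appears for a rejected invocation, which is when it would help most. Move it above that check and write it to stderr so it does not mix with the tool's normal output.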


Bug#446343: cutter: does not work at all

2008-02-11 Thread Aurélien GÉRÔME
On Mon, Feb 11, 2008 at 10:10:18AM +0100, Aurélien GÉRÔME wrote:
> Thanks to this bug, cutter got blindly removed from testing, and I
> still _cannot_ reproduce it. It would be nice to get some recipe to
> reproduce it, if we ever want it to be released with Lenny.
^
cutter, I meant
-- 
 .''`.   Aurélien GÉRÔME
: :'  :
`. `'`   Debian Maintainer
  `- Unix Sys  Net Admin




Bug#446343: cutter: does not work at all

2008-02-11 Thread Aurélien GÉRÔME
Hi,

On Thu, Dec 06, 2007 at 09:26:43AM +, Chris Davies wrote:
> On Fri, Oct 12, 2007 at 11:13:44AM +0100, Chris Davies wrote:
> > Cutter does not work as described; it always reports No matching
> > connections found. Here is a repeatable example [...]
>
> Aurélien GÉRÔME wrote:
> > I am not able to reproduce it. Does cutter still behave like this if
> > you try it now?
>
> I have just reconfirmed that it still does not work for me. (This is
> running it as root.). I have cutter package 1.03-2 installed from
> testing, and kernels 2.6.18 (custom build) and 2.6.22-3-686 (debian).
>
> I've checked cutter on a transit firewall and also on an end-point. It does
> not work for me in either situation (No matching connections found).

Thanks to this bug, cutter got blindly removed from testing, and I
still _cannot_ reproduce it. It would be nice to get some recipe to
reproduce it, if we ever want it to be released with Lenny.

Cheers,
-- 
 .''`.   Aurélien GÉRÔME
: :'  :
`. `'`   Debian Maintainer
  `- Unix Sys  Net Admin




Bug#446343: cutter: does not work at all

2007-12-06 Thread Chris Davies

On Fri, Oct 12, 2007 at 11:13:44AM +0100, Chris Davies wrote:
> Cutter does not work as described; it always reports No matching
> connections found. Here is a repeatable example [...]

Aurélien GÉRÔME wrote:
> I am not able to reproduce it. Does cutter still behave like this if
> you try it now?


I have just reconfirmed that it still does not work for me. (This is running 
it as root.). I have cutter package 1.03-2 installed from testing, and 
kernels 2.6.18 (custom build) and 2.6.22-3-686 (debian).


I've checked cutter on a transit firewall and also on an end-point. It does 
not work for me in either situation (No matching connections found).


Regards,
Chris





Bug#446343: cutter: does not work at all

2007-12-02 Thread Aurélien GÉRÔME
Hi,

On Fri, Oct 12, 2007 at 11:13:44AM +0100, Chris Davies wrote:
> Cutter does not work as described; it always reports No matching
> connections found. Here is a repeatable example:
>
> netstat -an | grep 'ESTABLISHED'
> tcp        0      0 192.168.130.5:38101     10.1.30.129:22          ESTABLISHED
> tcp        0      0 192.168.130.5:38819     10.1.30.129:993         ESTABLISHED
>
>
> cutter 192.168.130.5 38101 10.1.30.129 22
> No matching connections found
> cutter 192.168.130.5 38101 10.1.30.129
> No matching connections found
> cutter 192.168.130.5 38101
> No matching connections found
>
> cutter 10.1.30.129 22 192.168.130.5 38101
> No matching connections found
> cutter 10.1.30.129 22 192.168.130.5
> No matching connections found
> cutter 10.1.30.129 22
> No matching connections found

I am not able to reproduce it. Does cutter still behave like this if
you try it now?

Cheers,
-- 
 .''`.   Aurélien GÉRÔME
: :'  :
`. `'`   Free Software Developer
  `- Unix Sys  Net Admin




Bug#446343: cutter: does not work at all

2007-12-02 Thread Aurélien GÉRÔME
On Sun, Dec 02, 2007 at 02:02:44PM +0100, Aurélien GÉRÔME wrote:
> I am not able to reproduce it. Does cutter still behave like this if
> you try it now?

Also, did you run it as root?

Cheers,
-- 
 .''`.   Aurélien GÉRÔME
: :'  :
`. `'`   Free Software Developer
  `- Unix Sys  Net Admin




Bug#446343: cutter: does not work at all

2007-10-12 Thread Chris Davies
Package: cutter
Version: 1.03-2
Severity: grave
Justification: renders package unusable

Cutter does not work as described; it always reports No matching
connections found. Here is a repeatable example:

netstat -an | grep 'ESTABLISHED'
tcp        0      0 192.168.130.5:38101     10.1.30.129:22          ESTABLISHED
tcp        0      0 192.168.130.5:38819     10.1.30.129:993         ESTABLISHED


cutter 192.168.130.5 38101 10.1.30.129 22
No matching connections found
cutter 192.168.130.5 38101 10.1.30.129
No matching connections found
cutter 192.168.130.5 38101
No matching connections found

cutter 10.1.30.129 22 192.168.130.5 38101
No matching connections found
cutter 10.1.30.129 22 192.168.130.5
No matching connections found
cutter 10.1.30.129 22
No matching connections found

Regards,
Chris

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (900, 'stable'), (300, 'unstable'), (50, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages cutter depends on:
ii  libc6 2.6.1-1+b1 GNU C Library: Shared libraries

cutter recommends no packages.

-- no debconf information


