Bug#446343: cutter: does not work at all
Hi,

Chris Davies wrote:
> Aurélien GÉRÔME wrote:
> > Thanks to this bug, cutter got blindly removed from testing, and I
> > still _cannot_ reproduce it. It would be nice to get some recipe to
> > reproduce it, if we ever want it to be released with Lenny.
>
> I've added some debug to the program, and it seems to me that it simply
> cannot work. Either that or I'm grossly misunderstanding what it does.

I suspect that this program is just made for NAT routers and does not work in any other environment like bridges or end points.

Cc'ing upstream. Maybe he can help here. (Here = http://bugs.debian.org/446343)

> The attached patch applies my debug code to the debian cutter [...]

Thanks for that one, this indeed helped to get a little bit further.

> Looking at the code around 540, there are a number of condition criteria
> that check for local/remote IP address (I guess that local means a local
> interface for the box on which cutter is running). If you have a
> connection from A to C, via B, then neither of the address pairs are
> going to be local, so neither of the two if() statements can succeed.

Indeed. At that point there seem quite some cases missing. For outgoing endpoints and bridges (as commonly found on Xen Dom0s) I had to add the following two cases:

    /* Outbound connection from private network device */
    else if (localip(src1n) && !localip(dst1n) && !localip(src2n) && localip(dst2n)) {
        puts("Outbound connection from private network device");
        found ++;
        printf("For connection %s:%d -> %s:%d\n", dst2, dport2, src2, sport2);
        ok = send_rst(dst1,dport1,src1,sport1) && ok;
        ok = send_rst(dst2,dport2,src2,sport2) && ok;
    }

    /* Connection going through */
    else if (!localip(src1n) && !localip(dst1n) && !localip(src2n) && !localip(dst2n)) {
        puts("Connection going through");
        found ++;
        printf("For connection %s:%d -> %s:%d\n", dst2, dport2, src2, sport2);
        ok = send_rst(dst1,dport1,src1,sport1) && ok;
        ok = send_rst(dst2,dport2,src2,sport2) && ok;
    }

Nevertheless, this wasn't everything to make it work.

In both cases I got the message "Cant find next hop gateway in routing table" once or twice. The code where you have to start if you want to fix this is likely around line 312 and then around line 130.

While the if-case in line 129 seems logical for me, the flags variable always contains 0 despite it containing non-zero values in /proc/net/route. If I comment out line 132 ((flags & 0x0001) // route is UP), it seems to select the right route, but I always end up with the message "ACK not seen so RST not sent (sorry!)".

So I suspect there's more fishy than I found out so far. :-(

Regards, Axel
--
,''`.  | Axel Beckert a...@debian.org, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `'  | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
  `-   | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
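The rule matching discussed in this thread, as an added example that is not cutter's code and not part of any message here: it evaluates the two original conditions and the two added ones against a conntrack entry as seen from hosts A, B and C of the reproduction setup. The names `classify`, `field` and the rule labels are hypothetical, `localip()` is a stand-in that checks a constructed address list, and the `&&` operators missing from the archived conditions are assumed.

```c
#include <stdio.h>
#include <string.h>
/* Constructed data: interface addresses of hosts A, B and C from the report. */
static const char *HOST_A[] = { "10.1.20.42", NULL };
static const char *HOST_B[] = { "10.1.1.106", "192.168.133.13", NULL };
static const char *HOST_C[] = { "192.168.130.252", NULL };
/* Constructed ip_conntrack entry using the addresses and ports from the report. */
static const char *ENTRY =
    "tcp 6 431999 ESTABLISHED src=10.1.20.42 dst=192.168.130.252 sport=36707 "
    "dport=22 src=192.168.130.252 dst=10.1.20.42 sport=22 dport=36707 use=1";
enum rule { NO_RULE, NAT_OUT, NAT_IN, ENDPOINT_OUT, TRANSIT };

/* Hypothetical stand-in for cutter's localip(): is ip one of the host's addresses? */
static int localip(const char **addrs, const char *ip) {
    for (; *addrs; addrs++)
        if (strcmp(*addrs, ip) == 0) return 1;
    return 0;
}

/* Copy the value after the next occurrence of key at or after *pp; advance *pp. */
static int field(const char **pp, const char *key, char *out, size_t n) {
    const char *s = strstr(*pp, key);
    if (!s) return 0;
    s += strlen(key);
    size_t len = strcspn(s, " \t\n");
    if (len == 0 || len >= n) return 0;
    memcpy(out, s, len);
    out[len] = '\0';
    *pp = s + len;
    return 1;
}

/* Which rule fires for this entry on this host; patched adds the two new cases. */
enum rule classify(const char **host, const char *line, int patched) {
    char s1[48], d1[48], s2[48], d2[48];
    const char *p = line;
    if (!field(&p, "src=", s1, sizeof s1) || !field(&p, "dst=", d1, sizeof d1) ||
        !field(&p, "src=", s2, sizeof s2) || !field(&p, "dst=", d2, sizeof d2))
        return NO_RULE;                       /* truncated or malformed entry */
    int a = localip(host, s1), b = localip(host, d1);
    int c = localip(host, s2), d = localip(host, d2);
    if (!a && !b && !c &&  d) return NAT_OUT;                 /* original */
    if (!a &&  b && !c && !d) return NAT_IN;                  /* original */
    if (patched &&  a && !b && !c &&  d) return ENDPOINT_OUT; /* added */
    if (patched && !a && !b && !c && !d) return TRANSIT;      /* added */
    return NO_RULE;
}

int main(void) {
    static const char *name[] = { "none", "nat-out", "nat-in", "endpoint-out", "transit" };
    printf("B unpatched: %s\n", name[classify(HOST_B, ENTRY, 0)]);
    printf("B patched:   %s\n", name[classify(HOST_B, ENTRY, 1)]);
    printf("A patched:   %s\n", name[classify(HOST_A, ENTRY, 1)]);
    printf("C patched:   %s\n", name[classify(HOST_C, ENTRY, 1)]);
}
```

With these conditions, host C (the end point that accepted the connection) still matches no rule after the two cases are added.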
Bug#446343: cutter: does not work at all
Hi again,

Axel Beckert wrote:
> While the if-case in line 129 seems logical for me, the flags variable
> always contains 0 despite it containing non-zero values in
> /proc/net/route. If I comment out line 132 ((flags & 0x0001) // route is
> UP), it seems to select the right route, but I always end up with the
> message "ACK not seen so RST not sent (sorry!)".

I've raised the amount of time to wait for an ACK to 80 seconds and now it seems to always work on the bridging computer and sometimes work on the end point computer.

Now I can at least debug the reconnect feature of my IRC bot.

Attached the patch with which I came that far. It's though very likely not yet complete to solve all the related issues. (Hence no tag patch.)

Regards, Axel
--
,''`.  | Axel Beckert a...@debian.org, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `'  | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
  `-   | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5

diff -u cutter-1.03/cutter.c cutter-1.03/cutter.c --- cutter-1.03/cutter.c +++ cutter-1.03/cutter.c @@ -128,7 +128,7 @@ mask = mask; if ( iface[0] != '*' // not a rejected interface - (flags 0x0001) // route is UP + //(flags 0x0001)// route is UP (flags 0x0200) == 0 // not a reject (ip mask) == dest_ip // IP match ) { @@ -375,7 +375,7 @@ tstart = time(0); - for ( ; time(0) tstart + 15; ) { // give the peer 15 seconds to respond + for ( ; time(0) tstart + 80; ) { // give the peer 80 seconds to respond struct sockaddr_ll gotaddr; unsigned int addrlen = sizeof(gotaddr); fd_set readfds; 
@@ -534,6 +534,26 @@ found ++; printf(For connection %s:%d - %s:%d\n, dst2, dport2, src2, sport2); ok = send_rst(dst1,dport1,src1,sport1) ok; + ok = send_rst(dst2,dport2,src2,sport2) ok; + } + + /* Outbound connection from private network device */ + + else if (localip(src1n) !localip(dst1n) !localip(src2n) localip(dst2n)) { +puts(Outbound connection from private network device); + found ++; + printf(For connection %s:%d - %s:%d\n, dst2, dport2, src2, sport2); + ok = send_rst(dst1,dport1,src1,sport1) ok; + ok = send_rst(dst2,dport2,src2,sport2) ok; + } + + /* Connection going through */ + + else if (!localip(src1n) !localip(dst1n) !localip(src2n) !localip(dst2n)) { +puts(Connection going through); + found ++; + printf(For connection %s:%d - %s:%d\n, dst2, dport2, src2, sport2); + ok = send_rst(dst1,dport1,src1,sport1) ok; ok = send_rst(dst2,dport2,src2,sport2) ok; } } diff -u cutter-1.03/debian/changelog cutter-1.03/debian/changelog --- cutter-1.03/debian/changelog +++ cutter-1.03/debian/changelog @@ -1,3 +1,9 @@ +cutter (1.03-2.1~test1) unstable; urgency=low + + * Test patch for #446343 + + -- Axel Beckert a...@debian.org Thu, 27 Dec 2012 00:24:43 +0100 + cutter (1.03-2) unstable; urgency=low * Adopt the package (Closes: #316195).
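Review bot: In the @@ -128 hunk, commenting out the route-UP test hides the underlying problem instead of fixing it. The message reports that flags always reads as 0, and the reject test on the following line, (flags 0x0200) == 0, uses the same variable, so with flags stuck at 0 it passes for every route as well. I would find out why the Flags column of /proc/net/route does not reach flags, fix that, and restore the UP test; if the test really has to go, delete the line instead of leaving it commented out.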
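Review bot: In the @@ -375 hunk the ACK wait is still a bare literal in the for condition, now 80 instead of 15, so a run that never sees an ACK can take up to 80 seconds before it reports failure. Since the message says the value was found by experiment, make it a named constant or a command-line option and mention in the comment why 15 seconds was not enough.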
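Review bot: The two branches added in the @@ -534 hunk have identical bodies and differ only in their condition and the puts text, so the found/printf/send_rst sequence is now repeated once more per case. Move that sequence into one helper that takes the label, and either drop the unindented puts lines or put them behind a debug switch, since they print for every matched connection. The empty + line between each comment and its else if can go as well.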
Bug#446343: cutter: does not work at all
Aurélien GÉRÔME wrote:
> Thanks for your detailed analysis. I will try to reproduce your exact
> setup this week-end.

Have you had time to look at this, yet? I would be interested in you describing a setup that I can try to reproduce here, as I cannot get cutter to work for me at all.

With regard to my throwaway comment of Feb 14 that, "I would imagine a patch will be pretty straightforward", are you planning to do this or should I have a stab at it?

Regards, Chris
Bug#446343: cutter: does not work at all
tags 446343 - moreinfo unreproducible
thanks

Hi,

On Sat, Mar 08, 2008 at 09:37:20AM +, Chris Davies wrote:
> Have you had time to look at this, yet? I would be interested in you
> describing a setup that I can try to reproduce here, as I cannot get
> cutter to work for me at all.

No, I had not. I need to organise several boxes in the same network topology as yours to reproduce your setup, but I currently do not have physical access to such boxes. I thought about a setup with several qemu instances though, but this is really tedious.

Perhaps I can hook up some free Ultra5 boxes at work to reproduce your setup, I will try it this month. I am currently working on the PS3 integration in Debian, so this probably will not happen this upcoming week. :)

> With regard to my throwaway comment of Feb 14 that, "I would imagine a
> patch will be pretty straightforward", are you planning to do this or
> should I have a stab at it?

If you can fix what happens in your setup which I believe is a right use case, I will gratefully accept your patch. I will test it to see if it does not break my simple daily-use setup, and then do an upload to fix this bug.

Cheers,
--
.''`.   Aurélien GÉRÔME
: :' :
`. `'`  Debian Maintainer
`-      Unix Sys Net Admin
Bug#446343: cutter: does not work at all
Hi,

Thanks for your detailed analysis. I will try to reproduce your exact setup this week-end.

Cheers,
--
.''`.   Aurélien GÉRÔME
: :' :
`. `'`  Debian Maintainer
`-      Unix Sys Net Admin
Bug#446343: cutter: does not work at all
Aurélien GÉRÔME wrote:
> Thanks to this bug, cutter got blindly removed from testing, and I
> still _cannot_ reproduce it. It would be nice to get some recipe to
> reproduce it, if we ever want it to be released with Lenny.

I've added some debug to the program, and it seems to me that it simply cannot work. Either that or I'm grossly misunderstanding what it does.

The attached patch applies my debug code to the debian cutter version 1.03-2. Apologies for the code quality; I haven't written any C for a good number of years, now, and it was thrown together in a hurry.

To reproduce the situation where it doesn't work for me, you need three systems: A (10.1.20.42 /16) and C (192.168.130.252 /21) are connected via B (10.1.1.106 /16 and 192.168.133.13 /21). There's no NAT involved.

On A, ssh to C. Log in to B and you'll see an entry in /proc/net/ip_conntrack matching the connection. I picked it out with this ugly line:

    sudo grep 'tcp.*ESTABLISHED' /proc/net/ip_conntrack | grep '10.1.20.42' | grep '192.168.*252' | grep 'port=22 '

Now run the patched version of cutter and you'll see something like this:

    Args: /tmp/cutter 192.168.130.252 22 10.1.20.42
    ...
    Got tcp/ESTABLISHED
     src=10.1.20.42
     dst=192.168.130.252
     sport=36707
     dport=22
     src=192.168.130.252
     dst=10.1.20.42
     sport=22
     dport=36707
    Matched IP and port
     localip(src1n=10.1.20.42)=0, localip(dst1n=192.168.130.252)=0, localip(src2n=192.168.130.252)=0, localip(dst2n=10.1.20.42)=0
    Got tcp/ESTABLISHED
    ...

Looking at the code around 540, there are a number of condition criteria that check for local/remote IP address (I guess that local means a local interface for the box on which cutter is running). If you have a connection from A to C, via B, then neither of the address pairs are going to be local, so neither of the two if() statements can succeed.

I haven't had time to dig further (maybe tomorrow), but I would imagine a patch will be pretty straightforward.
Regards, Chris --- cutter.c.2008-02-14 2008-02-14 11:24:45.0 + +++ cutter.c 2008-02-14 11:52:41.0 + @@ -494,7 +494,18 @@ continue; p = buff; - +puts(Got tcp/ESTABLISHED); +{ +char item[32]; char *i = buff; +if (get_str_field(i, src=, item, sizeof(item))) printf( src=%s\n, item); else puts( no src); +if (get_str_field(i, dst=, item, sizeof(item))) printf( dst=%s\n, item); else puts( no dst); +if (get_str_field(i, sport=, item, sizeof(item))) printf( sport=%s\n, item); else puts( no sport); +if (get_str_field(i, dport=, item, sizeof(item))) printf( dport=%s\n, item); else puts( no dport); +if (get_str_field(i, src=, item, sizeof(item))) printf( src=%s\n, item); else puts( no src); +if (get_str_field(i, dst=, item, sizeof(item))) printf( dst=%s\n, item); else puts( no dst); +if (get_str_field(i, sport=, item, sizeof(item))) printf( sport=%s\n, item); else puts( no sport); +if (get_str_field(i, dport=, item, sizeof(item))) printf( dport=%s\n, item); else puts( no dport); +} if ( !get_str_field(p, src=, src1, sizeof(src1)) || !get_str_field(p, dst=, dst1, sizeof(dst1)) || @@ -504,7 +515,7 @@ !get_str_field(p, dst=, dst2, sizeof(dst2)) || !get_int_field(p, sport=, sport2) || !get_int_field(p, dport=, dport2) - ) continue; + ) { puts(Not got all required fields; continuing); continue; } src1n = inet_addr(src1); src2n = inet_addr(src2); 
@@ -517,11 +528,13 @@ (match(ip1,port1,src1n,sport1) match(ip2,port2,dst1n,dport1)) || (match(ip1,port1,dst1n,dport1) match(ip2,port2,src1n,sport1)) ) { +puts(Matched IP and port); +printf ( localip(src1n=%s)=%d, localip(dst1n=%s)=%d, localip(src2n=%s)=%d, localip(dst2n=%s)=%d\n, src1, localip(src1n), dst1, localip(dst1n), src2, localip(src2n), dst2, localip(dst2n)); /* * local network to public network - forwarded connection */ - if (!localip(src1n) !localip(dst1n) !localip(src2n) localip(dst2n)) { +puts(Local network to public network - forwarded connection); found ++; printf(For connection %s:%d - %s:%d\n, src1, sport1, dst1, dport1); ok = send_rst(dst1,dport1,src1,sport1) ok; @@ -531,6 +544,7 @@ /* Inbound connection forwarded to private network device */ else if (!localip(src1n) localip(dst1n) !localip(src2n) !localip(dst2n)) { +puts(Inbound connection forwarded to private network device); found ++; printf(For connection %s:%d - %s:%d\n, dst2, dport2, src2, sport2); ok = send_rst(dst1,dport1,src1,sport1) ok; @@ -564,6 +578,7 @@ exit(EXIT_FAILURE); } +{ int i; printf(Args:); for (i=0; iargc; i++) { printf( %s, argv[i]); } putchar('\n'); } getifconfig(); if (scan_conntrack(ip1, port1, ip2, port2)) return EXIT_SUCCESS;
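Review bot: The debug block added in the @@ -494 hunk repeats the same get_str_field/printf/puts line eight times and writes to stdout for every ESTABLISHED entry. A loop over the four field names, run twice, that writes to stderr behind a debug switch would be shorter and would keep the tool's normal output unchanged.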
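Review bot: The puts calls added in the @@ -517 and following hunks label a branch only when it is taken, so nothing is printed when none of the conditions holds, which is exactly the case in the sample output of this message (all four localip values are 0 and the next line is already the following entry). Add a final else that reports that no rule matched, so the failing case shows up in the trace.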
Bug#446343: cutter: does not work at all
On Mon, Feb 11, 2008 at 10:10:18AM +0100, Aurélien GÉRÔME wrote:
> Thanks to this bug, cutter got blindly removed from testing, and I
> still _cannot_ reproduce it. It would be nice to get some recipe to
> reproduce it, if we ever want it to be released with Lenny.

^ cutter, I meant

--
.''`.   Aurélien GÉRÔME
: :' :
`. `'`  Debian Maintainer
`-      Unix Sys Net Admin
Bug#446343: cutter: does not work at all
Hi,

On Thu, Dec 06, 2007 at 09:26:43AM +, Chris Davies wrote:
> On Fri, Oct 12, 2007 at 11:13:44AM +0100, Chris Davies wrote:
> > Cutter does not work as described; it always reports "No matching
> > connections found". Here is a repeatable example [...]
>
> Aurélien GÉRÔME wrote:
> > I am not able to reproduce it. Does cutter still behave like this if
> > you try it now?
>
> I have just reconfirmed that it still does not work for me. (This is
> running it as root.). I have cutter package 1.03-2 installed from
> testing, and kernels 2.6.18 (custom build) and 2.6.22-3-686 (debian).
>
> I've checked cutter on a transit firewall and also on an end-point. It
> does not work for me in either situation ("No matching connections
> found").

Thanks to this bug, cutter got blindly removed from testing, and I still _cannot_ reproduce it. It would be nice to get some recipe to reproduce it, if we ever want it to be released with Lenny.

Cheers,
--
.''`.   Aurélien GÉRÔME
: :' :
`. `'`  Debian Maintainer
`-      Unix Sys Net Admin
Bug#446343: cutter: does not work at all
On Fri, Oct 12, 2007 at 11:13:44AM +0100, Chris Davies wrote:
> Cutter does not work as described; it always reports "No matching
> connections found". Here is a repeatable example [...]

Aurélien GÉRÔME wrote:
> I am not able to reproduce it. Does cutter still behave like this if
> you try it now?

I have just reconfirmed that it still does not work for me. (This is running it as root.). I have cutter package 1.03-2 installed from testing, and kernels 2.6.18 (custom build) and 2.6.22-3-686 (debian).

I've checked cutter on a transit firewall and also on an end-point. It does not work for me in either situation ("No matching connections found").

Regards, Chris
Bug#446343: cutter: does not work at all
Hi,

On Fri, Oct 12, 2007 at 11:13:44AM +0100, Chris Davies wrote:
> Cutter does not work as described; it always reports "No matching
> connections found". Here is a repeatable example:
>
>     netstat -an | grep 'ESTABLISHED'
>     tcp0 0 192.168.130.5:38101 10.1.30.129:22 ESTABLISHED
>     tcp0 0 192.168.130.5:38819 10.1.30.129:993ESTABLISHED
>
>     cutter 192.168.130.5 38101 10.1.30.129 22
>     No matching connections found
>     cutter 192.168.130.5 38101 10.1.30.129
>     No matching connections found
>     cutter 192.168.130.5 38101
>     No matching connections found
>     cutter 10.1.30.129 22 192.168.130.5 38101
>     No matching connections found
>     cutter 10.1.30.129 22 192.168.130.5
>     No matching connections found
>     cutter 10.1.30.129 22
>     No matching connections found

I am not able to reproduce it. Does cutter still behave like this if you try it now?

Cheers,
--
.''`.   Aurélien GÉRÔME
: :' :
`. `'`  Free Software Developer
`-      Unix Sys Net Admin
Bug#446343: cutter: does not work at all
On Sun, Dec 02, 2007 at 02:02:44PM +0100, Aurélien GÉRÔME wrote:
> I am not able to reproduce it. Does cutter still behave like this if
> you try it now?

Also, did you run it as root?

Cheers,
--
.''`.   Aurélien GÉRÔME
: :' :
`. `'`  Free Software Developer
`-      Unix Sys Net Admin
Bug#446343: cutter: does not work at all
Package: cutter
Version: 1.03-2
Severity: grave
Justification: renders package unusable

Cutter does not work as described; it always reports "No matching connections found". Here is a repeatable example:

    netstat -an | grep 'ESTABLISHED'
    tcp0 0 192.168.130.5:38101 10.1.30.129:22 ESTABLISHED
    tcp0 0 192.168.130.5:38819 10.1.30.129:993ESTABLISHED

    cutter 192.168.130.5 38101 10.1.30.129 22
    No matching connections found
    cutter 192.168.130.5 38101 10.1.30.129
    No matching connections found
    cutter 192.168.130.5 38101
    No matching connections found
    cutter 10.1.30.129 22 192.168.130.5 38101
    No matching connections found
    cutter 10.1.30.129 22 192.168.130.5
    No matching connections found
    cutter 10.1.30.129 22
    No matching connections found

Regards, Chris

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (900, 'stable'), (300, 'unstable'), (50, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages cutter depends on:
ii libc6 2.6.1-1+b1 GNU C Library: Shared libraries

cutter recommends no packages.

-- no debconf information