On 11/25/2015 12:42 PM, Slick Rick wrote:
> Hi,
> Long time shorewall user, but new to traffic shaping. My reason for
> using traffic control is in order to make VOIP calling work reliably.
> My VOIP devices mark the packets with TOS information and I'm using that
> as my basis in the tcclasses rules. For the most part this has solved
> my VOIP woes, but after a recent firewall upgrade I am getting some new
> syslog messages I have not seen before. Specifically:
>
> kernel: [1595740.759044] nf_ct_Q.931: dropping packet: cannot process
> Q.931 message IN= OUT= SRC=192.168.0.31 DST=192.168.6.96 LEN=190
> TOS=0x00 PREC=0x00 TTL=97 ID=46108 PROTO=TCP SPT=1720 DPT=4254
> SEQ=2035679657 ACK=2378695115 WINDOW=4369 RES=0x00 ACK FIN URGP=0
>
> I've been doing a lot of research but have yet to find much detail
> about this kernel message. Therefore, I was hoping someone on the list
> might steer me in right direction.
>
> More about my setup, I'm running Shorewall 4.5.21.6 on Ubuntu 14.04.3.
> Below are my tc configuration files:
> tcdevices:
> 1:eth0 - 6mbit # ISP
> 2:eth1 - 1000mbit # Internal
> tcclasses:
> eth0 1 120kbps 220kbps 1
> tos=0x88/0xfc,tos=0xb8/0xfc
> eth0 2 full/2 full 2
> default
>
> eth1 1 120kbps 220kbps 1
> tos=0x88/0xfc,tos=0xb8/0xfc
> eth1 2 full/4 full 2
> default
> tcrules:
> 1 $FW 0.0.0.0/0 udp 1194
> - - - - 0xb8
> 1 $FW 0.0.0.0/0 udp 1194
> - - - - 0x88
> 1 0.0.0.0/0 $FW udp 1194
> - - - - 0xb8
> 1 0.0.0.0/0 $FW udp 1194
> - - - - 0x88
>
>
> 1:F 0.0.0.0/0 0.0.0.0/0 all -
> - - - - 0xb8
> 1:F 0.0.0.0/0 0.0.0.0/0 all -
> - - - - 0x88
> I am using the "stock" conntrack file as well and all the relevant
> netfilter modules appear to be loaded. eg:
> nf_conntrack_sip 28672 2
> nf_conntrack_h323 77824 4
> nf_conntrack 106496 24
> nf_nat_ftp,xt_CT,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,nf_nat,xt_state,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,ipt_CLUSTERIP,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
> Any help or advice is much appreciated.

I'm doubtful that the message has anything to do with traffic shaping.
It is being issued out of the nf_ct_Q.931 module which is the Q.931
conntrack helper. Are there any other symptoms besides the kernel message?

I notice that the FIN flag is on in the packet, which indicates that the
TCP connection is being terminated when the message is generated.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
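
An added example, not part of the original thread: a small triage script that parses the quoted kernel log line, names the conntrack helper that emitted it, decodes the TCP flags, and checks the logged TOS byte against the `tos=value/mask` options from the posted tcclasses file. It assumes only the `tos=` options decide class membership (tcrules marks are ignored here); the function names are hypothetical.

```python
import re

# Kernel log line quoted in the thread, rejoined onto one line.
LOG_LINE = ("kernel: [1595740.759044] nf_ct_Q.931: dropping packet: cannot process "
            "Q.931 message IN= OUT= SRC=192.168.0.31 DST=192.168.6.96 LEN=190 "
            "TOS=0x00 PREC=0x00 TTL=97 ID=46108 PROTO=TCP SPT=1720 DPT=4254 "
            "SEQ=2035679657 ACK=2378695115 WINDOW=4369 RES=0x00 ACK FIN URGP=0")

# (value, mask) pairs from the class-1 entries of the posted tcclasses file.
VOIP_TOS_MATCHES = [(0x88, 0xFC), (0xB8, 0xFC)]
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
Q931_PORT = 1720  # TCP port used for H.225.0/Q.931 call signalling


def parse_nf_log(line):
    """Split a netfilter log line into KEY=VALUE fields and bare TCP flags."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    # Flags are logged as bare words after RES=, so ACK=<number> is not a flag.
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    flags = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return fields, flags


def tos_class(tos):
    """Return 1 if the TOS byte matches a class-1 value/mask, else 2 (default)."""
    return 1 if any((tos & mask) == value for value, mask in VOIP_TOS_MATCHES) else 2


def summarize(line):
    """Collect the facts relevant to deciding whether shaping is involved."""
    fields, flags = parse_nf_log(line)
    tos = int(fields["TOS"], 16)
    return {
        "helper": re.search(r"(nf_ct_\S+):", line).group(1),
        "tos": tos,
        "dscp": tos >> 2,  # upper six bits of the TOS byte
        "tc_class": tos_class(tos),
        "q931_port": Q931_PORT in (int(fields["SPT"]), int(fields["DPT"])),
        "fin": "FIN" in flags,
    }


if __name__ == "__main__":
    for key, value in summarize(LOG_LINE).items():
        print(f"{key}: {value}")
```

For the logged packet this reports the Q.931 helper, source port 1720, FIN set, and TOS 0x00, which falls into the default class rather than the VOIP class.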
