Bug 175526 - gShield blocking 53/udp (bind) traffic after 2.6.20 update
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
Importance: High major
Assignee: Gentoo Netmon project
Reported: 2007-04-22 06:19 UTC by Thomas Knox
Modified: 2007-09-05 20:23 UTC (History)
Description Thomas Knox 2007-04-22 06:19:11 UTC
I had a working gShield configuration running on my server until I upgraded the kernel to 2.6.20-gentoo-r6 yesterday. Now all DNS queries are timing out, and gShield is logging all attempts:

Apr 21 15:59:34 wonk gShield (default drop) IN=eth0 OUT= MAC=00:04:23:a7:66:92:00:14:f2:b7:8d:53:08:00 SRC=192.36.148.17 DST=69.65.110.186 LEN=234 TOS=0x00 PREC=0x00 TTL=251 ID=2253 DF PROTO=UDP SPT=53 DPT=52039 LEN=214

My /etc/resolv.conf file is

domain vushta.com
search vushta.com
nameserver 127.0.0.1

The relevant part of my gShield.conf file is:

# DNS servers
# List the DNS servers you use here
# If set to AUTO, gShield will read
# this variable from /etc/resolv.conf

DNS="AUTO"

I've tried AUTO and 127.0.0.1, neither makes a difference.

from /usr/src/linux/.config:

CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_ASK_IP_FIB_HASH is not set
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_PNP=y
# CONFIG_IP_PNP_DHCP is not set
# CONFIG_IP_PNP_BOOTP is not set
# CONFIG_IP_PNP_RARP is not set
CONFIG_NET_IPIP=y
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_XFRM_TUNNEL=y
CONFIG_INET_TUNNEL=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set

If I run /etc/init.d/gshield stop, then DNS/named runs perfectly and quickly, but as soon as I activate gshield, all DNS packets are dropped. In desperation, I changed /etc/resolv.conf to look like:

domain vushta.com
nameserver 4.2.2.2

That doesn't work either. gshield is dropping all DNS packets, where it did not before. All I changed was updating the kernel from 2.6.19-gentoo-r5 to 2.6.20-gentoo-r6.

Reproducible: Always

Steps to Reproduce:
1. Start gshield (/etc/init.d/gshield start)
2. Look up anything (host www.google.com)

Actual Results:
;; connection timed out; no servers could be reached

Expected Results:
Should get an IP
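The log line quoted in the report is a netfilter LOG entry for a UDP packet from source port 53 to a high destination port, i.e. the answer to a query the local named sent out, not an inbound query. The following is an added example, not code from the bug report or from gShield: it parses netfilter LOG lines of that format and tells dropped DNS replies apart from dropped inbound DNS queries, which is the first thing to check when a firewall ruleset stops resolution after a kernel change. The first sample line is the one from the report; the other two sample lines, the 1024 ephemeral-port threshold and the function names are constructed for this example.

```python
"""Classify netfilter LOG lines as dropped DNS replies or dropped DNS queries.

Added example for the gShield bug thread; not part of the report or of gShield.
The first sample line is the one posted in the report, the other two are
constructed (198.51.100.0/24 is a documentation range).
"""
import re

# key=value tokens of a netfilter LOG line; bare flags such as DF or SYN
# carry no '=' and are deliberately not captured.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Assumption for this example: ports >= 1024 are treated as client-side
# (ephemeral) ports, the ones a resolver picks for its outgoing queries.
EPHEMERAL_MIN = 1024

# Constructed sample log; line 1 mirrors the report, lines 2 and 3 are invented.
SAMPLE_LOG = """\
Apr 21 15:59:34 wonk gShield (default drop) IN=eth0 OUT= MAC=00:04:23:a7:66:92:00:14:f2:b7:8d:53:08:00 SRC=192.36.148.17 DST=69.65.110.186 LEN=234 TOS=0x00 PREC=0x00 TTL=251 ID=2253 DF PROTO=UDP SPT=53 DPT=52039 LEN=214
Apr 21 15:59:35 wonk gShield (default drop) IN=eth0 OUT= MAC=00:04:23:a7:66:92:00:14:f2:b7:8d:53:08:00 SRC=198.51.100.9 DST=69.65.110.186 LEN=73 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=UDP SPT=40112 DPT=53 LEN=53
Apr 21 15:59:36 wonk gShield (default drop) IN=eth0 OUT= MAC=00:04:23:a7:66:92:00:14:f2:b7:8d:53:08:00 SRC=198.51.100.9 DST=69.65.110.186 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=44000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_netfilter_log(line: str) -> dict:
    """Return the key=value fields of a netfilter LOG line as a dict.

    LEN appears twice (IP total length, then UDP length); the second copy
    is stored as UDP_LEN so neither value is overwritten.
    """
    fields = {}
    for key, value in _KV.findall(line):
        if key in fields:
            fields["UDP_LEN" if key == "LEN" else key + "_2"] = value
        else:
            fields[key] = value
    return fields


def classify_dns(fields: dict) -> str:
    """Label a logged UDP packet by its role in a DNS exchange.

    'reply': source port 53 to an ephemeral port, the answer to a query this
             host sent; dropping these is what the report describes.
    'query': destination port 53, an inbound question for the local named.
    'other': not DNS over UDP.
    """
    if fields.get("PROTO") != "UDP":
        return "other"
    spt = int(fields.get("SPT", 0))
    dpt = int(fields.get("DPT", 0))
    if spt == 53 and dpt >= EPHEMERAL_MIN:
        return "reply"
    if dpt == 53:
        return "query"
    return "other"


def summarize_drops(log_text: str) -> dict:
    """Count 'default drop' entries per DNS role and list the servers
    whose replies never reached the resolver."""
    summary = {"reply": 0, "query": 0, "other": 0, "reply_sources": []}
    for line in log_text.splitlines():
        if "(default drop)" not in line:
            continue
        fields = parse_netfilter_log(line)
        role = classify_dns(fields)
        summary[role] += 1
        if role == "reply" and fields["SRC"] not in summary["reply_sources"]:
            summary["reply_sources"].append(fields["SRC"])
    return summary


if __name__ == "__main__":
    result = summarize_drops(SAMPLE_LOG)
    print(result)
    if result["reply"]:
        # Replies to the host's own queries are being dropped: the ruleset
        # lets the query out but does not accept the return traffic, so the
        # rule or kernel support that is supposed to match it needs checking.
        print("dropped DNS replies from:", ", ".join(result["reply_sources"]))
```

Running the block against the sample log prints one dropped reply (from 192.36.148.17), one dropped inbound query and one unrelated TCP drop. On a live system, feed it the output of `grep 'gShield' /var/log/messages` (path and logger name are the ones in the report; adjust for the local syslog setup) and a count of replies with no queries points at the return path of the host's own resolver traffic rather than at named itself.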
Comment 1 Markus Ullmann (RETIRED) gentoo-dev 2007-04-22 08:39:34 UTC
Obvious question, when you go back to 2.6.19, are the issues solved?
Comment 2 Thomas Knox 2007-04-22 16:00:43 UTC
tdknox@wonk ~ $ uname -a
Linux wonk 2.6.19-gentoo-r5 #6 SMP Sat Mar 3 17:14:12 EST 2007 i686 Intel(R) Pentium(R) 4 CPU 3.06GHz GenuineIntel GNU/Linux
tdknox@wonk ~ $ date
Sun Apr 22 11:55:45 EDT 2007
tdknox@wonk ~ $ host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 64.233.161.99
www.l.google.com has address 64.233.161.104
www.l.google.com has address 64.233.161.147

tdknox@wonk ~ $ uname -a
Linux wonk 2.6.20-gentoo-r6 #1 SMP Fri Apr 20 17:01:16 EDT 2007 i686 Intel(R) Pentium(R) 4 CPU 3.06GHz GenuineIntel GNU/Linux
tdknox@wonk ~ $ date
Sun Apr 22 12:00:00 EDT 2007
tdknox@wonk ~ $ host www.google.com
;; connection timed out; no servers could be reached
Comment 3 Markus Ullmann (RETIRED) gentoo-dev 2007-06-09 23:14:56 UTC
Today I got a report that this also happens on some other box, even without gshield, so it seems more like a kernel bug...
Comment 4 Daniel Drake (RETIRED) gentoo-dev 2007-06-10 00:54:00 UTC
The bug reported here is clearly related to gshield. If you're having DNS troubles on another system without gshield, you should file a new bug, as the chances of it being related to this one are extremely low.