Bug 115846

Summary: nmap does not work properly because of a kernel "bug" that break libpcap
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Dennis Lubert <plasmahh>
Component: ConsoleAppsAssignee: Hubert Mantel <mantel>
Status: VERIFIED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Critical    
Priority: P5 - None CC: aj
Version: Beta 4   
Target Milestone: ---   
Hardware: i686   
OS: All   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Patch from 2.6.13.1

Description Dennis Lubert 2005-09-08 12:29:29 UTC 
All systems I try to scan via nmap end up with :
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

but specifying -P0 (which disables the different pings to see if host is up)
does not work too. nmap does not seem to see the incoming packages. tcpdum shows
that packets go out, and that responses come in on this interface. I have
downloaded and compiled the recently released 3.90 version, no change here. I
think its not a problem directly related to nmap, but to something else, maybe
kernel 2.6.13 is the reason ?
Comment 1 Dennis Lubert 2005-09-08 12:38:24 UTC 
additiona:

I had an older kernel 2.6.12.1 available, booted it up and nmap worked. does not
work with 2.6.13 though
Comment 2 Hendrik Vogelsang 2005-09-08 14:38:06 UTC 
i cant reproduce that in any way. please provide the output of

nmap -d <host to scan>
Comment 3 Dennis Lubert 2005-09-08 20:09:30 UTC 
Unfortunately Im currently not able to do that, since I now have another kind 
of internet connection, and there it works fine. Its now an ethernet connection 
thats routed through local network into the internet. Previously it was a pppoe 
device (called dsl2) that produced problems. I have talked to a debian user, 
and he experiences currently the same problems with his ipsec ppp0 device, but 
*only* when running kernel 2.6.13. So I think its a kernel problem, but since I 
currently dont have access to a DSL system for the next two weeks I cannot test 
it anymore. Btw. I use the vanilla 2.6.13 kernel, maybe its fixed in the suse 
kernel patches ? anyways, I cannot run the suse kernel on my laptop, acpi 
problems...
Comment 4 Karsten Keil 2005-09-08 23:07:18 UTC 
Can reproduce here with a ISDN sync ppp dialup connection on RC1. 
A connection via local LAN does not show the bug. 
Also only user root is affected, as normal user it work. 
I also tested Beta1, here nmap segfaults as root, but work also as user.
Comment 5 Dennis Lubert 2005-09-09 00:35:44 UTC 
Yes, same on RC1 here too (just upgraded).
As a normal user nmap does not use raw sockets, while as root it uses them. btw
there is now nmap 3.90 with lots of new features and updated fingerprints etc.,
I think it should make it into the final 10.0
I really think its a kernel & raw sockets thing, since it works fine on 2.6.12.x
here and at lots of other systems as well.
Can you verify with tcpdump too that packets go out and come in on the ppp
interface ? maybe a strace shows if nmap gets something or not...
Comment 6 Dennis Lubert 2005-09-09 08:44:54 UTC 
I have had access to a system connected via ppp (over pptp) and did an strace. 
nmap first sets a kernel filter via setsockopt SO_ATTACH_FILTER, then does a
sendto of the packets, and then waits on the sockeet via select... this times
out, though the data arrives at the host. When the user is non-root, there is no
such option set, I dont know what when its an ethernet device.
Maybe the interpretation of the LSF code has changed in 2.6.13 so that it now
filters away those packets errenously ?
Comment 7 Dennis Lubert 2005-09-11 12:22:34 UTC 
*update*
I just saw in the 2.6.13.1 release this commit:

ommit a49567a4dbfd414f19e5bf828a4b2c540f164ea8
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Mon Sep 5 18:47:10 2005 -0700

    [PATCH] 2.6.13 breaks libpcap (and tcpdump)
    
    [NET]: 2.6.13 breaks libpcap (and tcpdump)
    
    Patrick McHardy says:
    
      Never mind, I got it, we never fall through to the second switch
      statement anymore. I think we could simply break when load_pointer
      returns NULL. The switch statement will fall through to the default
      case and return 0 for all cases but 0 > k >= SKF_AD_OFF.
    
and I think maybe this nmap bug is just an incarnation of the kernel bug. I
cannot actually test it here due to lack of a ppp connection (Im directly
connected via ethernet for the next days).
Comment 8 Hendrik Vogelsang 2005-09-12 08:51:37 UTC 
gah

Karsten any idea?

Hubert JFYI.
Comment 9 Olaf Kirch 2005-09-12 09:34:50 UTC 
Created attachment 49578 [details]
Patch from 2.6.13.1

Please test this patch. I propose to include this
in 10.0.
Comment 10 Olaf Kirch 2005-09-12 09:35:55 UTC 
Increasing severity because broken pcap probably means broken tcpdump 
as well.
Comment 11 Hendrik Vogelsang 2005-09-12 09:53:35 UTC 
hubert, yours then
Comment 12 Olaf Kirch 2005-09-12 10:18:39 UTC 
I added this patch to CVS HEAD. Please test the next KOTD.
Comment 13 Dennis Lubert 2005-09-12 13:06:47 UTC 
I have asked a friend of mine which encountered this problem with freshly
updated 2.6.13 too to upgrade to 2.6.13.1 and this fixed the problem for him, so
I would suspect this patch to work for this problem
Comment 14 Karsten Keil 2005-09-14 15:45:41 UTC 
Unfortunatly I can still reproduce it with RC2 for a dialup connection. 
It's working as user, but not as root.
Comment 15 Karsten Keil 2005-09-14 15:56:09 UTC 
seems the fix did not made it on RC2, will retest with RC3 kernel soon.
Comment 16 Karsten Keil 2005-09-14 16:32:48 UTC 
RC3 kernel fixed the problem, Sorry for the noise.