Task #36095

Scenario #36091: Eole2.9: upgrade Squid 5.7 -> 5.9?

Study

Added by Laurent Gourvenec more than a year ago. Updated more than a year ago.

Status: Closed
Priority: Normal
Assigned to:
Start: 01/10/2022
Due date:
% done: 100%
Remaining (hours): 0.0

bisect - pinning of packages in the "fresh install" versions (20.6 KB) Benjamin Bohard, 23/07/2024 10:55

History

#1 Updated by Benjamin Bohard more than a year ago

In addition to the package updates between the time the test was passing and the time the test was failing, we noticed that the firewall seems to behave differently (move from iptables-legacy in 2.8.1 to nftables in 2.9.0). A priori this does not fit with the recent change in the test result, but it might be worth clearing up anyway.

A packet sent during the wget from a Linux client was traced on both EOLE versions of the Amon module (same iptables rule set, notably in PREROUTING): iptables -t raw -I PREROUTING -p tcp --destination 10.1.3.5 --dport 80 -j TRACE

In 2.8.1, viewable in the kernel log (journalctl -kf)

juil. 16 16:15:14 amon kernel: TRACE: raw:PREROUTING:policy:5 IN=ens6 OUT= MAC=02:00:0a:01:02:64:02:00:0a:01:02:68:08:00 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=34120 DF PROTO=TCP SPT=40058 DPT=80 SEQ=920280382 ACK=2692754959 WINDOW=249 RES=0x00 ACK URGP=0 
juil. 16 16:15:14 amon kernel: TRACE: mangle:PREROUTING:policy:1 IN=ens6 OUT= MAC=02:00:0a:01:02:64:02:00:0a:01:02:68:08:00 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=34120 DF PROTO=TCP SPT=40058 DPT=80 SEQ=920280382 ACK=2692754959 WINDOW=249 RES=0x00 ACK URGP=0 
juil. 16 16:15:14 amon kernel: TRACE: mangle:FORWARD:rule:1 IN=ens6 OUT=ens7 MAC=02:00:0a:01:02:64:02:00:0a:01:02:68:08:00 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=34120 DF PROTO=TCP SPT=40058 DPT=80 SEQ=920280382 ACK=2692754959 WINDOW=249 RES=0x00 ACK URGP=0 
juil. 16 16:15:14 amon kernel: TRACE: mangle:marquage:return:1 IN=ens6 OUT=ens7 MAC=02:00:0a:01:02:64:02:00:0a:01:02:68:08:00 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=34120 DF PROTO=TCP SPT=40058 DPT=80 SEQ=920280382 ACK=2692754959 WINDOW=249 RES=0x00 ACK URGP=0 
juil. 16 16:15:14 amon kernel: TRACE: mangle:FORWARD:policy:2 IN=ens6 OUT=ens7 MAC=02:00:0a:01:02:64:02:00:0a:01:02:68:08:00 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=34120 DF PROTO=TCP SPT=40058 DPT=80 SEQ=920280382 ACK=2692754959 WINDOW=249 RES=0x00 ACK URGP=0 
juil. 16 16:15:14 amon kernel: TRACE: filter:FORWARD:rule:15 IN=ens6 OUT=ens7 MAC=02:00:0a:01:02:64:02:00:0a:01:02:68:08:00 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=34120 DF PROTO=TCP SPT=40058 DPT=80 SEQ=920280382 ACK=2692754959 WINDOW=249 RES=0x00 ACK URGP=0 
juil. 16 16:15:14 amon kernel: TRACE: filter:ped-dmz:rule:1 IN=ens6 OUT=ens7 MAC=02:00:0a:01:02:64:02:00:0a:01:02:68:08:00 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=34120 DF PROTO=TCP SPT=40058 DPT=80 SEQ=920280382 ACK=2692754959 WINDOW=249 RES=0x00 ACK URGP=0 
juil. 16 16:15:14 amon kernel: TRACE: mangle:POSTROUTING:policy:1 IN= OUT=ens7 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=34120 DF PROTO=TCP SPT=40058 DPT=80 SEQ=920280382 ACK=2692754959 WINDOW=249 RES=0x00 ACK URGP=0

In 2.9.0, viewable with xtables-monitor --trace

PACKET: 2 bb486d25 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.3.5 LEN=60 TOS=0x0 TTL=64 ID=3322DF SPORT=58722 DPORT=80 SYN 
 TRACE: 2 bb486d25 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 bb486d25 raw:PREROUTING:return:
 TRACE: 2 bb486d25 raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 bb486d25 mangle:PREROUTING:return:
 TRACE: 2 bb486d25 mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 bb486d25 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.3.5 LEN=60 TOS=0x0 TTL=64 ID=3322DF SPORT=58722 DPORT=80 SYN 
 TRACE: 2 bb486d25 nat:PREROUTING:rule:0x19:ACCEPT  -4 -t nat -A PREROUTING ! -d 192.168.0.31/32 -i enp4s0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux http sans proxy" -j REDIRECT --to-ports 81
PACKET: 2 bb486d25 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=60 TOS=0x0 TTL=64 ID=3322DF SPORT=58722 DPORT=81 SYN 
 TRACE: 2 bb486d25 mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 bb486d25 mangle:marquage:return:
 TRACE: 2 bb486d25 mangle:INPUT:return:
 TRACE: 2 bb486d25 mangle:INPUT:policy:ACCEPT 
PACKET: 2 bb486d25 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=60 TOS=0x0 TTL=64 ID=3322DF SPORT=58722 DPORT=81 SYN 
 TRACE: 2 bb486d25 filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 bb486d25 filter:ped-bas:rule:0xc2:ACCEPT  -4 -t filter -A ped-bas -i enp4s0 -p tcp -m tcp --dport 81 -m comment --comment "era: Redirection des flux http sans proxy" -j ACCEPT
 TRACE: 2 bb486d25 nat:INPUT:return:
 TRACE: 2 bb486d25 nat:INPUT:policy:ACCEPT 
PACKET: 2 90c03f33 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=3323DF SPORT=58722 DPORT=80 ACK 
 TRACE: 2 90c03f33 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 90c03f33 raw:PREROUTING:return:
 TRACE: 2 90c03f33 raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 90c03f33 mangle:PREROUTING:return:
 TRACE: 2 90c03f33 mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 90c03f33 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=3323DF SPORT=58722 DPORT=81 ACK 
 TRACE: 2 90c03f33 mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 90c03f33 mangle:marquage:return:
 TRACE: 2 90c03f33 mangle:INPUT:return:
 TRACE: 2 90c03f33 mangle:INPUT:policy:ACCEPT 
PACKET: 2 90c03f33 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=3323DF SPORT=58722 DPORT=81 ACK 
 TRACE: 2 90c03f33 filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 90c03f33 filter:ped-bas:rule:0xbf:ACCEPT  -4 -t filter -A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
PACKET: 2 d666ee9b IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.3.5 LEN=184 TOS=0x0 TTL=64 ID=3324DF SPORT=58722 DPORT=80 ACK PSH 
 TRACE: 2 d666ee9b raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 d666ee9b raw:PREROUTING:return:
 TRACE: 2 d666ee9b raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 d666ee9b mangle:PREROUTING:return:
 TRACE: 2 d666ee9b mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 d666ee9b IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=184 TOS=0x0 TTL=64 ID=3324DF SPORT=58722 DPORT=81 ACK PSH 
 TRACE: 2 d666ee9b mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 d666ee9b mangle:marquage:return:
 TRACE: 2 d666ee9b mangle:INPUT:return:
 TRACE: 2 d666ee9b mangle:INPUT:policy:ACCEPT 
PACKET: 2 d666ee9b IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=184 TOS=0x0 TTL=64 ID=3324DF SPORT=58722 DPORT=81 ACK PSH 
 TRACE: 2 d666ee9b filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 d666ee9b filter:ped-bas:rule:0xbf:ACCEPT  -4 -t filter -A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
PACKET: 2 c2953bff IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=3325DF SPORT=58722 DPORT=80 ACK 
 TRACE: 2 c2953bff raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 c2953bff raw:PREROUTING:return:
 TRACE: 2 c2953bff raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 c2953bff mangle:PREROUTING:return:
 TRACE: 2 c2953bff mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 c2953bff IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=3325DF SPORT=58722 DPORT=81 ACK 
 TRACE: 2 c2953bff mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 c2953bff mangle:marquage:return:
 TRACE: 2 c2953bff mangle:INPUT:return:
 TRACE: 2 c2953bff mangle:INPUT:policy:ACCEPT 
PACKET: 2 c2953bff IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=3325DF SPORT=58722 DPORT=81 ACK 
 TRACE: 2 c2953bff filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 c2953bff filter:ped-bas:rule:0xbf:ACCEPT  -4 -t filter -A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
PACKET: 2 c991b127 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=3326DF SPORT=58722 DPORT=80 ACK FIN 
 TRACE: 2 c991b127 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 c991b127 raw:PREROUTING:return:
 TRACE: 2 c991b127 raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 c991b127 mangle:PREROUTING:return:
 TRACE: 2 c991b127 mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 c991b127 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=3326DF SPORT=58722 DPORT=81 ACK FIN 
 TRACE: 2 c991b127 mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 c991b127 mangle:marquage:return:
 TRACE: 2 c991b127 mangle:INPUT:return:
 TRACE: 2 c991b127 mangle:INPUT:policy:ACCEPT 
PACKET: 2 c991b127 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=3326DF SPORT=58722 DPORT=81 ACK FIN 
 TRACE: 2 c991b127 filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 c991b127 filter:ped-bas:rule:0xbf:ACCEPT  -4 -t filter -A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
PACKET: 2 6243ed17 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=3327DF SPORT=58722 DPORT=80 ACK 
 TRACE: 2 6243ed17 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 6243ed17 raw:PREROUTING:return:
 TRACE: 2 6243ed17 raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 6243ed17 mangle:PREROUTING:return:
 TRACE: 2 6243ed17 mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 6243ed17 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=3327DF SPORT=58722 DPORT=81 ACK 
 TRACE: 2 6243ed17 mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 6243ed17 mangle:marquage:return:
 TRACE: 2 6243ed17 mangle:INPUT:return:
 TRACE: 2 6243ed17 mangle:INPUT:policy:ACCEPT 
PACKET: 2 6243ed17 IN=enp4s0 MACSRC=2:0:a:1:2:68 MACDST=2:0:a:1:2:67 MACPROTO=0800 SRC=10.1.2.51 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=3327DF SPORT=58722 DPORT=81 ACK 
 TRACE: 2 6243ed17 filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 6243ed17 filter:ped-bas:rule:0xbf:ACCEPT  -4 -t filter -A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT

#2 Updated by Benjamin Bohard more than a year ago

The various attempts to pin down the update responsible for the change in behaviour lead us to consider the move of the creole packages from version 2.9.0-51 to 2.9.0-54.

Starting from the non-instantiated, non-updated VM, there are 285 packages to update.
The minimal list of updates that reproduces the problem is limited to the EOLE packages.
The squid and iptables packages appear not to be at fault.

The candidate update of all packages, except the creole packages updated in stable, results in a server that works as far as the installMinion.sh script download problem is concerned.

ssh pcadmin@10.1.2.50 "wget http://salt/joineole/installMinion.sh && rm installMinion.sh" 

Moving to creole 2.9.0-54 reproduces the problem, whereas going back to version 2.9.0-51 makes it work again.

Updating creole alone is not possible, but updating the EOLE packages to candidate without updating all the other packages (including squid and iptables) is enough to reproduce the problem.

#3 Updated by Benjamin Bohard more than a year ago

#4 Updated by Benjamin Bohard more than a year ago

Working when the switch to the minimal version of the resolv.conf template is removed (l.1054-5 of creole/reconfigure.py commented out)

PACKET: 2 3ea96869 IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=60 TOS=0x0 TTL=64 ID=41931DF SPORT=46802 DPORT=80 SYN 
 TRACE: 2 3ea96869 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 3ea96869 raw:PREROUTING:return:
 TRACE: 2 3ea96869 raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 3ea96869 mangle:PREROUTING:return:
 TRACE: 2 3ea96869 mangle:PREROUTING:policy:ACCEPT 
 TRACE: 2 3ea96869 nat:PREROUTING:return:
 TRACE: 2 3ea96869 nat:PREROUTING:policy:ACCEPT 
PACKET: 2 3ea96869 IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=60 TOS=0x0 TTL=63 ID=41931DF SPORT=46802 DPORT=80 SYN 
 TRACE: 2 3ea96869 mangle:FORWARD:rule:0x8:JUMP:marquage  -4 -t mangle -A FORWARD -j marquage
 TRACE: 2 3ea96869 mangle:marquage:return:
 TRACE: 2 3ea96869 mangle:FORWARD:return:
 TRACE: 2 3ea96869 mangle:FORWARD:policy:ACCEPT 
PACKET: 2 3ea96869 IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=60 TOS=0x0 TTL=63 ID=41931DF SPORT=46802 DPORT=80 SYN 
 TRACE: 2 3ea96869 filter:FORWARD:rule:0x33:JUMP:ped-dmz  -4 -t filter -A FORWARD -i enp4s0 -o enp5s0 -j ped-dmz
 TRACE: 2 3ea96869 filter:ped-dmz:rule:0xd0:ACCEPT  -4 -t filter -A ped-dmz -i enp4s0 -o enp5s0 -j ACCEPT
 TRACE: 2 3ea96869 mangle:POSTROUTING:return:
 TRACE: 2 3ea96869 mangle:POSTROUTING:policy:ACCEPT 
 TRACE: 2 3ea96869 nat:POSTROUTING:return:
 TRACE: 2 3ea96869 nat:POSTROUTING:policy:ACCEPT 
PACKET: 2 c5bc17c3 IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=41932DF SPORT=46802 DPORT=80 ACK 
 TRACE: 2 c5bc17c3 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 c5bc17c3 raw:PREROUTING:return:
 TRACE: 2 c5bc17c3 raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 c5bc17c3 mangle:PREROUTING:return:
 TRACE: 2 c5bc17c3 mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 c5bc17c3 IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=63 ID=41932DF SPORT=46802 DPORT=80 ACK 
 TRACE: 2 c5bc17c3 mangle:FORWARD:rule:0x8:JUMP:marquage  -4 -t mangle -A FORWARD -j marquage
 TRACE: 2 c5bc17c3 mangle:marquage:return:
 TRACE: 2 c5bc17c3 mangle:FORWARD:return:
 TRACE: 2 c5bc17c3 mangle:FORWARD:policy:ACCEPT 
PACKET: 2 c5bc17c3 IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=63 ID=41932DF SPORT=46802 DPORT=80 ACK 
 TRACE: 2 c5bc17c3 filter:FORWARD:rule:0x33:JUMP:ped-dmz  -4 -t filter -A FORWARD -i enp4s0 -o enp5s0 -j ped-dmz
 TRACE: 2 c5bc17c3 filter:ped-dmz:rule:0xcf:ACCEPT  -4 -t filter -A ped-dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
 TRACE: 2 c5bc17c3 mangle:POSTROUTING:return:
 TRACE: 2 c5bc17c3 mangle:POSTROUTING:policy:ACCEPT 
PACKET: 2 dad7004d IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=184 TOS=0x0 TTL=64 ID=41933DF SPORT=46802 DPORT=80 ACK PSH 
 TRACE: 2 dad7004d raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 dad7004d raw:PREROUTING:return:
 TRACE: 2 dad7004d raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 dad7004d mangle:PREROUTING:return:
 TRACE: 2 dad7004d mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 dad7004d IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=184 TOS=0x0 TTL=63 ID=41933DF SPORT=46802 DPORT=80 ACK PSH 
 TRACE: 2 dad7004d mangle:FORWARD:rule:0x8:JUMP:marquage  -4 -t mangle -A FORWARD -j marquage
 TRACE: 2 dad7004d mangle:marquage:return:
 TRACE: 2 dad7004d mangle:FORWARD:return:
 TRACE: 2 dad7004d mangle:FORWARD:policy:ACCEPT 
PACKET: 2 dad7004d IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=184 TOS=0x0 TTL=63 ID=41933DF SPORT=46802 DPORT=80 ACK PSH 
 TRACE: 2 dad7004d filter:FORWARD:rule:0x33:JUMP:ped-dmz  -4 -t filter -A FORWARD -i enp4s0 -o enp5s0 -j ped-dmz
 TRACE: 2 dad7004d filter:ped-dmz:rule:0xcf:ACCEPT  -4 -t filter -A ped-dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
 TRACE: 2 dad7004d mangle:POSTROUTING:return:
 TRACE: 2 dad7004d mangle:POSTROUTING:policy:ACCEPT 
PACKET: 2 5f061e22 IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=41934DF SPORT=46802 DPORT=80 ACK 
 TRACE: 2 5f061e22 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 5f061e22 raw:PREROUTING:return:
 TRACE: 2 5f061e22 raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 5f061e22 mangle:PREROUTING:return:
 TRACE: 2 5f061e22 mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 5f061e22 IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=63 ID=41934DF SPORT=46802 DPORT=80 ACK 
 TRACE: 2 5f061e22 mangle:FORWARD:rule:0x8:JUMP:marquage  -4 -t mangle -A FORWARD -j marquage
 TRACE: 2 5f061e22 mangle:marquage:return:
 TRACE: 2 5f061e22 mangle:FORWARD:return:
 TRACE: 2 5f061e22 mangle:FORWARD:policy:ACCEPT 
PACKET: 2 5f061e22 IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=63 ID=41934DF SPORT=46802 DPORT=80 ACK 
 TRACE: 2 5f061e22 filter:FORWARD:rule:0x33:JUMP:ped-dmz  -4 -t filter -A FORWARD -i enp4s0 -o enp5s0 -j ped-dmz
 TRACE: 2 5f061e22 filter:ped-dmz:rule:0xcf:ACCEPT  -4 -t filter -A ped-dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
 TRACE: 2 5f061e22 mangle:POSTROUTING:return:
 TRACE: 2 5f061e22 mangle:POSTROUTING:policy:ACCEPT 
PACKET: 2 83bf8d65 IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=41935DF SPORT=46802 DPORT=80 ACK FIN 
 TRACE: 2 83bf8d65 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 83bf8d65 raw:PREROUTING:return:
 TRACE: 2 83bf8d65 raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 83bf8d65 mangle:PREROUTING:return:
 TRACE: 2 83bf8d65 mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 83bf8d65 IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=63 ID=41935DF SPORT=46802 DPORT=80 ACK FIN 
 TRACE: 2 83bf8d65 mangle:FORWARD:rule:0x8:JUMP:marquage  -4 -t mangle -A FORWARD -j marquage
 TRACE: 2 83bf8d65 mangle:marquage:return:
 TRACE: 2 83bf8d65 mangle:FORWARD:return:
 TRACE: 2 83bf8d65 mangle:FORWARD:policy:ACCEPT 
PACKET: 2 83bf8d65 IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=63 ID=41935DF SPORT=46802 DPORT=80 ACK FIN 
 TRACE: 2 83bf8d65 filter:FORWARD:rule:0x33:JUMP:ped-dmz  -4 -t filter -A FORWARD -i enp4s0 -o enp5s0 -j ped-dmz
 TRACE: 2 83bf8d65 filter:ped-dmz:rule:0xcf:ACCEPT  -4 -t filter -A ped-dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
 TRACE: 2 83bf8d65 mangle:POSTROUTING:return:
 TRACE: 2 83bf8d65 mangle:POSTROUTING:policy:ACCEPT 
PACKET: 2 71b99a1c IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=41936DF SPORT=46802 DPORT=80 ACK 
 TRACE: 2 71b99a1c raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 71b99a1c raw:PREROUTING:return:
 TRACE: 2 71b99a1c raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 71b99a1c mangle:PREROUTING:return:
 TRACE: 2 71b99a1c mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 71b99a1c IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=63 ID=41936DF SPORT=46802 DPORT=80 ACK 
 TRACE: 2 71b99a1c mangle:FORWARD:rule:0x8:JUMP:marquage  -4 -t mangle -A FORWARD -j marquage
 TRACE: 2 71b99a1c mangle:marquage:return:
 TRACE: 2 71b99a1c mangle:FORWARD:return:
 TRACE: 2 71b99a1c mangle:FORWARD:policy:ACCEPT 
PACKET: 2 71b99a1c IN=enp4s0 OUT=enp5s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=63 ID=41936DF SPORT=46802 DPORT=80 ACK 
 TRACE: 2 71b99a1c filter:FORWARD:rule:0x33:JUMP:ped-dmz  -4 -t filter -A FORWARD -i enp4s0 -o enp5s0 -j ped-dmz
 TRACE: 2 71b99a1c filter:ped-dmz:rule:0xcf:ACCEPT  -4 -t filter -A ped-dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
 TRACE: 2 71b99a1c mangle:POSTROUTING:return:
 TRACE: 2 71b99a1c mangle:POSTROUTING:policy:ACCEPT

Not working when the switch to the minimal version of resolv.conf is left in place

PACKET: 2 fc8a3eff IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=60 TOS=0x0 TTL=64 ID=25721DF SPORT=59598 DPORT=80 SYN 
 TRACE: 2 fc8a3eff raw:PREROUTING:rule:0x3:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 fc8a3eff raw:PREROUTING:return:
 TRACE: 2 fc8a3eff raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 fc8a3eff mangle:PREROUTING:return:
 TRACE: 2 fc8a3eff mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 fc8a3eff IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=60 TOS=0x0 TTL=64 ID=25721DF SPORT=59598 DPORT=80 SYN 
 TRACE: 2 fc8a3eff nat:PREROUTING:rule:0x19:ACCEPT  -4 -t nat -A PREROUTING ! -d 192.168.0.31/32 -i enp4s0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux http sans proxy" -j REDIRECT --to-ports 81
PACKET: 2 fc8a3eff IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=60 TOS=0x0 TTL=64 ID=25721DF SPORT=59598 DPORT=81 SYN 
 TRACE: 2 fc8a3eff mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 fc8a3eff mangle:marquage:return:
 TRACE: 2 fc8a3eff mangle:INPUT:return:
 TRACE: 2 fc8a3eff mangle:INPUT:policy:ACCEPT 
PACKET: 2 fc8a3eff IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=60 TOS=0x0 TTL=64 ID=25721DF SPORT=59598 DPORT=81 SYN 
 TRACE: 2 fc8a3eff filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 fc8a3eff filter:ped-bas:rule:0xc2:ACCEPT  -4 -t filter -A ped-bas -i enp4s0 -p tcp -m tcp --dport 81 -m comment --comment "era: Redirection des flux http sans proxy" -j ACCEPT
 TRACE: 2 fc8a3eff nat:INPUT:return:
 TRACE: 2 fc8a3eff nat:INPUT:policy:ACCEPT 
PACKET: 2 3b12d958 IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=25722DF SPORT=59598 DPORT=80 ACK 
 TRACE: 2 3b12d958 raw:PREROUTING:rule:0x3:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 3b12d958 raw:PREROUTING:return:
 TRACE: 2 3b12d958 raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 3b12d958 mangle:PREROUTING:return:
 TRACE: 2 3b12d958 mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 3b12d958 IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=25722DF SPORT=59598 DPORT=81 ACK 
 TRACE: 2 3b12d958 mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 3b12d958 mangle:marquage:return:
 TRACE: 2 3b12d958 mangle:INPUT:return:
 TRACE: 2 3b12d958 mangle:INPUT:policy:ACCEPT 
PACKET: 2 3b12d958 IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=25722DF SPORT=59598 DPORT=81 ACK 
 TRACE: 2 3b12d958 filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 3b12d958 filter:ped-bas:rule:0xbf:ACCEPT  -4 -t filter -A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
PACKET: 2 1ae792cd IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=184 TOS=0x0 TTL=64 ID=25723DF SPORT=59598 DPORT=80 ACK PSH 
 TRACE: 2 1ae792cd raw:PREROUTING:rule:0x3:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 1ae792cd raw:PREROUTING:return:
 TRACE: 2 1ae792cd raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 1ae792cd mangle:PREROUTING:return:
 TRACE: 2 1ae792cd mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 1ae792cd IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=184 TOS=0x0 TTL=64 ID=25723DF SPORT=59598 DPORT=81 ACK PSH 
 TRACE: 2 1ae792cd mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 1ae792cd mangle:marquage:return:
 TRACE: 2 1ae792cd mangle:INPUT:return:
 TRACE: 2 1ae792cd mangle:INPUT:policy:ACCEPT 
PACKET: 2 1ae792cd IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=184 TOS=0x0 TTL=64 ID=25723DF SPORT=59598 DPORT=81 ACK PSH 
 TRACE: 2 1ae792cd filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 1ae792cd filter:ped-bas:rule:0xbf:ACCEPT  -4 -t filter -A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
PACKET: 2 e84841ae IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=25724DF SPORT=59598 DPORT=80 ACK 
 TRACE: 2 e84841ae raw:PREROUTING:rule:0x3:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 e84841ae raw:PREROUTING:return:
 TRACE: 2 e84841ae raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 e84841ae mangle:PREROUTING:return:
 TRACE: 2 e84841ae mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 e84841ae IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=25724DF SPORT=59598 DPORT=81 ACK 
 TRACE: 2 e84841ae mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 e84841ae mangle:marquage:return:
 TRACE: 2 e84841ae mangle:INPUT:return:
 TRACE: 2 e84841ae mangle:INPUT:policy:ACCEPT 
PACKET: 2 e84841ae IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=25724DF SPORT=59598 DPORT=81 ACK 
 TRACE: 2 e84841ae filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 e84841ae filter:ped-bas:rule:0xbf:ACCEPT  -4 -t filter -A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
PACKET: 2 cec2775c IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=25725DF SPORT=59598 DPORT=80 ACK FIN 
 TRACE: 2 cec2775c raw:PREROUTING:rule:0x3:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 cec2775c raw:PREROUTING:return:
 TRACE: 2 cec2775c raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 cec2775c mangle:PREROUTING:return:
 TRACE: 2 cec2775c mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 cec2775c IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=25725DF SPORT=59598 DPORT=81 ACK FIN 
 TRACE: 2 cec2775c mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 cec2775c mangle:marquage:return:
 TRACE: 2 cec2775c mangle:INPUT:return:
 TRACE: 2 cec2775c mangle:INPUT:policy:ACCEPT 
PACKET: 2 cec2775c IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=25725DF SPORT=59598 DPORT=81 ACK FIN 
 TRACE: 2 cec2775c filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 cec2775c filter:ped-bas:rule:0xbf:ACCEPT  -4 -t filter -A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
PACKET: 2 4a073ee9 IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.3.5 LEN=40 TOS=0x0 TTL=64 ID=25726DF SPORT=59598 DPORT=80 ACK 
 TRACE: 2 4a073ee9 raw:PREROUTING:rule:0x3:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 4a073ee9 raw:PREROUTING:return:
 TRACE: 2 4a073ee9 raw:PREROUTING:policy:ACCEPT 
 TRACE: 2 4a073ee9 mangle:PREROUTING:return:
 TRACE: 2 4a073ee9 mangle:PREROUTING:policy:ACCEPT 
PACKET: 2 4a073ee9 IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=25726DF SPORT=59598 DPORT=81 ACK 
 TRACE: 2 4a073ee9 mangle:INPUT:rule:0x7:JUMP:marquage  -4 -t mangle -A INPUT -j marquage
 TRACE: 2 4a073ee9 mangle:marquage:return:
 TRACE: 2 4a073ee9 mangle:INPUT:return:
 TRACE: 2 4a073ee9 mangle:INPUT:policy:ACCEPT 
PACKET: 2 4a073ee9 IN=enp4s0 MACSRC=2:0:a:1:2:65 MACDST=2:0:a:1:2:64 MACPROTO=0800 SRC=10.1.2.50 DST=10.1.2.1 LEN=40 TOS=0x0 TTL=64 ID=25726DF SPORT=59598 DPORT=81 ACK 
 TRACE: 2 4a073ee9 filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 4a073ee9 filter:ped-bas:rule:0xbf:ACCEPT  -4 -t filter -A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
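
Added example, not part of the ticket or of EOLE's code: a small parser for xtables-monitor --trace output that reduces each traced packet to the chains it crossed and reports where two traversals first diverge. The sample input is condensed from the SYN packets of the two traces in comment #4 (PACKET fields shortened); the function names are illustrative.

```python
import re

# Line shapes of `xtables-monitor --trace`, as they appear in the traces on this page.
TRACE_RE = re.compile(
    r"^TRACE:\s+\d+\s+(?P<id>[0-9a-f]+)\s+"
    r"(?P<table>\w+):(?P<chain>[\w-]+):(?P<kind>rule|return|policy)"
    r":?(?P<rest>\S*)(?:\s+(?P<rule>-.*))?$"
)
PACKET_RE = re.compile(r"^PACKET:\s+\d+\s+(?P<id>[0-9a-f]+)\s+(?P<fields>.*)$")
REDIRECT_RE = re.compile(r"-j REDIRECT --to-ports (\d+)")

# Sample input condensed from comment #4: SYN packet, working run.
WORKING = """
PACKET: 2 3ea96869 IN=enp4s0 SRC=10.1.2.50 DST=10.1.3.5 SPORT=46802 DPORT=80 SYN
 TRACE: 2 3ea96869 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 3ea96869 raw:PREROUTING:return:
 TRACE: 2 3ea96869 raw:PREROUTING:policy:ACCEPT
 TRACE: 2 3ea96869 mangle:PREROUTING:return:
 TRACE: 2 3ea96869 mangle:PREROUTING:policy:ACCEPT
 TRACE: 2 3ea96869 nat:PREROUTING:return:
 TRACE: 2 3ea96869 nat:PREROUTING:policy:ACCEPT
PACKET: 2 3ea96869 IN=enp4s0 OUT=enp5s0 SRC=10.1.2.50 DST=10.1.3.5 SPORT=46802 DPORT=80 SYN
 TRACE: 2 3ea96869 filter:FORWARD:rule:0x33:JUMP:ped-dmz  -4 -t filter -A FORWARD -i enp4s0 -o enp5s0 -j ped-dmz
 TRACE: 2 3ea96869 filter:ped-dmz:rule:0xd0:ACCEPT  -4 -t filter -A ped-dmz -i enp4s0 -o enp5s0 -j ACCEPT
"""

# Sample input condensed from comment #4: SYN packet, non-working run.
BROKEN = """
PACKET: 2 fc8a3eff IN=enp4s0 SRC=10.1.2.50 DST=10.1.3.5 SPORT=59598 DPORT=80 SYN
 TRACE: 2 fc8a3eff raw:PREROUTING:rule:0x3:CONTINUE  -4 -t raw -A PREROUTING -d 10.1.3.5/32 -p tcp -m tcp --dport 80 -j TRACE
 TRACE: 2 fc8a3eff raw:PREROUTING:return:
 TRACE: 2 fc8a3eff raw:PREROUTING:policy:ACCEPT
 TRACE: 2 fc8a3eff mangle:PREROUTING:return:
 TRACE: 2 fc8a3eff mangle:PREROUTING:policy:ACCEPT
 TRACE: 2 fc8a3eff nat:PREROUTING:rule:0x19:ACCEPT  -4 -t nat -A PREROUTING ! -d 192.168.0.31/32 -i enp4s0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux http sans proxy" -j REDIRECT --to-ports 81
PACKET: 2 fc8a3eff IN=enp4s0 SRC=10.1.2.50 DST=10.1.2.1 SPORT=59598 DPORT=81 SYN
 TRACE: 2 fc8a3eff filter:INPUT:rule:0x27:JUMP:ped-bas  -4 -t filter -A INPUT -i enp4s0 -j ped-bas
 TRACE: 2 fc8a3eff filter:ped-bas:rule:0xc2:ACCEPT  -4 -t filter -A ped-bas -i enp4s0 -p tcp -m tcp --dport 81 -m comment --comment "era: Redirection des flux http sans proxy" -j ACCEPT
"""


def parse(text):
    """Map packet id -> traversal steps, DST addresses seen, REDIRECT port (or None)."""
    packets = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PACKET_RE.match(line)
        if m:
            p = packets.setdefault(m["id"], {"steps": [], "dst": [], "redirect": None})
            fields = dict(f.split("=", 1) for f in m["fields"].split() if "=" in f)
            dst = fields.get("DST")
            if dst and dst not in p["dst"]:
                p["dst"].append(dst)  # a second DST means the packet was rewritten by NAT
            continue
        m = TRACE_RE.match(line)
        if not m:
            continue  # blank or unrelated line
        p = packets.setdefault(m["id"], {"steps": [], "dst": [], "redirect": None})
        parts = m["rest"].split(":")
        # rule lines read "<handle>:<verdict>[:<target>]"; policy lines read "<verdict>".
        if m["kind"] == "rule":
            verdict = parts[1] if len(parts) > 1 else ""
        else:
            verdict = parts[0]
        # Rule handles (0x2, 0x3, ...) change between runs, so they are left out of the step.
        p["steps"].append((m["table"], m["chain"], m["kind"], verdict))
        redirect = REDIRECT_RE.search(m["rule"] or "")
        if redirect:
            p["redirect"] = int(redirect.group(1))
    return packets


def path(packet):
    """FORWARD if the packet was routed through the firewall, INPUT if delivered locally."""
    chains = {chain for _, chain, _, _ in packet["steps"]}
    if "FORWARD" in chains:
        return "FORWARD"
    return "INPUT" if "INPUT" in chains else "unknown"


def first_divergence(a, b):
    """Index and the two steps where the traversals first differ, or None."""
    for i, (x, y) in enumerate(zip(a["steps"], b["steps"])):
        if x != y:
            return i, x, y
    return None


if __name__ == "__main__":
    ok, bad = parse(WORKING)["3ea96869"], parse(BROKEN)["fc8a3eff"]
    for name, p in (("working", ok), ("broken", bad)):
        print(name, path(p), "dst:", " -> ".join(p["dst"]), "redirect:", p["redirect"])
    print("first divergence:", first_divergence(ok, bad))
```

On the two samples the traversals are identical through mangle:PREROUTING and first differ at nat:PREROUTING, where the non-working run matches the REDIRECT rule and the packet is delivered locally on port 81 instead of being forwarded.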

#5 Updated by Benjamin Bohard more than a year ago

Problem narrowed down to the posttemplate script 00-eole-common, and more specifically to the step that generates the firewall rules, the call to firewall.start. Using the resolv.conf switch script to wrap this step is enough to work around the problem.

#6 Updated by Benjamin Bohard more than a year ago

In the script /usr/share/era/bastion.sh, the dig command is used to find IPs from domain names (a workaround for ipset's lack of support for multiple IPs, still relevant according to the bundled man page).
It seems that the minimal configuration is not sufficient to generate the correct addresses for the ipsets.

#7 Updated by Benjamin Bohard more than a year ago

  • Status changed from New to In progress

#8 Updated by Benjamin Bohard more than a year ago

  • Status changed from In progress to To be validated

#9 Updated by Benjamin Bohard more than a year ago

  • Status changed from To be validated to Resolved

#10 Updated by Joël Cuissinat more than a year ago

  • Status changed from Resolved to Closed
  • % done changed from 0 to 100
  • Remaining (hours) set to 0.0
