From: Florian Westphal <fw@strlen.de>
To: Brandon Cazander <brandon.cazander@multapplied.net>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	Florian Westphal <fw@strlen.de>,
	netfilter-devel@vger.kernel.org
Subject: Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)
Date: Wed, 7 Sep 2016 00:57:07 +0200	[thread overview]
Message-ID: <20160906225707.GD20188@breakpoint.cc> (raw)
In-Reply-To: <BL2PR07MB23065A58E771485F53D553E99EF90@BL2PR07MB2306.namprd07.prod.outlook.com>

Brandon Cazander <brandon.cazander@multapplied.net> wrote:

[ cc netfilter-devel ]

> Sorry to resurrect this so much later—I just got back from holidays and this was still on my desk.
> 
> Will anyone have another chance to look at this? It appears that the DIVERT rule is not working in our case, and I wonder if it is possible to fix the TPROXY target as well as the socket target fix that Florian provided.

Are there reproducer instructions available for this?

I don't see how TPROXY can be 'fixed' because when skb (tcp syn) is in
mangle PREROUTING nat transformation(s) have not been set up (yet).

So ip header addresses are all we have.

Only the ack (that finishes 3whs) or retransmitted syns will
have the post-nat address info available.

Ack should work fine with (changed) -m socket since the
socket should already be in the main ehash table.

Syn should also work just fine because Eric's changes
should not affect initial listener lookup done by TPROXY.

> It appears as though nobody else has encountered this regression, so I can appreciate that it comes up pretty low on the priority list. If it is not realistic that this will be looked at further, then we will have to look at replacing TPROXY.

If you already need NAT anyway you can also use -j REDIRECT (or exclude
tproxied packets from nat).
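The workaround Florian suggests above (keep TPROXY'd flows out of the nat table, so the SYN that TPROXY sees in mangle PREROUTING is never also DNAT'ed) as an added example; this ruleset is not part of the thread and not Florian's or Brandon's code. It emits an iptables-restore fragment plus the matching policy-routing commands; the proxy port, the fwmark value and the DNAT destination are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): iptables-restore ruleset that marks
# TPROXY'd packets in mangle PREROUTING and makes nat PREROUTING skip them.
# All values below are assumed placeholders, adjust to the real deployment.

TPROXY_PORT="${TPROXY_PORT:-3129}"             # local transparent listener (assumed)
TPROXY_MARK="${TPROXY_MARK:-0x1/0x1}"          # fwmark/mask for policy routing (assumed)
ROUTE_TABLE="${ROUTE_TABLE:-100}"              # routing table for marked packets (assumed)
DNAT_TARGET="${DNAT_TARGET:-192.0.2.10:8080}"  # RFC 5737 documentation address

# Print the ruleset. mangle PREROUTING runs before nat PREROUTING for every
# packet, and the very first SYN has no conntrack NAT mapping yet, so TPROXY
# can only ever match on the original IP header addresses. Marking the packet
# there and returning early in nat keeps DNAT from rewriting the same flow.
gen_rules() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
# established/transparent sockets: re-mark so replies keep using the local route
-A PREROUTING -p tcp -m socket --transparent -j DIVERT
# new flows to port 80: hand to the transparent proxy and set the mark
-A PREROUTING -p tcp --dport 80 -j TPROXY --on-port $TPROXY_PORT --tproxy-mark $TPROXY_MARK
-A DIVERT -j MARK --set-xmark $TPROXY_MARK
-A DIVERT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
# anything TPROXY already claimed carries the mark: leave nat alone for it
-A PREROUTING -m mark --mark $TPROXY_MARK -j RETURN
# everything else to port 80 is DNAT'ed as before
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $DNAT_TARGET
COMMIT
EOF
}

# Print the policy-routing commands that deliver marked packets locally;
# without these TPROXY'd packets would be forwarded instead of accepted.
gen_routing() {
    mark_value="${TPROXY_MARK%%/*}"
    printf 'ip rule add fwmark %s lookup %s\n' "$mark_value" "$ROUTE_TABLE"
    printf 'ip route add local 0.0.0.0/0 dev lo table %s\n' "$ROUTE_TABLE"
}

# Default: only print. With --apply (as root) load the rules and routes.
if [ "${1:-}" = "--apply" ]; then
    gen_rules | iptables-restore
    gen_routing | sh
else
    gen_rules
    gen_routing
fi
```

Run it without arguments to review the generated ruleset first; the RETURN in nat PREROUTING must sit before the DNAT rule, otherwise the mark check never fires for new flows. The SYN reaches nat PREROUTING already marked because the TPROXY target sets the mark itself; the `-m socket --transparent` rule covers the later packets of the same flow.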
