From mboxrd@z Thu Jan 1 00:00:00 1970
From: Florian Westphal
Subject: Re: : getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) is in fact sometimes returning the source IP instead the destination IP
Date: Mon, 7 Jan 2019 12:17:53 +0100
Message-ID: <20190107111753.aiabujukqx3eteqb@breakpoint.cc>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "netdev@vger.kernel.org"
To: "Mohandass, Roobesh"
Return-path:
Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:59792 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726798AbfAGLR5 (ORCPT ); Mon, 7 Jan 2019 06:17:57 -0500
Content-Disposition: inline
In-Reply-To:
Sender: netdev-owner@vger.kernel.org
List-ID:

Mohandass, Roobesh wrote:
> Issue: getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) is in fact sometimes returning the source IP instead of the destination IP

SO_ORIGINAL_DST returns the original address (before DNAT/REDIRECT rewrite) that conntrack believes to be the originator.

> What you expected to happen:
> getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) - should always return the destination IP (connected IP).
>
> What happened instead:
> getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) is in fact sometimes returning the source IP instead of the destination IP. Using getsockname() instead looks like it solves the issue.
>
> For just an example:
> Out of 6569124 requests, 4 requests were wrong, 0.000060891 % (this is just a rough estimate to give you an idea of the frequency)
>
> Some old reference: (similar behavior observed)
> https://stackoverflow.com/questions/11417187/getsockopt-so-original-dst-occasionally-returns-client-address

I ask exactly the same question as in your URL.
If you use TPROXY, why do you use SO_ORIGINAL_DST?
It's only required with -j REDIRECT.

If you need to use REDIRECT for some reason, make sure you limit REDIRECT to -p tcp --syn to prevent it from triggering on other packets.

You might also want to turn off midstream pickup (sysctl nf_conntrack_tcp_loose=0) in conntrack.
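The application-side counterpart to the advice above, as an added example that is not part of the thread and not code from either poster: a transparent-proxy accept path that reads SO_ORIGINAL_DST, cross-checks the answer against getpeername() (the failure reported here is precisely that conntrack hands back the client's own address), and falls back to getsockname() when the answer is suspect. The value 80 for SO_ORIGINAL_DST and the SOL_IP fallback are the real Linux definitions, repeated here only so the file compiles without <linux/netfilter_ipv4.h>; the function names, the helper `suspect_pair()` and all IP addresses are constructed for this example.

```c
/* Added example: read the pre-REDIRECT destination of an accepted TCP
 * connection and detect the "original dst == client" mismatch described in
 * the thread. Not code from the netdev thread or from the kernel. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Linux defines these in <netinet/in.h> / <linux/netfilter_ipv4.h>; the
 * fallbacks let the file compile where those headers are missing. */
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80
#endif

/* Pure check: the address a client connected TO can never be the client's
 * own address. Returns 1 when conntrack's answer is suspect, 0 otherwise. */
int orig_dst_matches_peer(const struct sockaddr_in *orig,
                          const struct sockaddr_in *peer)
{
    return orig->sin_family == AF_INET &&
           orig->sin_addr.s_addr == peer->sin_addr.s_addr;
}

/* Build a sockaddr_in from a dotted quad and port; 0 on success, -1 on a
 * malformed address. Used for constructed test data and logging. */
int make_addr(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Hypothetical helper: run the check on two constructed addresses.
 * Returns 1 if orig_ip equals peer_ip (the bug signature), 0 if not,
 * -1 if either address does not parse. */
int suspect_pair(const char *orig_ip, const char *peer_ip)
{
    struct sockaddr_in orig, peer;
    if (make_addr(&orig, orig_ip, 443) < 0 || make_addr(&peer, peer_ip, 51000) < 0)
        return -1;
    return orig_dst_matches_peer(&orig, &peer);
}

/* Fill *dst with the address the client originally connected to.
 * Returns 0 when SO_ORIGINAL_DST gave a plausible answer, 1 when the
 * fallback to getsockname() was taken (log it: under REDIRECT the local
 * address is the redirect target, not the original destination; under
 * TPROXY it is the original destination, as the thread notes), and -1 on
 * a hard socket error. */
int original_destination(int fd, struct sockaddr_in *dst)
{
    struct sockaddr_in peer, orig;
    socklen_t len = sizeof(peer);

    if (getpeername(fd, (struct sockaddr *)&peer, &len) < 0)
        return -1;

    len = sizeof(orig);
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &orig, &len) == 0 &&
        !orig_dst_matches_peer(&orig, &peer)) {
        *dst = orig;
        return 0;
    }

    len = sizeof(*dst);
    if (getsockname(fd, (struct sockaddr *)dst, &len) < 0)
        return -1;
    return 1;
}

int main(void)
{
    /* Constructed addresses: 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges. */
    printf("good answer flagged: %d\n", suspect_pair("198.51.100.7", "192.0.2.10"));
    printf("bug signature flagged: %d\n", suspect_pair("192.0.2.10", "192.0.2.10"));
    return 0;
}
```

On a live proxy, call original_destination() right after accept() and count return value 1 as a metric; a non-zero rate alongside an unrestricted REDIRECT rule or nf_conntrack_tcp_loose=1 points at the midstream-pickup cause the reply describes.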