Date:	Thu, 26 Nov 2009 18:19:24 +0100
From:	Andreas Schultz <aschultz@...p10.net>
To:	KOVACS Krisztian <hidden@...abit.hu>
Cc:	tproxy@...ts.balabit.hu, netdev@...r.kernel.org,
	jamal <hadi@...erus.ca>
Subject: Re: [tproxy,regression] tproxy broken in 2.6.32

Hi,

git bisect shows that TPROXY has been broken by commit
f7c6fd2465d8e6f4f89c5d1262da10b4a6d499d0, [PATCH] net: Fix RPF to work
with policy routing

I had a look at the patch, and it seems logical that this would break TPROXY.

Andreas

On Wed, Nov 25, 2009 at 9:23 AM, KOVACS Krisztian <hidden@...abit.hu> wrote:
> Hi,
>
> On Mon, 2009-11-23 at 13:43 +0100, Andreas Schultz wrote:
>> I was trying to replace a setup based on a 2.6.27.14 kernel with a
>> 2.6.32-rc8 kernel and found that TPROXY is no longer working.
>>
>> The 2.6.27.14 kernel had the last stable tproxy patch plus some
>> additional fixes (TIME_WAIT, inet_sk_flowi_flags).
>> Since 2.6.32 is supposed to have working tproxy support, I dropped all patches.
>>
>> Now, connections to the local tproxy port no longer arrive at that port.
>> From the kernel log:
>>
>> Nov 23 12:32:31 scg01-wiwob user.debug kernel: tproxy socket lookup:
>> proto 6 ac19c4df:49175 -> c0a80208:80, lookup type: 2, sock (null)
>> Nov 23 12:32:31 scg01-wiwob user.debug kernel: tproxy socket lookup:
>> proto 6 ac19c4df:49175 -> c0a80208:3128, lookup type: 1, sock debae040
>> Nov 23 12:32:31 scg01-wiwob user.debug kernel: redirecting: proto 6
>> c0a80208:80 -> 00000000:3128, mark: 880400a0
>>
>>
>> The redirecting message is the last indication of the packet. tcpdump
>> shows that no answer for the initial packet goes out and the listening
>> socket is not notified either.
>
> I'll have a look at this. In the meantime, could you please post your
> kernel config, along with a summary of the iptables & ip rules you're
> using?
>
> Cheers,
> Krisztian
>
>