Message-ID: <BL2PR07MB23061A24DD64E80532DBD9799E060@BL2PR07MB2306.namprd07.prod.outlook.com>
Date: Wed, 3 Aug 2016 15:47:36 +0000
From: Brandon Cazander <brandon.cazander@...tapplied.net>
To: Florian Westphal <fw@...len.de>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

I think that it is worth doing, as the original kernel change broke my user space program and could do the same to others as well.

On another setup, even with the DIVERT rule in place, I'm still seeing the RST after the ACK. I'm not sure how it is behaving differently than the other setup so I need to look into that. But it definitely worked before the changes to the kernel.

From: Florian Westphal <fw@...len.de>
Sent: Tuesday, August 2, 2016 3:11 PM
To: Brandon Cazander
Cc: Florian Westphal
Subject: Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

Brandon Cazander <brandon.cazander@...tapplied.net> wrote:
> > Please try this patch, it makes it work for me again.
> > I decided to extend the existing snat support in xt_socket.c instead
> > of changing TPROXY target:
>
> This fixes my example (with the DIVERT chain), but does not fix the two-line example you gave below. Another setup I have is also still broken as of this diff (similarly, there is a rule in nat PREROUTING that goes to a chain with the TPROXY rule).

Yes, I did not touch TPROXY target, we would need something similar
(take tuple addresses from the conntrack entry) there as well if we
need to make it work without the -m socket rule.