Brandon Cazander wrote:
[ cc netfilter-devel ]
> Sorry to resurrect this so much later—I just got back from holidays and this
> was still on my desk.
>
> Will anyone have another chance to look at this? It appears that the DIVERT
> rule is not working in our case, and I wonder if it is possib
.
From: Brandon Cazander
Sent: Monday, August 15, 2016 9:28 AM
To: Florian Westphal
Cc: netdev@vger.kernel.org; Eric Dumazet
Subject: Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)
I can recreate the issue with these rules:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8080 -j TPROXY --on-port 9876 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
iptables -t nat -A PREROUTING -d 192.168.7.20/32 -i e
Brandon Cazander wrote:
> Is there anything I can provide or do to help get this issue fixed? Even with
> the patch provided, our application is still broken.
[..]
> I think that it is worth doing, as the original kernel change broke my user
> space program and could do the same to others as w
s behaving differently than the other setup
so I need to look into that. But it definitely worked before the changes to the
kernel.
From: Florian Westphal
Sent: Tuesday, August 2, 2016 3:11 PM
To: Brandon Cazander
Cc: Florian Westphal
Subject: Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)
Brandon Cazan
ian Westphal
Sent: Friday, July 29, 2016 6:21 AM
To: Brandon Cazander
Cc: netdev@vger.kernel.org; eduma...@google.com
Subject: Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)
Brandon Cazander wrote:
> * When it fails, no traffic hits the WEBSERVER. A tcpdump on the bad kernel
> shows:
> root@dons-qemu-new-kernel:~# tcpdump -niany tcp and port 8080
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LIN
Brandon Cazander wrote:
> Hopefully that's enough detail to replicate this issue. I have the full
> environment set up for both working and non-working kernel versions, so
> please let me know if there's anything else I can provide.
No need, this reproduces easily with this two-line ruleset:
-
On Wed, 2016-07-27 at 18:19 +, Brandon Cazander wrote:
> [1.] One line summary of the problem:
> Using TPROXY together with a DNAT rule (working on older kernels) fails to
> work on newer kernels as of commit 079096f103fa
>
> [2.] Full description of the problem/report:
> I performed a git bi
[1.] One line summary of the problem:
Using TPROXY together with a DNAT rule (working on older kernels) fails to work
on newer kernels as of commit 079096f103fa
[2.] Full description of the problem/report:
I performed a git bisect using a qemu image to test my example below, and the
bisect ended