From: Florian Westphal <fw@strlen.de>
To: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: netfilter expected behavior for established connections
Date: Wed, 12 Mar 2025 08:11:48 +0100
Message-ID: <20250312071148.GA11288@breakpoint.cc>
In-Reply-To: <CABhP=tYOynShd82rwVuDMJDTE8LcM6+FHwx7Tfuk183EW+ipPA@mail.gmail.com>
Antonio Ojea <antonio.ojea.garcia@gmail.com> wrote:
> Hi,
>
> I'm puzzled trying to understand the following behavior, appreciate it
> if you can help me to understand better how this works.
>
> The setup is like this: Client --- Router --- Server
>
> - Router DNATs to a Virtual IP and Port of the Server.
> - Client establishes a permanent connection to the Virtual IP.
> - Router adds a REJECT rule in the FORWARD hook for the Server IP
>
> I expect the REJECT to match the established connection, but the
> client keeps reaching the Server using the existing connection.
>
> The packets of the established connection do not show up on the traces
> using nftrace.
>
> Is it possible to "DROP/REJECT" the established connection ?
>
> I've created a selftest to reproduce this behavior, please find it attached.
Unfortunately this selftest passes for me.
PASS: ns1-apNbtu can reach ns2-VgBo5h
PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to ns2
PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
> 2025/03/12 08:10:58.000388001 length=5 from=0 to=4
PING
< 2025/03/12 08:10:58.000388848 length=5 from=0 to=4
PING
PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to vip
PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
PASS: test_ip_conntrack_reject_established: ns1 got "Connection refused" connecting to vip (ns2)
PASS: test_ip_conntrack_reject_established: ns1 connection to vip is closed (ns2)
PASS: test_ip_conntrack_reject_established: ns1 got no response and client is closed to vip (ns2)
PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to ns2
PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
> 2025/03/12 08:11:00.000519768 length=5 from=0 to=4
PING
< 2025/03/12 08:11:00.000520866 length=5 from=0 to=4
PING
PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to vip
PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
PASS: test_ip6_conntrack_reject_established: ns1 got "Connection refused" connecting to vip (ns2)
PASS: test_ip6_conntrack_reject_established: ns1 connection to vip is closed (ns2)
PASS: test_ip6_conntrack_reject_established: ns1 got no response and client is closed to vip (ns2)
Linux 6.13.5-200.fc41.x86_64
nftables v1.0.9 (Old Doc Yak #3)
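The setup described in the quoted question (Client --- Router --- Server, DNAT to a virtual IP on the router, then a REJECT rule for the server address in the forward hook) can be reproduced with network namespaces so that the established flow can be inspected with conntrack(8) and `nft monitor trace`. The script below is an added example, not the selftest attached to the thread; all namespace names, interface names, addresses and ports in it are constructed. One point worth checking when reading the result: the nat prerouting hook rewrites the destination before the filter forward hook runs, so a forward rule has to match the translated (server) address rather than the VIP, and it then sees every packet of the flow unless an earlier rule accepts established traffic.

```bash
#!/bin/sh
# Added example, not code from the thread: reproduce the
# Client --- Router --- Server topology with network namespaces and
# nftables. Addresses, names and ports are constructed for this example.
set -eu

CLIENT=10.0.1.2      # client address (constructed)
ROUTER_CLI=10.0.1.1  # router address on the client-facing link
ROUTER_SRV=10.0.2.1  # router address on the server-facing link
SERVER=10.0.2.2      # real server behind the router
SPORT=80
VIP=10.0.3.10        # virtual IP the client connects to
VPORT=8080

# Emit the router ruleset: DNAT VIP:VPORT -> SERVER:SPORT in prerouting,
# a trace rule and a REJECT for the server address in the forward hook.
# Forward runs after DNAT, so the match is on $SERVER, not $VIP.
router_ruleset() {
    cat <<EOF
table ip router {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr $VIP tcp dport $VPORT dnat to $SERVER:$SPORT
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        meta nftrace set 1
        ip daddr $SERVER tcp dport $SPORT reject with tcp reset
    }
}
EOF
}

# Build the three namespaces, two veth links and the routes between them,
# enable forwarding on the router and load the ruleset. Needs root.
setup_topology() {
    ip netns add client
    ip netns add router
    ip netns add server
    ip link add c-eth type veth peer name r-cli
    ip link add s-eth type veth peer name r-srv
    ip link set c-eth netns client
    ip link set r-cli netns router
    ip link set s-eth netns server
    ip link set r-srv netns router
    ip -n client addr add "$CLIENT/24" dev c-eth
    ip -n client link set c-eth up
    ip -n client route add default via "$ROUTER_CLI"
    ip -n router addr add "$ROUTER_CLI/24" dev r-cli
    ip -n router addr add "$ROUTER_SRV/24" dev r-srv
    ip -n router link set r-cli up
    ip -n router link set r-srv up
    ip -n server addr add "$SERVER/24" dev s-eth
    ip -n server link set s-eth up
    ip -n server route add default via "$ROUTER_SRV"
    ip netns exec router sysctl -qw net.ipv4.ip_forward=1
    router_ruleset | ip netns exec router nft -f -
}

# Show what the router currently knows about the flow: the conntrack
# entry (original vs. reply tuple shows the DNAT) and the loaded rules.
# Run `ip netns exec router nft monitor trace` alongside to see whether
# packets of the established flow hit the forward chain.
inspect_router() {
    ip netns exec router conntrack -L 2>/dev/null || echo "conntrack(8) not installed"
    ip netns exec router nft list table ip router
}

teardown_topology() {
    ip netns del client
    ip netns del router
    ip netns del server
}

# Usage: ./repro.sh setup | inspect | teardown
case "${1:-}" in
    setup)    [ "$(id -u)" -eq 0 ] || { echo "setup needs root" >&2; exit 1; }
              setup_topology ;;
    inspect)  inspect_router ;;
    teardown) teardown_topology ;;
    *)        ;;
esac
```

With the topology up, start a listener in the `server` namespace on port 80, connect from `client` to `$VIP:$VPORT`, then add or reorder the forward rule and watch `nft monitor trace` from the router namespace to see which chain and rule each packet of the existing connection reaches.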
Thread overview: 13+ messages
2025-03-11 23:56 netfilter expected behavior for established connections Antonio Ojea
2025-03-12 0:30 ` imnozi
2025-03-12 7:11 ` Florian Westphal [this message]
2025-03-12 10:55 ` Antonio Ojea
2025-03-12 12:51 ` Florian Westphal
2025-03-12 13:04 ` Antonio Ojea
2025-03-12 14:17 ` Antonio Ojea
2025-03-12 14:25 ` Florian Westphal
2025-03-12 16:13 ` Florian Westphal
2025-03-12 18:02 ` Antonio Ojea
2025-03-12 18:20 ` Florian Westphal
2025-03-12 18:29 ` Antonio Ojea
2025-03-13 23:23 ` Antonio Ojea