From: Florian Westphal <fw@strlen.de>
To: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: netfilter expected behavior for established connections
Date: Wed, 12 Mar 2025 17:13:24 +0100 [thread overview]
Message-ID: <20250312161324.GB28069@breakpoint.cc> (raw)
In-Reply-To: <CABhP=tYOynShd82rwVuDMJDTE8LcM6+FHwx7Tfuk183EW+ipPA@mail.gmail.com>
Antonio Ojea <antonio.ojea.garcia@gmail.com> wrote:
> I'm puzzled trying to understand the following behavior, appreciate it
> if you can help me to understand better how this works.
>
> The setup is like this: Client --- Router --- Server
>
> - Router DNATs to a Virtual IP and Port of the Server.
> - Client establishes a permanent connection to the Virtual IP.
> - Router adds a REJECT rule in the FORWARD hook for the Server IP
>
> I expect the REJECT to match the established connection, but the
> client keeps reaching the Server using the existing connection.
>
> The packets of the established connection do not show up on the traces
> using nftrace.
>
> Is it possible to "DROP/REJECT" the established connection ?
>
> I've created a selftest to reproduce this behavior, please find it attached.
Are you sure this script works as intended?
Doing:
socat tcp-listen:12345,fork PIPE &
socat PIPE:P tcp:127.0.0.1:12345 &
echo foo > P
... causes endless traffic, since listener echoes
P back, that gets written to P, socat reads from it,
eches foo to server, that sends to client, ...
Probably you need to use:
socat -u PIPE:P,rdonly ... ?
This config change is also needed:
--- a/tools/testing/selftests/net/netfilter/config
+++ b/tools/testing/selftests/net/netfilter/config
@@ -81,6 +81,7 @@ CONFIG_NFT_NUMGEN=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REDIR=m
+CONFIG_NFT_REJECT=m
since thats the kernel feature template used by the netdev ci to
build the test kernel to use.
Another issue: cwd might be readonly, so creating pipe.test will fail.
I suggest to use
pipename=$(mktemp -u)
so the named fifo is created in /tmp which is writeable.
next prev parent reply other threads:[~2025-03-12 16:13 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-11 23:56 netfilter expected behavior for established connections Antonio Ojea
2025-03-12 0:30 ` imnozi
2025-03-12 7:11 ` Florian Westphal
2025-03-12 10:55 ` Antonio Ojea
2025-03-12 12:51 ` Florian Westphal
2025-03-12 13:04 ` Antonio Ojea
2025-03-12 14:17 ` Antonio Ojea
2025-03-12 14:25 ` Florian Westphal
2025-03-12 16:13 ` Florian Westphal [this message]
2025-03-12 18:02 ` Antonio Ojea
2025-03-12 18:20 ` Florian Westphal
2025-03-12 18:29 ` Antonio Ojea
2025-03-13 23:23 ` Antonio Ojea
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250312161324.GB28069@breakpoint.cc \
--to=fw@strlen.de \
--cc=antonio.ojea.garcia@gmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.