change in behavior of OUTPUT chain rule in 2.6.19

change in behavior of OUTPUT chain rule in 2.6.19

[Mike Accetta]

Between 2.6.18 and 2.6.19 (and 2.6.19.1) we've observed that a reject 
rule on the OUTPUT chain no longer causes a connection attempt to abort 
immediately with "Connection refused".  As a specific example, this rule

iptables -A  OUTPUT -p tcp --destination-port 23 \
   --destination 10.0.20.1  -j REJECT --reject-with tcp-reset

will cause a telnet connection to 10.0.20.1 to fail immediately under 
2.6.18 but will take minutes to timeout under 2.6.19.  Is this an 
intended change in functionality or a regression?  This is all using 
iptables-1.2.7a.
-- 
Mike Accetta
(mail address must be adjusted "appropriately" to reply)

ECI Telecom Ltd.
Data Networking Division (previously Laurel Networks)

Re: change in behavior of OUTPUT chain rule in 2.6.19

[Jan Engelhardt]

On Dec 14 2006 13:30, Mike Accetta wrote:
>
> Between 2.6.18 and 2.6.19 (and 2.6.19.1) we've observed that a reject rule on
> the OUTPUT chain no longer causes a connection attempt to abort immediately
> with "Connection refused".  As a specific example, this rule
>
> iptables -A  OUTPUT -p tcp --destination-port 23 \
> --destination 10.0.20.1  -j REJECT --reject-with tcp-reset

I cannot reproduce this with 2.6.20.2. Have you tried any newer kernel?


	Jan
-- 

Re: change in behavior of OUTPUT chain rule in 2.6.19

[Mike Accetta]

Jan Engelhardt writes:
> On Dec 14 2006 13:30, Mike Accetta wrote:
> >
> > Between 2.6.18 and 2.6.19 (and 2.6.19.1) we've observed that a reject rule 
> on
> > the OUTPUT chain no longer causes a connection attempt to abort immediately
> > with "Connection refused".  As a specific example, this rule
> >
> > iptables -A  OUTPUT -p tcp --destination-port 23 \
> > --destination 10.0.20.1  -j REJECT --reject-with tcp-reset
> 
> I cannot reproduce this with 2.6.20.2. Have you tried any newer kernel?

This was filed as Bugzilla #7716 and fixed by Patrick McHardy in 2.6.20.

Did I mess up by not also confirming back to the list that the bug was
fixed by the patch provided by Patrick?  I think at the time I just
moved it to Bugzilla because the list post had produced no reaction.
--
Mike Accetta

ECI Telecom Ltd.
Data Networking Division (previously Laurel Networks)

Re: change in behavior of OUTPUT chain rule in 2.6.19

[Jan Engelhardt]

On May 31 2007 16:09, Mike Accetta wrote:
>> >
>> > iptables -A  OUTPUT -p tcp --destination-port 23 \
>> > --destination 10.0.20.1  -j REJECT --reject-with tcp-reset
>> 
>> I cannot reproduce this with 2.6.20.2. Have you tried any newer kernel?
>
>This was filed as Bugzilla #7716 and fixed by Patrick McHardy in 2.6.20.
>
>Did I mess up by not also confirming back to the list that the bug was
>fixed by the patch provided by Patrick?  I think at the time I just
>moved it to Bugzilla because the list post had produced no reaction.

Well yeah I was kinda lazy to check it out myself, so the mail just
remained in the lkml folder until today when I felt like -- oh try
that yourself now that you have some production box >= 2.6.19
somewhere.


	Jan
-- 

Re: change in behavior of OUTPUT chain rule in 2.6.19

[Jan Engelhardt]

On May 31 2007 23:01, Jan Engelhardt wrote:
>On May 31 2007 16:09, Mike Accetta wrote:
>>> >
>>> > iptables -A  OUTPUT -p tcp --destination-port 23 \
>>> > --destination 10.0.20.1  -j REJECT --reject-with tcp-reset
>>> 
>>> I cannot reproduce this with 2.6.20.2. Have you tried any newer kernel?
>>
>>This was filed as Bugzilla #7716 and fixed by Patrick McHardy in 2.6.20.
>>
>>Did I mess up by not also confirming back to the list that the bug was
>>fixed by the patch provided by Patrick?  I think at the time I just
>>moved it to Bugzilla because the list post had produced no reaction.
>
>Well yeah I was kinda lazy to check it out myself, so the mail just
>remained in the lkml folder until today when I felt like -- oh try
>that yourself now that you have some production box >= 2.6.19
>somewhere.

(No, you did not mess up. Posting is not compulsory.)


	Jan
-- 

Re: change in behavior of OUTPUT chain rule in 2.6.19

[Patrick McHardy]

Mike Accetta wrote:
> Jan Engelhardt writes:
> 
>>On Dec 14 2006 13:30, Mike Accetta wrote:
>>
>>>Between 2.6.18 and 2.6.19 (and 2.6.19.1) we've observed that a reject rule 
>>
>>on
>>
>>>the OUTPUT chain no longer causes a connection attempt to abort immediately
>>>with "Connection refused".  As a specific example, this rule
>>>
>>>iptables -A  OUTPUT -p tcp --destination-port 23 \
>>>--destination 10.0.20.1  -j REJECT --reject-with tcp-reset
>>
>>I cannot reproduce this with 2.6.20.2. Have you tried any newer kernel?
> 
> 
> This was filed as Bugzilla #7716 and fixed by Patrick McHardy in 2.6.20.


The patch was also sent to -stable, I think its in 2.6.19.3.

Re: change in behavior of OUTPUT chain rule in 2.6.19

[Jan Engelhardt]

On Jun 1 2007 17:41, Patrick McHardy wrote:
>>>>
>>>>iptables -A  OUTPUT -p tcp --destination-port 23 \
>>>>--destination 10.0.20.1  -j REJECT --reject-with tcp-reset
>>>
>>>I cannot reproduce this with 2.6.20.2. Have you tried any newer kernel?
>> 
>> This was filed as Bugzilla #7716 and fixed by Patrick McHardy in 2.6.20.
>
>The patch was also sent to -stable, I think its in 2.6.19.3.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=7716

Software error:

DBD::mysql::st execute failed: Unknown column 'products.classification_id' in
'where clause' [for Statement "SELECT products.name, classifications.name FROM
products, classifications WHERE classifications.id = products.classification_id
ORDER BY classifications.name"] at Bugzilla/DB.pm line 84
	Bugzilla::DB::SendSQL('SELECT products.name, classifications.name FROM
products, cla...') called at globals.pl line 140
	main::GenerateVersionTable() called at globals.pl line 312
	main::GetVersionTable() called at
/var/www/bugzilla.netfilter.org/htdocs/bugzilla/show_bug.cgi line 60

For help, please send mail to the webmaster (webmaster@netfilter.org), giving
this error message and the time and date of the error. 

Sat Jun  2 14:46:26 CEST 2007



	Jan
-- 

Re: change in behavior of OUTPUT chain rule in 2.6.19

[Patrick McHardy]

Jan Engelhardt wrote:
> https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=7716
> 
> Software error:
> 
> DBD::mysql::st execute failed: Unknown column 'products.classification_id' in
> 'where clause' [for Statement "SELECT products.name, classifications.name FROM
> products, classifications WHERE classifications.id = products.classification_id
> ORDER BY classifications.name"] at Bugzilla/DB.pm line 84
> 	Bugzilla::DB::SendSQL('SELECT products.name, classifications.name FROM
> products, cla...') called at globals.pl line 140
> 	main::GenerateVersionTable() called at globals.pl line 312
> 	main::GetVersionTable() called at
> /var/www/bugzilla.netfilter.org/htdocs/bugzilla/show_bug.cgi line 60
> 
> For help, please send mail to the webmaster (webmaster@netfilter.org), giving
> this error message and the time and date of the error. 
> 
> Sat Jun  2 14:46:26 CEST 2007


Well, gentoo is a pile of crap.