From: Florian Westphal <fw@strlen.de>
To: Brandon Cazander <brandon.cazander@multapplied.net>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"edumazet@google.com" <edumazet@google.com>
Subject: Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)
Date: Thu, 28 Jul 2016 16:48:32 +0200
Message-ID: <20160728144832.GA26237@breakpoint.cc>
In-Reply-To: <BL2PR07MB2306908C76E928619A24B52E9E0F0@BL2PR07MB2306.namprd07.prod.outlook.com>

Brandon Cazander <brandon.cazander@multapplied.net> wrote:
> Hopefully that's enough detail to replicate this issue. I have the full environment set up for both working and non-working kernel versions, so please let me know if there's anything else I can provide.

No need, this reproduces easily with this two-line ruleset:

iptables -t nat -A PREROUTING -d 192.168.7.20/32 -i eth0 -j DNAT --to-destination 192.168.8.1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8080 -j TPROXY --on-port 9876 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1

AFAIU the problem is this:

SYN:
1. -j TPROXY finds listen sk, redirects to it
2. DNAT takes place (iphdr(skb)->daddr is mangled).
3. tcp stack puts request sk into ehash table.

Note that the ehash entry uses the updated/dnatted address.

ACK:
1. -j TPROXY finds no established or request socket,
since it uses iph->daddr but the ehash contains the dnatted-to address
... so we redirect to the listener socket.

Before the ehash change, for skb to listen sk the kernel
used to search both the listener socket request queue and
the ehash table, using the iphdr daddr (which at this point
is the DNAT'ed address).  So this used to work because this
returns the request sk.

After the ehash change we only check syn cookie and will then
emit a reset.

Eric, AFAICS the only solution for this is to extend
TPROXY and obtain the lookup saddr/daddr info from the conntrack
entry instead of the ip headers, which should make this work again.

Do you agree?
Any other suggestions?

Thanks!
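A small Python model of the three lookup paths discussed in this message (request socks in the listener queue before 079096f103fa, request socks in ehash after it, and TPROXY consulting the conntrack entry as proposed), added here as an illustration and not code from the thread or the kernel. The client address is constructed; the DNAT target and port come from the ruleset above.

```python
"""Model of the TPROXY / DNAT / ehash interaction from the mail."""

LISTEN_PORT = 8080
ORIG_DST = "192.168.7.20"      # -d match of the nat rule
DNAT_TO = "192.168.8.1"        # --to-destination of the nat rule
CLIENT = ("10.0.0.5", 40000)   # constructed client saddr/sport


class Kernel:
    def __init__(self, reqsk_in_ehash, ct_aware_tproxy):
        self.reqsk_in_ehash = reqsk_in_ehash   # True after 079096f103fa
        self.ct_aware_tproxy = ct_aware_tproxy # proposed fix (assumption)
        self.conntrack = {}    # original tuple -> DNATed daddr
        self.ehash = {}        # (saddr, sport, daddr, dport) -> sk kind
        self.reqsk_queue = set()  # listener's own queue (old kernels)

    def _tproxy(self, tup):
        """mangle PREROUTING -j TPROXY: runs before nat, sees iph->daddr."""
        if self.ct_aware_tproxy and tup in self.conntrack:
            tup = tup[:2] + (self.conntrack[tup], tup[3])
        return self.ehash.get(tup, "listener")

    def _dnat(self, tup):
        """nat PREROUTING: mangles daddr, records the mapping in conntrack."""
        self.conntrack.setdefault(tup, DNAT_TO)
        return tup[:2] + (DNAT_TO, tup[3])

    def receive(self, flag):
        tup = CLIENT + (ORIG_DST, LISTEN_PORT)
        sk = self._tproxy(tup)     # step 1: socket lookup on pre-NAT daddr
        tup = self._dnat(tup)      # step 2: daddr now DNATed
        if flag == "SYN":          # step 3: request sock stored by DNATed tuple
            if self.reqsk_in_ehash:
                self.ehash[tup] = "request"
            else:
                self.reqsk_queue.add(tup)
            return "synack"
        if sk == "request":        # final ACK hit the request sock directly
            return "established"
        # ACK landed on the listener: old kernels searched the request queue
        # (and ehash) with the DNATed daddr; new kernels only try syncookies.
        if not self.reqsk_in_ehash and tup in self.reqsk_queue:
            return "established"
        return "reset"


def handshake(reqsk_in_ehash, ct_aware_tproxy):
    k = Kernel(reqsk_in_ehash, ct_aware_tproxy)
    k.receive("SYN")
    return k.receive("ACK")
```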
