* TPROXY doesn't properly close connections in Linux 2.6.39
From: Brian G @ 2012-10-07 23:38 UTC
  To: netfilter

I've been using TPROXY for a transparent HTTP proxy. I've noticed that 
it is not closing the connection when the other side does.

The module is marked EXPERIMENTAL in Linux kernel 2.6.39. What is the 
oldest version of the Kernel that TPROXY is not marked EXPERIMENTAL, so 
I can upgrade to that Kernel? Or is TPROXY still marked EXPERIMENTAL in 
the latest kernels?

Why is TPROXY marked as EXPERIMENTAL? Are there any known bugs in 2.6.39?

Here is the firewall script I am using to set up TPROXY:

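# Route packets carrying fwmark 1 through table 100, which delivers them locally
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth0 table 100
# Disable reverse-path filtering on eth0
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# DIVERT chain: set fwmark 1 on the packet and accept it
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

# TCP packets that match an open local socket go to DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

# Remaining TCP packets to port 80 are handed to the proxy listening on port 12380
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 12380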



* Re: TPROXY doesn't properly close connections in Linux 2.6.39
From: Brian G @ 2012-10-08  1:07 UTC
  To: netfilter

I found this changelog on Wed, 19 Oct 2011 07:21:35:

tproxy: copy transparent flag when creating a time wait

The transparent socket option setting was not copied to the time wait
socket when an inet socket was being replaced by a time wait socket. This
broke the --transparent option of the socket match and may have caused
that FIN packets belonging to sockets in FIN_WAIT2 or TIME_WAIT state
were being dropped by the packet filter.

Does this look like a fix to the problem I was having? What kernel 
version on kernel.org is this patch included in?




* Re: TPROXY doesn't properly close connections in Linux 2.6.39
From: Eliezer Croitoru @ 2012-10-08 19:04 UTC
  To: Brian G; +Cc: netfilter

On 10/8/2012 3:07 AM, Brian G wrote:
> I found this changelog on  Wed, 19 Oct 2011 07:21:35:
>
> tproxy: copy transparent flag when creating a time wait
>
> The transparent socket option setting was not copied to the time wait
> socket when an inet socket was being replaced by a time wait socket. This
> broke the --transparent option of the socket match and may have caused
> that FIN packets belonging to sockets in FIN_WAIT2 or TIME_WAIT state
> were being dropped by the packet filter.
>
> Does this look like a fix to the problem I was having? What kernel
> version on kernel.org is this patch included in?

TPROXY is only a socket; it won't close itself. The software should know 
the state and other stuff on it and close it.
You should look at the software part to see why it won't close the 
connection and move on from there.

Regards,
Eliezer
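
What the last reply describes, as an added example (not code from this thread): a relay loop for the process listening on port 12380 that treats an empty recv() as the peer's FIN, forwards it with shutdown(), and closes both sockets itself. The function names are hypothetical, and IP_TRANSPARENT falls back to the Linux value 19 where Python's socket module does not export it.

```python
import selectors
import socket

IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)  # 19 in <linux/in.h>

def tproxy_listener(port=12380):
    """Listener for the rule's --on-port; needs CAP_NET_ADMIN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
    s.bind(("0.0.0.0", port))
    s.listen(128)
    return s

def relay(client, upstream, bufsize=65536):
    """Copy both ways, pass each side's FIN on, then close both sockets.
    Returns (bytes client->upstream, bytes upstream->client)."""
    peer = {client: upstream, upstream: client}
    copied = {client: 0, upstream: 0}
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ)
    sel.register(upstream, selectors.EVENT_READ)
    open_dirs = 2
    try:
        while open_dirs:
            for key, _ in sel.select():
                src = key.fileobj
                try:
                    data = src.recv(bufsize)
                    if data:
                        peer[src].sendall(data)  # blocking: simple backpressure
                        copied[src] += len(data)
                        continue
                except OSError:
                    return copied[client], copied[upstream]  # reset: tear down
                # recv() returned b"": the kernel delivered this side's FIN.
                sel.unregister(src)
                open_dirs -= 1
                try:
                    peer[src].shutdown(socket.SHUT_WR)  # forward the FIN
                except OSError:
                    pass  # peer already gone
    finally:
        sel.close()
        client.close()  # until the application closes, the kernel keeps the socket
        upstream.close()
    return copied[client], copied[upstream]
```

A TCP socket whose peer has sent FIN stays in CLOSE_WAIT until the owning process calls close(), so `ss -tan state close-wait` on the proxy host shows whether the application is skipping this step.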

