[tproxy] (no subject)

KOVACS Krisztian hidden@balabit.hu
Fri, 10 Oct 2003 10:28:23 +0200


   Hi,

Jon Nelson wrote:
> Problem #1: assume a process has gone through the steps of locally
> binding, calling setsockopt(ASSIGN) and setsockopt(LISTEN|ONCE) but has
> /not/ called 'listen' on the socket.
> 
> If the process ends abruptly, the iptable_tproxy module refuses to
> unhash the socket:
> 
> IP_TPROXY_UNASSIGN: not unhashing socket, 0100007f:2080, sr=c083c100,
> proto=6, sk->state=7, sr->flags=10003
> 
> The relevant code is near line 868, and I believe the test:
> 
> (sk->state != TCP_LISTEN)
> 
> is too specific.  In the above sock, the state was TCP_CLOSE.
> 
> Should TCP_CLOSE, TCP_CLOSE_WAIT, and/or TCP_CLOSING
> be added (I'm inclined to think that /just/ TCP_CLOSE)?

   Thanks for reporting, this is really an ugly bug. However, I don't 
really like adding TCP_CLOSE to the tests. The whole test has the purpose 
of differentiating between TCP listening sockets and sockets which are 
used by accepted connections. (You should not free the sockref in the 
second case.) Your proposed patch would not solve all these ugly problems, 
for example: if you ASSIGN a foreign address to the socket, set it 
ITP_LISTEN, and then instead of listen() you call connect(), and close() 
the socket. Although correct user-space software would not do this, it 
causes the tproxy hash to fill up... It looks like we need another way to 
differentiate between these type of sockets.

   The problem is already fixed in the just released development version 
of the patch, and will be fixed in the next stable version, also.

> Issue #2: assume a machine with 4 interfaces (if you include lo).
> Binding locally to any of the 3 non-lo addresses works just fine.
> However, why does (the initial local) binding to either 0 (INADDR_ANY)
> or 127.0.0.1 not work?

   It's because of the inner workings of Netfilter, although it certainly 
would be useful to have this working... For now, you should bind to non-lo 
addresses. (If this causes problems, try using a dummy net interface with 
a fake IP.)

-- 
   Regards,
     Krisztian KOVACS