[tproxy] tproxy race condition? [RESEND]

jim@minter.demon.co.uk jim@minter.demon.co.uk
Fri, 17 Dec 2004 15:12:41 +0000

Hi Krisztian :o)

>   Ok, do you have any DNAT/MASQUERADE rules in your iptables config? Or
> what kind of NAT rulese do you use?


>   Another shortcoming of the NAT-based operation of tproxy is the
> following: you have to make sure that you do not reuse the _local_
> address before the conntrack entry of the previous connection from that
> address times out. So, if you make a lot of connections from the same
> IP, and the local autobind port range is not enough for you, you'll have
> to use additional local IP addresses as well. (Note that these do not
> need to be routable IP addresses.)

I'm aware of this -- the examples I've put together (see below) are taken immediately after booting the kernel, and problems occur well before the local TCP port range is exhausted.

> > >   _This_ is strange... Could you send me a tcpdump capture of that
> > > traffic and the matching tproxy debug output?
> > 
> > Will do, in a separate post.

I've put together a fine collection of logs and tcpdumps from a 20s run of my test programs.  They show the problem occurring six times and the tar file is 2.2M.  Is there somewhere I can e-mail/FTP this to, for you to see?