[tproxy] tproxy race condition? [RESEND]
jim@minter.demon.co.uk
Fri, 17 Dec 2004 15:12:41 +0000
Hi Krisztian :o)
> Ok, do you have any DNAT/MASQUERADE rules in your iptables config? Or
> what kind of NAT rules do you use?
None!
> Another shortcoming of the NAT-based operation of tproxy is the
> following: you have to make sure that you do not reuse the _local_
> address before the conntrack entry of the previous connection from that
> address times out. So, if you make a lot of connections from the same
> IP, and the local autobind port range is not enough for you, you'll have
> to use additional local IP addresses as well. (Note that these do not
> need to be routable IP addresses.)
I'm aware of this -- the examples I've put together (see below) are taken immediately after booting the kernel, and problems occur well before the local TCP port range is exhausted.
> > > _This_ is strange... Could you send me a tcpdump capture of that
> > > traffic and the matching tproxy debug output?
> >
> > Will do, in a separate post.
I've put together a fine collection of logs and tcpdumps from a 20s run of my test programs. They show the problem occurring six times and the tar file is 2.2M. Is there somewhere I can e-mail/FTP this to, for you to see?
Cheers,
Jim
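As an added illustration of the constraint Krisztian describes in the quoted reply (this is not code from the thread or from tproxy itself), the following Python model hands out local (ip, port) pairs for NATed connections and refuses to reuse one until the conntrack entry of its previous connection would have timed out; the IP addresses, port range, timeout and connection rate are constructed values.

```python
"""Model of the local-endpoint reuse constraint: a NATed connection's local
(ip, port) must not be reused before its conntrack entry has expired.
Added illustration only; all addresses, ranges and timeouts are constructed."""
from collections import deque

class LocalEndpointPool:
    """Hands out local (ip, port) pairs and holds each one back until the
    conntrack entry of the connection that last used it has expired."""

    def __init__(self, local_ips, port_range, conntrack_timeout):
        self.timeout = conntrack_timeout
        # Every (ip, port) combination starts out free.
        self.free = deque((ip, p) for ip in local_ips for p in port_range)
        self.in_use = {}  # (ip, port) -> time at which its conntrack entry expires

    def _expire(self, now):
        # Return endpoints whose conntrack entry has timed out to the free list.
        for ep, expires_at in list(self.in_use.items()):
            if expires_at <= now:
                del self.in_use[ep]
                self.free.append(ep)

    def allocate(self, now):
        """Return a free endpoint, or None if every one is still tracked."""
        self._expire(now)
        if not self.free:
            return None
        ep = self.free.popleft()
        self.in_use[ep] = now + self.timeout
        return ep

def simulate(local_ips, port_range, conntrack_timeout, rate, duration):
    """Open `rate` connections per second for `duration` seconds and return
    how many attempts found no local endpoint that was safe to reuse."""
    pool = LocalEndpointPool(local_ips, port_range, conntrack_timeout)
    failures = 0
    for second in range(duration):
        for _ in range(rate):
            if pool.allocate(second) is None:
                failures += 1
    return failures

if __name__ == "__main__":
    # One constructed local IP with 100 autobind ports, a 120 s conntrack
    # timeout and 10 new connections per second: the pool runs dry after 10 s.
    print(simulate(["10.0.0.1"], range(1000, 1100), 120, 10, 30))
    # Adding two more (non-routable) local IPs removes the shortfall.
    print(simulate(["10.0.0.1", "10.0.0.2", "10.0.0.3"], range(1000, 1100), 120, 10, 30))
```

With a conntrack timeout shorter than the time needed to cycle through the port range, endpoints are recycled and no attempt fails, which is the case the quoted advice is warning you not to rely on under load.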