[tproxy] [tproxy,regression] tproxy broken in 2.6.32

KOVACS Krisztian hidden at balabit.hu
Mon Nov 30 13:45:29 CET 2009


On Mon, 2009-11-30 at 07:15 -0500, jamal wrote:
> On Sun, 2009-11-29 at 21:35 +0100, KOVACS Krisztian wrote:
> > The story is that we really do want to deliver these packets locally, as
> > if the destination IP address was locally configured on the host. The only
> > way I know of to get the packet to ip_local_deliver() is by using a local
> > route.
> Aha, now i understand where both you and Patrick are coming from. So
> you literally have to hit the main(or default) table in the reverse
> source validation. How does the workaround (that you suggested) work
> then? i.e you are going to fail the RTN_UNICAST test no matter what.

No, because by narrowing the rule to specific ingress interfaces the
lookup done in fib_validate_source() won't match the rule(s) (because
the flow used will have iif set to the loopback device), and thus it
will look up the main table and select a unicast route.

> Dave, give me some short time to mull this over. I am not sure i like
> the sysctl approach - we may have to just revert the whole thing
> instead.

I don't think it would be unreasonable to add a sysctl but disable the
feature by default. It's up to you, of course.


More information about the tproxy mailing list