Hi,
I wanted to report a nasty bug I discovered today:

Port forwarding to a different IP on the same haproxy box causes haproxy to behave buggy.
This error happens when one uses the TPROXY target for port forwarding,
i.e. like this:

Let's say the IP of the main interface is 192.168.100.100,
and traffic from outside to port 1234 shall be forwarded
to a virtual IP 192.168.100.101 and port 5678 on the same host, i.e.:

auto eth0
allow-hotplug eth0
iface eth0 inet static
  address   192.168.100.100
  netmask   255.255.255.0
  broadcast 192.168.100.255
  gateway   192.168.100.254
  metric    1
  up   ip addr add 192.168.100.101/32 dev eth0 label eth0:101
  down ip addr del 192.168.100.101/32 dev eth0 label eth0:101

...
iptables -t mangle -A PREROUTING -p tcp --dport 1234 -j TPROXY --tproxy-mark 666 --on-ip 192.168.100.101 --on-port 5678


When REDIRECT is used instead of TPROXY it works, but with that one can only forward to another port of the main IP (192.168.100.100) of the interface, i.e. here eth0.

I can confirm this bug because putting a different transparent proxy program
(actually my own test program) at the same IP:port works fine with such port forwardings.

My environment:
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt2-1 (2014-12-08) x86_64 GNU/Linux, i.e. Debian 8
I compiled haproxy myself w/o any modifications:

# ./haproxy -vv
HA-Proxy version 1.5.10 2014/12/31
Copyright 2000-2014 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux26
  CPU     = x86_64
  CC      = gcc
  CFLAGS  = -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built without OpenSSL support (USE_OPENSSL not set)
Built with PCRE version : 8.35 2014-04-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
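The report compares haproxy against a home-made transparent test listener placed at the TPROXY rule's --on-ip/--on-port. The following is an added example of such a diagnostic listener, written for this page and not part of the report or of haproxy: it binds a TCP socket with IP_TRANSPARENT (so the bind succeeds for an address the host does not own), accepts connections delivered by a TPROXY rule, and prints for each the peer and the local address:port the kernel handed it in on, which is how one can tell whether a given rule delivers at all. The address 192.168.100.101:5678 is the one from the report; the function names and the loopback self-check are this example's own. Setting IP_TRANSPARENT needs CAP_NET_ADMIN; without it the socket is bound the ordinary way and the code reports that, instead of failing silently.

```python
# Added diagnostic listener (example code, not from the bug report or haproxy).
# Under TPROXY the local address of an accepted connection is the rule's
# --on-ip/--on-port, so printing it confirms delivery by the mangle rule.
import errno
import socket

# Linux value of IP_TRANSPARENT from linux/in.h; older Pythons lack the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def listen_transparent(host, port, backlog=16):
    """Return (listening_socket, transparent_enabled).

    With IP_TRANSPARENT set, bind() succeeds even for an address that is not
    configured on any local interface, which is what a TPROXY target relies on.
    If the option cannot be set (no CAP_NET_ADMIN, or a kernel without it), the
    socket is still bound normally and transparent_enabled is False so the
    caller can tell the two situations apart.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    transparent = True
    try:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    except OSError as e:
        if e.errno not in (errno.EPERM, errno.EACCES, errno.ENOPROTOOPT):
            s.close()
            raise
        transparent = False
    s.bind((host, port))
    s.listen(backlog)
    return s, transparent


def describe_connection(conn):
    """Describe an accepted connection: who connected and on which local
    address:port it arrived (under TPROXY: the rule's --on-ip/--on-port)."""
    peer_ip, peer_port = conn.getpeername()
    local_ip, local_port = conn.getsockname()
    return {"peer": f"{peer_ip}:{peer_port}", "local": f"{local_ip}:{local_port}"}


def serve(host="192.168.100.101", port=5678, max_conns=None):
    """Accept connections at the TPROXY --on-ip/--on-port and log each one."""
    srv, transparent = listen_transparent(host, port)
    print(f"listening on {host}:{port} transparent={transparent}")
    seen = 0
    while max_conns is None or seen < max_conns:
        conn, _ = srv.accept()
        with conn:
            info = describe_connection(conn)
            print(f"{info['peer']} -> {info['local']}")
            conn.sendall(b"ok\n")
        seen += 1
    srv.close()


def loopback_self_check():
    """Offline sanity check: bind on 127.0.0.1, connect to ourselves, and return
    the description of the accepted connection plus whether IP_TRANSPARENT
    could be enabled. Works with or without CAP_NET_ADMIN."""
    srv, transparent = listen_transparent("127.0.0.1", 0)
    port = srv.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))
    conn, _ = srv.accept()
    info = describe_connection(conn)
    conn.close()
    client.close()
    srv.close()
    info["transparent"] = transparent
    info["port"] = port
    return info


if __name__ == "__main__":
    serve()
```

Run it as root on the haproxy box in place of haproxy while the mangle rule from the report is loaded; a connection to 192.168.100.100:1234 that is delivered by TPROXY shows up with local address 192.168.100.101:5678. Note that the TPROXY target only marks and redirects; the marked packets still need a policy-routing rule for that fwmark pointing at a local route table, otherwise nothing is delivered regardless of which proxy is listening.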
