Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

Brandon Cazander wrote: [ cc netfilter-devel ] > Sorry to resurrect this so much later—I just got back from holidays and this > was still on my desk. > > Will anyone have another chance to look at this? It appears that the DIVERT > rule is not working in our

Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

. From: Brandon Cazander Sent: Monday, August 15, 2016 9:28 AM To: Florian Westphal Cc: netdev@vger.kernel.org; Eric Dumazet Subject: Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)   I can recreate the issue with these rules: ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0

Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

I can recreate the issue with these rules: ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100 iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8080 -j TPROXY --on-port 9876 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1 iptables -t nat -A PREROUTING -d 192.168.7.20/32 -i

Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

Brandon Cazander wrote: > Is there anything I can provide or do to help get this issue fixed? Even with > the patch provided, our application is still broken. [..] > I think that it is worth doing, as the original kernel change broke my user > space program

Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

differently than the other setup so I need to look into that. But it definitely worked before the changes to the kernel. From: Florian Westphal <f...@strlen.de> Sent: Tuesday, August 2, 2016 3:11 PM To: Brandon Cazander Cc: Florian Westphal Subject: Re: PROBLEM: TPROXY and DNAT broken (bi

Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

need to look into that. But it definitely worked before the changes to the kernel. From: Florian Westphal <f...@strlen.de> Sent: Tuesday, August 2, 2016 3:11 PM To: Brandon Cazander Cc: Florian Westphal Subject: Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)   Brandon Ca

Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

an Westphal <f...@strlen.de> Sent: Friday, July 29, 2016 6:21 AM To: Brandon Cazander Cc: netdev@vger.kernel.org; eduma...@google.com Subject: Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)   Brandon Cazander <brandon.cazan...@multapplied.net> wrote: > * When it fails

Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

Brandon Cazander wrote: > * When it fails, no traffic hits the WEBSERVER. A tcpdump on the bad kernel > shows: > root@dons-qemu-new-kernel:~# tcpdump -niany tcp and port 8080 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode >

Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

Brandon Cazander wrote: > Hopefully that's enough detail to replicate this issue. I have the full > environment set up for both working and non-working kernel versions, so > please let me know if there's anything else I can provide. No need, this reproduces

Re: PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

On Wed, 2016-07-27 at 18:19 +, Brandon Cazander wrote: > [1.] One line summary of the problem: > Using TPROXY together with a DNAT rule (working on older kernels) fails to > work on newer kernels as of commit 079096f103fa > > [2.] Full description of the problem/report: > I performed a git

PROBLEM: TPROXY and DNAT broken (bisected to 079096f103fa)

[1.] One line summary of the problem: Using TPROXY together with a DNAT rule (working on older kernels) fails to work on newer kernels as of commit 079096f103fa [2.] Full description of the problem/report: I performed a git bisect using a qemu image to test my example below, and the bisect