Balazs Scheidler <bazsi@xxxxxxxxxx> wrote:
> the destination port in the packet can be different in the two lookups. --on-port tproxy option.
Hrm... The initial lookup uses the header ip addresses:
sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
iph->saddr, iph->daddr,
hp->source, hp->dest,
skb->dev, NFT_LOOKUP_ESTABLISHED);
3 possible cases:
- no socket -- try to find listener. This case is not changed by my patch.
- sk is normal socket. set nfmark and skb->sk. Also not changed.
- sk is in TW state. This is not changed either:
tproxy_handle_time_wait4() will check if this is a SYN. If it is, a new
listener lookup is made, and TW socket is kicked out.
If the packet is not a SYN, then tproxy_handle_time_wait4() won't do anything.
Previously, the timewait sk would now be assigned to skb->sk, which my patch
prevents. But I don't see where the '--on-port' port number is involved in the
TW socket lookup?
Thanks for reviwing the patch!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
