After a kernel update to 3.11 (featuring commit
681f130f39e10087475383e6771b9366e26bab0c) my "generate fake TCP
connections from random IP addresses" app broke. The test case is as simple as
running the following (on the victim's default gateway):
import socket

# IP_TRANSPARENT lets the socket bind to an address that is not configured
# on any local interface (needs CAP_NET_ADMIN).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_IP, socket.IP_TRANSPARENT, 1)
s.bind(("5.5.5.5", 6666))          # non-local, spoofed source address
s.connect(("192.168.122.46", 22))  # victim
---
# policy routing: anything marked with fwmark 1 is delivered locally
ip route flush table 100
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
---
# iptables-restore format: mark packets that belong to a local socket
*mangle
-N DIVERT
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
COMMIT
and the 3-way handshake never finishes. Without -m socket (or with the
new --nowildcard) it does.

Bug, feature or end-user cluelessness? (No problem fixing my ruleset,
but it's still a behavioural change :P )