Re: netfilter: xt_socket: add XT_SOCKET_NOWILDCARD flag causes behavioural change in userspace?

On Thu, 2013-10-24 at 14:21 +0300, Pekka Pietikäinen wrote:
> On 24/10/13 13:15, Eric Dumazet wrote:
> > On Thu, 2013-10-24 at 11:52 +0200, Pablo Neira Ayuso wrote:
> >> Hi Pekka,
> >>
> >> On Tue, Oct 22, 2013 at 04:33:48PM +0300, Pekka Pietikäinen wrote:
> >>> After a kernel update to 3.11 (feat. commit
> >>> 681f130f39e10087475383e6771b9366e26bab0c) my "generate fake tcp
> >>> connections from random ip addresses" app broke.
> >> Did you give a try to revert it and things were working back fine? I
> >> think the root cause for this behaviour change is not in that patch.
> > Yes, given that the option is off by default, I do not really understand
> > the issue.
> >
> > It's true that the option is currently a bit flawed, but my refactoring
> > of TCP listener should solve the problem soon. I do not feel it necessary
> > to 'fix' xt_socket --nowildcard right now.
> >
> Okie, did some poking. Going back to before "use IP early demux" seems to
> have found the real cause:
> 
> Old:
> 
> [ 1700.684685] sk->sk_state: 2
> [ 1700.684688] wildcard: 0 transparent: 1, sk != skb->sk 1
> [ 1700.684691] proto 6 192.168.122.93:22 -> 5.5.5.5:45856 (orig 5.5.5.5:45856) sock ffff8803fb7b1500
> [ 1700.685583] sk->sk_state: 4
> [ 1700.685585] wildcard: 0 transparent: 1, sk != skb->sk 1
> [ 1700.685587] proto 6 192.168.122.93:22 -> 5.5.5.5:45856 (orig 5.5.5.5:45856) sock ffff8803fb7b1500
> [ 1700.688443] sk->sk_state: 6
> [ 1700.688445] wildcard: 0 transparent: 1, sk != skb->sk 1
> 
> New:
> 
> [ 1613.960054] sk->sk_state: 7
> [ 1613.960057] wildcard: 1 transparent: 1, sk != skb->sk 0
> [ 1613.960060] proto 6 192.168.122.93:22 -> 5.5.5.5:43540 (orig 5.5.5.5:43540) sock           (null)
> [ 1615.511751] sk->sk_state: 7
> [ 1615.511754] wildcard: 1 transparent: 1, sk != skb->sk 0
> [ 1615.511756] proto 6 192.168.122.93:22 -> 5.5.5.5:43540 (orig 5.5.5.5:43540) sock           (null)
> [ 1615.963020] sk->sk_state: 7
> [ 1615.963022] wildcard: 1 transparent: 1, sk != skb->sk 0
> [ 1615.963024] proto 6 192.168.122.93:22 -> 5.5.5.5:34950 (orig 5.5.5.5:34950) sock           (null)
> [ 1615.963036] sk->sk_state: 7
> [ 1615.963037] wildcard: 1 transparent: 1, sk != skb->sk 0
> [ 1615.963038] proto 6 192.168.122.93:22 -> 5.5.5.5:43540 (orig 5.5.5.5:43540) sock           (null)
> 

sk_state 7 means TCP_CLOSE

I do not see how a TCP_CLOSE socket can be matched...
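As an added example (not part of this thread, and not kernel code), here is a small Python parser for the three-line xt_socket debug output quoted above. It decodes the sk_state numbers using the kernel's tcp_states.h numbering (where 7 is TCP_CLOSE, as the mail says) and lists the records where a wildcard match was reported against a socket already in TCP_CLOSE, the combination being questioned. The sample lines are the Old/New dumps from the mail, joined back onto single lines where the mail client wrapped them; the printk format is assumed from those lines, not taken from the kernel source.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# TCP socket state numbers as defined in the Linux kernel (include/net/tcp_states.h).
TCP_STATES = {
    1: "TCP_ESTABLISHED", 2: "TCP_SYN_SENT", 3: "TCP_SYN_RECV",
    4: "TCP_FIN_WAIT1", 5: "TCP_FIN_WAIT2", 6: "TCP_TIME_WAIT",
    7: "TCP_CLOSE", 8: "TCP_CLOSE_WAIT", 9: "TCP_LAST_ACK",
    10: "TCP_LISTEN", 11: "TCP_CLOSING",
}
TCP_CLOSE = 7

# One debug record is three consecutive printk lines; the patterns below are
# assumed from the lines quoted in the mail, not from the kernel source.
STATE_RE = re.compile(r"\[\s*([\d.]+)\] sk->sk_state: (\d+)")
FLAGS_RE = re.compile(r"\] wildcard: (\d) transparent: (\d), sk != skb->sk (\d)")
PROTO_RE = re.compile(
    r"\] proto (\d+) (\S+):(\d+) -> (\S+):(\d+) \(orig (\S+):(\d+)\) sock\s+(\S+)")


@dataclass
class SocketMatch:
    ts: float
    state: int
    wildcard: Optional[bool] = None
    transparent: Optional[bool] = None
    sk_differs: Optional[bool] = None   # the "sk != skb->sk" flag
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sock: Optional[str] = None          # raw pointer text; "(null)" when the kernel printed that

    @property
    def state_name(self) -> str:
        return TCP_STATES.get(self.state, f"UNKNOWN({self.state})")

    @property
    def has_socket(self) -> bool:
        return self.sock is not None and self.sock != "(null)"


def parse_records(lines: List[str]) -> List[SocketMatch]:
    """Group the printk lines into records.

    A record starts at an "sk->sk_state" line; the flags and proto lines that
    follow fill it in. A record with no proto line (as at the end of the 'Old'
    dump) is kept with those fields left as None.
    """
    records: List[SocketMatch] = []
    current: Optional[SocketMatch] = None
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            current = SocketMatch(ts=float(m.group(1)), state=int(m.group(2)))
            records.append(current)
            continue
        if current is None:
            continue
        m = FLAGS_RE.search(line)
        if m:
            current.wildcard, current.transparent, current.sk_differs = (
                g == "1" for g in m.groups())
            continue
        m = PROTO_RE.search(line)
        if m:
            current.proto = int(m.group(1))
            current.src = f"{m.group(2)}:{m.group(3)}"
            current.dst = f"{m.group(4)}:{m.group(5)}"
            current.sock = m.group(8)
    return records


def closed_wildcard_matches(records: List[SocketMatch]) -> List[SocketMatch]:
    """Records where a wildcard match was reported on a socket in TCP_CLOSE."""
    return [r for r in records if r.state == TCP_CLOSE and r.wildcard]


def summarize(records: List[SocketMatch]) -> List[str]:
    return [f"{r.ts:.6f} {r.state_name:<16} wildcard={r.wildcard} sock={r.sock}"
            for r in records]


# Constructed sample input: the Old/New dumps from the mail, unwrapped.
OLD_LOG = """\
[ 1700.684685] sk->sk_state: 2
[ 1700.684688] wildcard: 0 transparent: 1, sk != skb->sk 1
[ 1700.684691] proto 6 192.168.122.93:22 -> 5.5.5.5:45856 (orig 5.5.5.5:45856) sock ffff8803fb7b1500
[ 1700.685583] sk->sk_state: 4
[ 1700.685585] wildcard: 0 transparent: 1, sk != skb->sk 1
[ 1700.685587] proto 6 192.168.122.93:22 -> 5.5.5.5:45856 (orig 5.5.5.5:45856) sock ffff8803fb7b1500
[ 1700.688443] sk->sk_state: 6
[ 1700.688445] wildcard: 0 transparent: 1, sk != skb->sk 1
""".splitlines()

NEW_LOG = """\
[ 1613.960054] sk->sk_state: 7
[ 1613.960057] wildcard: 1 transparent: 1, sk != skb->sk 0
[ 1613.960060] proto 6 192.168.122.93:22 -> 5.5.5.5:43540 (orig 5.5.5.5:43540) sock           (null)
[ 1615.511751] sk->sk_state: 7
[ 1615.511754] wildcard: 1 transparent: 1, sk != skb->sk 0
[ 1615.511756] proto 6 192.168.122.93:22 -> 5.5.5.5:43540 (orig 5.5.5.5:43540) sock           (null)
[ 1615.963020] sk->sk_state: 7
[ 1615.963022] wildcard: 1 transparent: 1, sk != skb->sk 0
[ 1615.963024] proto 6 192.168.122.93:22 -> 5.5.5.5:34950 (orig 5.5.5.5:34950) sock           (null)
[ 1615.963036] sk->sk_state: 7
[ 1615.963037] wildcard: 1 transparent: 1, sk != skb->sk 0
[ 1615.963038] proto 6 192.168.122.93:22 -> 5.5.5.5:43540 (orig 5.5.5.5:43540) sock           (null)
""".splitlines()

if __name__ == "__main__":
    for label, log in (("Old", OLD_LOG), ("New", NEW_LOG)):
        recs = parse_records(log)
        print(label, "\n  " + "\n  ".join(summarize(recs)))
        print("  TCP_CLOSE wildcard matches:", len(closed_wildcard_matches(recs)))
```

Run against the two dumps, the Old log decodes to SYN_SENT, FIN_WAIT1 and TIME_WAIT with a real socket pointer and no wildcard matches, while every New record is a wildcard match on a TCP_CLOSE socket with a null pointer, which is exactly the contrast the mail draws.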
