Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> wrote:
> Hi,
>
> I'm puzzled trying to understand the following behavior, appreciate it
> if you can help me to understand better how this works.
>
> The setup is like this: Client --- Router --- Server
>
> - Router DNATs to a Virtual IP and Port of the Server.
> - Client establishes a permanent connection to the Virtual IP.
> - Router adds a REJECT rule in the FORWARD hook for the Server IP
>
> I expect the REJECT to match the established connection, but the
> client keeps reaching the Server using the existing connection.
>
> The packets of the established connection do not show up on the traces
> using nftrace.
>
> Is it possible to "DROP/REJECT" the established connection?
>
> I've created a selftest to reproduce this behavior, please find it attached.

Unfortunately this selftest passes for me.

PASS: ns1-apNbtu can reach ns2-VgBo5h
PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to ns2
PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
> 2025/03/12 08:10:58.000388001  length=5 from=0 to=4
PING
< 2025/03/12 08:10:58.000388848  length=5 from=0 to=4
PING
PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to vip
PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
PASS: test_ip_conntrack_reject_established: ns1 got "Connection refused" connecting to vip (ns2)
PASS: test_ip_conntrack_reject_established: ns1 connection to vip is closed (ns2)
PASS: test_ip_conntrack_reject_established: ns1 got no response and client is closed to vip (ns2)
PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to ns2
PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
> 2025/03/12 08:11:00.000519768  length=5 from=0 to=4
PING
< 2025/03/12 08:11:00.000520866  length=5 from=0 to=4
PING
PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to vip
PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
PASS: test_ip6_conntrack_reject_established: ns1 got "Connection refused" connecting to vip (ns2)
PASS: test_ip6_conntrack_reject_established: ns1 connection to vip is closed (ns2)
PASS: test_ip6_conntrack_reject_established: ns1 got no response and client is closed to vip (ns2)

Linux 6.13.5-200.fc41.x86_64
nftables v1.0.9 (Old Doc Yak #3)
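A ruleset that reconstructs the router side of the setup described in the quoted message, as an added example for readers following the thread; it is neither the attached selftest nor either poster's rules, and the addresses, ports and table name are constructed placeholders:

```nft
# Constructed addressing (assumption, not from the thread):
#   client 10.0.1.2 -- router (10.0.1.1 / 10.0.2.1) -- server 10.0.2.2
#   virtual IP 10.0.0.100, virtual port 8080, real server port 80
table ip router {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Client connects to the VIP; the router rewrites it to the server.
        # Only the first packet of a flow traverses this chain; later packets
        # of the same flow are translated by conntrack from the stored mapping.
        ip daddr 10.0.0.100 tcp dport 8080 dnat to 10.0.2.2:80
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Mark forwarded packets of tracked flows so "nft monitor trace"
        # shows exactly what the forward hook sees after DNAT.
        ct state established meta nftrace set 1
        # The rule the question is about: added after the client's persistent
        # connection already exists, keyed on the server's real IP.
        ip daddr 10.0.2.2 reject
    }
}
```

Load it on the router with `nft -f <file>` and watch hits with `nft monitor trace`; comparing the trace for a fresh connection with the one for the pre-existing persistent connection is the quickest way to see whether the forward hook evaluates the established flow at all.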