On Wed, 12 Mar 2025 at 08:11, Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> wrote:
> > Hi,
> >
> > I'm puzzled trying to understand the following behavior, appreciate it
> > if you can help me to understand better how this works.
> >
> > The setup is like this: Client --- Router --- Server
> >
> > - Router DNATs to a Virtual IP and Port of the Server.
> > - Client establishes a permanent connection to the Virtual IP.
> > - Router adds a REJECT rule in the FORWARD hook for the Server IP
> >
> > I expect the REJECT to match the established connection, but the
> > client keeps reaching the Server using the existing connection.
> >
> > The packets of the established connection do not show up on the traces
> > using nftrace.
> >
> > Is it possible to "DROP/REJECT" the established connection?
> >
> > I've created a selftest to reproduce this behavior, please find it attached.
>
> Unfortunately this selftest passes for me.
>
> PASS: ns1-apNbtu can reach ns2-VgBo5h
> PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to ns2
> PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
> > 2025/03/12 08:10:58.000388001 length=5 from=0 to=4
> PING
> < 2025/03/12 08:10:58.000388848 length=5 from=0 to=4
> PING
> PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to vip
> PASS: test_ip_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
> PASS: test_ip_conntrack_reject_established: ns1 got "Connection refused" connecting to vip (ns2)
> PASS: test_ip_conntrack_reject_established: ns1 connection to vip is closed (ns2)
> PASS: test_ip_conntrack_reject_established: ns1 got no response and client is closed to vip (ns2)
> PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to ns2
> PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
> > 2025/03/12 08:11:00.000519768 length=5 from=0 to=4
> PING
> < 2025/03/12 08:11:00.000520866 length=5 from=0 to=4
> PING
> PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to vip
> PASS: test_ip6_conntrack_reject_established: ns1 got reply "PING" connecting to vip using persistent connection
> PASS: test_ip6_conntrack_reject_established: ns1 got "Connection refused" connecting to vip (ns2)
> PASS: test_ip6_conntrack_reject_established: ns1 connection to vip is closed (ns2)
> PASS: test_ip6_conntrack_reject_established: ns1 got no response and client is closed to vip (ns2)
>
> Linux 6.13.5-200.fc41.x86_64
> nftables v1.0.9 (Old Doc Yak #3)

I've tried to debug this further, I did:

1. Install a trace rule, but the subsequent packets on the established
connection do not show in the trace

    chain input {
        type filter hook prerouting priority -301; policy accept;
        ip protocol tcp meta nftrace set 1
    }

2. Run ./pwru --output-tuple --output-meta tcp port 8080, and this is the
only output I got when I send data over the established connection

0xffffa20289e39600 38 ~bin/socat1:3357 0 0 0 0x0800 0 10 10.0.4.10:8080->10.0.1.99:12345(tcp) __skb_clone
0xffffa20289e39600 38 ~bin/socat1:3357 0 0 0 0x0800 0 10 10.0.4.10:8080->10.0.1.99:12345(tcp) __copy_skb_header
0xffffa20289e39b80 38 ~bin/socat1:3357 0 0 0 0x0800 0 0 10.0.4.10:8080->10.0.1.99:12345(tcp) napi_consume_skb
0xffffa20289e39b80 38 ~bin/socat1:3357 0 0 0 0x0800 0 0 10.0.4.10:8080->10.0.1.99:12345(tcp) skb_release_head_state
0xffffa20289e39b80 38 ~bin/socat1:3357 0 0 0 0x0800 0 0 10.0.4.10:8080->10.0.1.99:12345(tcp) skb_release_data
0xffffa20289e39b80 38 ~bin/socat1:3357 0 0 0 0x0800 0 0 10.0.4.10:8080->10.0.1.99:12345(tcp) skb_free_head
0xffffa20289e39b80 38 ~bin/socat1:3357 0 0 0 0x0800 0 0 10.0.4.10:8080->10.0.1.99:12345(tcp) kfree_skbmem

Is there some kind of optimization that just directly copies the data
without going through netfilter hooks, or am I doing something wrong?
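The router-side ruleset for the Client --- Router --- Server setup described in the thread, written here as an added example rather than the attached selftest: the server 10.0.4.10:8080 and client 10.0.1.99 come from the pwru tuple above, while the VIP 10.0.3.1:80 is a placeholder assumed for this example.

```nft
# Added example reproducing the setup from the thread (not the attached selftest).
# Assumptions: server 10.0.4.10:8080 and client 10.0.1.99 are taken from the
# pwru tuple above; VIP 10.0.3.1:80 is a placeholder chosen for this example.
table inet router {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Map the virtual IP/port onto the real server.
        ip daddr 10.0.3.1 tcp dport 80 dnat ip to 10.0.4.10:8080
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # DNAT in prerouting has already rewritten daddr, so the forward hook
        # sees the server address, not the VIP.
        # Nothing before this rule accepts "ct state established", so packets
        # of an existing flow are expected to hit it too, provided they actually
        # traverse the forward hook. The counter makes that visible.
        ip daddr 10.0.4.10 tcp dport 8080 counter reject with tcp reset
    }
}
```

After loading with `nft -f`, `nft list ruleset` shows whether the counter on the reject rule advances while data is sent over the existing connection; if it stays at zero, also check `nft list flowtables`, since flows offloaded to a flowtable take the fast path and bypass the forward chain entirely.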