tproxy: kick out TIME_WAIT sockets in case a new connection comes in with the same tuple Without tproxy redirections an incoming SYN kicks out conflicting TIME_WAIT sockets, in order to handle clients that reuse ports within the TIME_WAIT period. The same mechanism didn't work in case TProxy is involved in finding the proper socket, as the time_wait processing code looked up the listening socket assuming that the listener addr/port matches those of the established connection. This is not the case with TProxy as the listener addr/port is possibly changed with the tproxy rule. Signed-off-by: Balazs Scheidler <bazsi@balabit.hu> Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>

commit: 106e4c26b1529e559d1aae777f11b4f8f7bafc26 [log] [tgz]
author: Balazs Scheidler <bazsi@balabit.hu> Thu Oct 21 12:45:14 2010 +0200
committer: Patrick McHardy <kaber@trash.net> Thu Oct 21 12:45:14 2010 +0200
tree: e784c61379e767255bf941f9d78d9ef6e7c58640
parent: d86bef73b4a24e59e7c1f896a72bbf38430ac2c6 [diff] [blame]
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1ca8990..266faa0 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c

@@ -142,7 +142,7 @@
 #endif
 
 	sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol,
-				   saddr, daddr, sport, dport, par->in, false);
+				   saddr, daddr, sport, dport, par->in, NFT_LOOKUP_ANY);
 	if (sk != NULL) {
 		bool wildcard;
 		bool transparent = true;
commit	106e4c26b1529e559d1aae777f11b4f8f7bafc26	[log] [tgz]
author	Balazs Scheidler <bazsi@balabit.hu>	Thu Oct 21 12:45:14 2010 +0200
committer	Patrick McHardy <kaber@trash.net>	Thu Oct 21 12:45:14 2010 +0200
tree	e784c61379e767255bf941f9d78d9ef6e7c58640
parent	d86bef73b4a24e59e7c1f896a72bbf38430ac2c6 [diff] [blame]