kernel-packages team mailing list archive

[Bug 1234877] [NEW] ip6tables - --reject-with tcp-reset does not work correctly in chain OUTPUT

 

You have been subscribed to a public bug:

Hello,

We use:

Description:	Ubuntu 12.04.3 LTS
Release:	12.04

kernel 3.2.2 (checked also 3.8* and 3.10.5-031005-generic kernels. Same.)
iptables=1.4.12-1ubuntu5
and IPv6

We noticed that --reject-with tcp-reset takes 7 seconds:

ip6tables -I OUTPUT -p tcp --dport 10001 -j REJECT --reject-with tcp-reset
With such a rule:

ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp      anywhere             anywhere             tcp dpt:10001 reject-with tcp-reset

time telnet <ourlovelyipv6onlyserver> 10001
Trying 2a02:6b8:0:c10*...
telnet: Unable to connect to remote host: Connection timed out

real	0m7.012s
user	0m0.000s
sys	0m0.000s

The rule works:

ip6tables -vL
Chain INPUT (policy ACCEPT 506 packets, 49495 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 346 packets, 37392 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   216 REJECT     tcp      any    any     anywhere             anywhere             tcp dpt:10001 reject-with tcp-reset

Tcpdump is empty. The packet counter increases. All is well.
But it takes 7 seconds.

iptables does the same within 0.005s.

I think this is a bug.

Thank you.
Have a nice day.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: precise
-- 
ip6tables - --reject-with tcp-reset does not work correctly in chain OUTPUT
https://bugs.launchpad.net/bugs/1234877
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
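
An added example, not part of the bug report or of the Launchpad notification: a small Python probe that times one TCP connect and reports whether the caller saw an immediate reset (the 0.005s iptables case above) or a timeout (the 7s ip6tables case above). The function names and the 1-second FAST_RESET_S threshold are assumptions made for this example.

```python
import socket
import sys
import time

FAST_RESET_S = 1.0  # assumed threshold: a locally generated RST should be near-instant


def classify(outcome, elapsed, fast=FAST_RESET_S):
    """Map a connect() outcome and its duration to the behaviour the rule produced."""
    if outcome == "connected":
        return "not filtered"
    if outcome == "refused":
        return "reset (immediate)" if elapsed < fast else "reset (delayed)"
    if outcome == "timeout":
        return "no reset seen (behaves like DROP)"
    return "other error"


def measure(attempt, clock=time.monotonic):
    """Run one connect attempt (a zero-argument callable) and time it."""
    start = clock()
    try:
        attempt()
        outcome = "connected"
    except ConnectionRefusedError:  # RST received: what tcp-reset should cause
        outcome = "refused"
    except (socket.timeout, TimeoutError):  # kernel ETIMEDOUT or our own timeout
        outcome = "timeout"
    except OSError:
        outcome = "error"
    elapsed = clock() - start
    return outcome, elapsed, classify(outcome, elapsed)


def tcp_attempt(host, port, timeout=30.0):
    """Build a connect attempt; the address family follows the literal address."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET

    def attempt():
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
    return attempt


if __name__ == "__main__" and len(sys.argv) == 3:
    outcome, elapsed, verdict = measure(tcp_attempt(sys.argv[1], int(sys.argv[2])))
    print(f"{outcome} after {elapsed:.3f}s: {verdict}")
```

Run it as `python3 probe.py <address> <port>` once against an IPv4 literal and once against an IPv6 literal covered by the same REJECT rule, then compare the two verdicts.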