kernel-packages team mailing list archive

[Bug 1234877] Re: ip6tables - --reject-with tcp-reset does not work correctly in chain OUTPUT

 

Please include patch in the first comment.  It resolves this problem on
kernels >=3.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1234877

Title:
  ip6tables - --reject-with tcp-reset does not work correctly in chain
  OUTPUT

Status in “linux” package in Ubuntu:
  Confirmed

Bug description:
  Hello,

  We use:

  Description:	Ubuntu 12.04.3 LTS
  Release:	12.04

  kernel 3.2.2 (checked also 3.8* and 3.10.5-031005-generic kernels. Same.)
  iptables=1.4.12-1ubuntu5
  and ipv6

  We noticed that --reject-with tcp-reset takes 7 seconds with a rule
  such as:

  ip6tables -I OUTPUT -p tcp --dport 10001 -j REJECT --reject-with tcp-reset

  ip6tables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination         

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination         

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination         
  REJECT     tcp      anywhere             anywhere             tcp dpt:10001 reject-with tcp-reset

  time telnet <ourlovelyipv6onlyserver> 10001
  Trying 2a02:6b8:0:c10*...
  telnet: Unable to connect to remote host: Connection timed out

  real	0m7.012s
  user	0m0.000s
  sys	0m0.000s

  Rule works:

  ip6tables -vL
  Chain INPUT (policy ACCEPT 506 packets, 49495 bytes)
   pkts bytes target     prot opt in     out     source               destination         

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         

  Chain OUTPUT (policy ACCEPT 346 packets, 37392 bytes)
   pkts bytes target     prot opt in     out     source               destination         
      3   216 REJECT     tcp      any    any     anywhere             anywhere             tcp dpt:10001 reject-with tcp-reset

  Tcpdump is empty. The packet counter increases. All is well.
  But it takes 7 seconds.

  iptables does the same within 0.005s.

  I think this is a bug.

  Thank you.
  Have a nice day.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1234877/+subscriptions
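
The check the reporter performed with `time telnet`, written as a repeatable probe. This is an added example, not part of the bug report or of the patch it mentions; the function names, the 1-second threshold and the loopback test target are assumptions made for illustration.

```python
import errno
import socket
import time


def probe_connect(host, port, timeout=10.0):
    """Time one TCP connect; return (outcome, seconds)."""
    # getaddrinfo accepts IPv6 and IPv4 literals as well as hostnames.
    family, kind, proto, _, addr = socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM)[0]
    sock = socket.socket(family, kind, proto)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect(addr)
        outcome = "connected"
    except ConnectionRefusedError:
        outcome = "reset"      # an RST reached the client (ECONNREFUSED)
    except (socket.timeout, TimeoutError):
        outcome = "timeout"    # no answer, as in the 7-second telnet run
    except OSError as exc:
        outcome = "error:" + errno.errorcode.get(exc.errno, "unknown")
    finally:
        elapsed = time.monotonic() - start
        sock.close()
    return outcome, elapsed


def reject_is_prompt(outcome, elapsed, max_seconds=1.0):
    """True only when the connect was refused by a reset, and quickly."""
    return outcome == "reset" and elapsed < max_seconds


def closed_loopback_port():
    """Constructed test target: a loopback port with no listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    outcome, elapsed = probe_connect("127.0.0.1", closed_loopback_port())
    print(outcome, round(elapsed, 3), reject_is_prompt(outcome, elapsed))
```

To test a REJECT rule, call `probe_connect` with the IPv6 host and the port the rule matches; the behaviour described in the report corresponds to a `timeout` outcome after about 7 seconds, while the iptables behaviour it is compared against corresponds to a `reset` within milliseconds.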