Between 2.6.18 and 2.6.19 (and 2.6.19.1) we've observed that a reject rule on the OUTPUT chain no longer causes a connection attempt to abort immediately with "Connection refused". As a specific example, this rule

    iptables -A OUTPUT -p tcp --destination-port 23 \
        --destination 10.0.20.1 -j REJECT --reject-with tcp-reset

will cause a telnet connection to 10.0.20.1 to fail immediately under 2.6.18 but will take minutes to timeout under 2.6.19. A "git bisect" identifies change 9d02002d2dc2c7423e5891b97727fde4d667adf1 as the culprit. The change description gives no hint that this effect was intended. Is this a regression?
On Tue, 19 Dec 2006 19:58:14 -0800 bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=7716
>
>            Summary: change in behavior of OUTPUT chain reject rule in
>                     2.6.19?
>     Kernel Version: 2.6.19
>             Status: NEW
>           Severity: normal
>              Owner: networking_netfilter-iptables@kernel-bugs.osdl.org
>          Submitter: maccetta@laurelnetworks.com
>
>
> Between 2.6.18 and 2.6.19 (and 2.6.19.1) we've observed that a reject
> rule on the OUTPUT chain no longer causes a connection attempt to abort
> immediately with "Connection refused". As a specific example, this rule
>
>   iptables -A OUTPUT -p tcp --destination-port 23 \
>     --destination 10.0.20.1 -j REJECT --reject-with tcp-reset
>
> will cause a telnet connection to 10.0.20.1 to fail immediately under
> 2.6.18 but will take minutes to timeout under 2.6.19. A "git bisect"
> identifies change 9d02002d2dc2c7423e5891b97727fde4d667adf1 as the
> culprit. The change description gives no hint that this effect was
> intended. Is this a regression?
>
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug, or are watching someone who is.
Created attachment 9927
Fix output routing

Please try if this patch helps.
Created attachment 9928
Fix output routing

Please try if this patch helps.
This patch indeed fixes the above test case with a 2.6.19 kernel for me. Thank you!
The patch from this bug was included in both 2.6.19.3 and 2.6.20.
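A connect-timing check for the test case in the report, as an added example that is not part of the original thread: it separates an immediate "Connection refused" (the behaviour reported under 2.6.18) from a connect that hangs until it times out (the behaviour reported under 2.6.19). The function names, the 1-second threshold and the loopback self-check are assumptions made for this example.

```python
import errno
import socket
import sys
import time

def probe(host, port, timeout=5.0):
    """Attempt one TCP connect; return (outcome, elapsed_seconds)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        outcome = "connected"
    except ConnectionRefusedError:
        outcome = "refused"          # RST received: what tcp-reset should give
    except socket.timeout:
        outcome = "timeout"          # no RST seen: the regressed behaviour
    except OSError as exc:
        outcome = "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    elapsed = time.monotonic() - start
    s.close()
    return outcome, elapsed

def reject_rule_effective(host, port, fast=1.0, timeout=5.0):
    """True only if the connect was refused quickly (threshold is an assumption)."""
    outcome, elapsed = probe(host, port, timeout)
    return outcome == "refused" and elapsed < fast

def closed_local_port():
    """Constructed test target: a loopback port that nothing listens on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    # With arguments, e.g. "10.0.20.1 23" from the report, probe that target
    # on a host where the OUTPUT REJECT rule is loaded; otherwise self-check.
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
    else:
        host, port = "127.0.0.1", closed_local_port()
    outcome, elapsed = probe(host, port)
    print(f"{host}:{port} -> {outcome} after {elapsed:.2f}s")
    sys.exit(0 if outcome == "refused" and elapsed < 1.0 else 1)
```

Run on a kernel before and after the fix, the exit status gives a pass/fail result suitable for a firewall regression test.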