Bug 7716 - change in behavior of OUTPUT chain reject rule in 2.6.19?
Status: CLOSED CODE_FIX
Product: Networking
Classification: Unclassified
Component: Netfilter/Iptables
Hardware: i386 Linux
Importance: P2 normal
Assignee: networking_netfilter-iptables@kernel-bugs.osdl.org
Reported: 2006-12-19 19:53 UTC by Mike Accetta
Modified: 2007-02-25 08:42 UTC
Kernel Version: 2.6.19
Regression: ---

Attachments
Fix output routing (1.55 KB, patch), 2006-12-22 05:04 UTC, Patrick McHardy
Fix output routing (1.55 KB, patch), 2006-12-22 05:05 UTC, Patrick McHardy

Description Mike Accetta 2006-12-19 19:53:36 UTC
Between 2.6.18 and 2.6.19 (and 2.6.19.1) we've observed that a reject
rule on the OUTPUT chain no longer causes a connection attempt to abort
immediately with "Connection refused".  As a specific example, this rule

iptables -A  OUTPUT -p tcp --destination-port 23 \
  --destination 10.0.20.1  -j REJECT --reject-with tcp-reset

will cause a telnet connection to 10.0.20.1 to fail immediately under
2.6.18 but will take minutes to timeout under 2.6.19.  A "git bisect"
identifies change 9d02002d2dc2c7423e5891b97727fde4d667adf1 as the
culprit.  The change description gives no hint that this effect was
intended.  Is this a regression?
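A scripted form of the reporter's check, added here as an example and not part of the bug report or of the kernel tree: it attempts a TCP connect, times it, and classifies the failure so that the two behaviours described above (an immediate "Connection refused" versus minutes of SYN retransmission) can be told apart from a test harness. The function names, the verdict strings and the use of a closed loopback port as a constructed stand-in for the reset path are this example's own assumptions; only the iptables rule and the 2.6.18/2.6.19 behaviours come from the report.

```python
import errno
import socket
import time


def probe(host, port, timeout=5.0):
    """Try a TCP connect to (host, port) and classify how it ended.

    Returns (outcome, elapsed_seconds). outcome is one of:
      "connected"   - the three-way handshake completed
      "refused"     - ECONNREFUSED: a RST arrived, either from the peer
                      or, for an OUTPUT rule with -j REJECT
                      --reject-with tcp-reset, from the local kernel,
                      so the connect failed immediately (2.6.18 behaviour)
      "timeout"     - neither SYN/ACK nor RST within `timeout`: the SYN
                      was silently dropped and the kernel keeps
                      retransmitting it (what the report saw on 2.6.19)
      "unreachable" - ENETUNREACH/EHOSTUNREACH from a route or ICMP error
    Other errno values are returned as "error:<name>".
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        outcome = "connected"
    except socket.timeout:
        outcome = "timeout"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            outcome = "refused"
        elif e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            outcome = "unreachable"
        else:
            outcome = "error:%s" % errno.errorcode.get(e.errno, e.errno)
    finally:
        s.close()
    return outcome, time.monotonic() - start


def rule_behaviour(outcome):
    """Map a probe outcome onto what it says about the OUTPUT REJECT rule.

    A plain ECONNREFUSED cannot by itself prove the RST came from the
    local rule rather than from a closed port on the peer; confirm with
    the rule's packet counter (iptables -L OUTPUT -v -n) or by capturing
    on the outgoing interface and checking that no SYN leaves the host.
    """
    verdicts = {
        "refused": "immediate reset: the expected (2.6.18) behaviour",
        "timeout": "silent drop: the 2.6.19 behaviour reported in this bug",
        "connected": "rule did not match: check its port, address and counters",
        "unreachable": "no route or ICMP unreachable: the REJECT rule is not what failed",
    }
    return verdicts.get(outcome, "unexpected failure: " + outcome)


def closed_local_port():
    """Constructed stand-in for the reset path: a loopback port nobody
    listens on, which makes the local kernel answer the SYN with a RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Stand-alone demonstration against loopback; to check the rule from
    # the report, load it and call probe("10.0.20.1", 23, timeout=10.0).
    port = closed_local_port()
    outcome, elapsed = probe("127.0.0.1", port, timeout=2.0)
    print("127.0.0.1:%d -> %s after %.3fs: %s"
          % (port, outcome, elapsed, rule_behaviour(outcome)))
```

With the rule from the report loaded, a "refused" result well under a second means the reset is being generated locally as it was on 2.6.18; a "timeout" reproduces the bug. Because ECONNREFUSED looks the same whether the RST came from the rule or from the peer, pair the probe with the rule's packet counter from `iptables -L OUTPUT -v -n` before concluding which kernel behaviour you are seeing.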
Comment 1 Andrew Morton 2006-12-19 20:03:31 UTC
On Tue, 19 Dec 2006 19:58:14 -0800
bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=7716
> [...]

Comment 2 Patrick McHardy 2006-12-22 05:04:45 UTC
Created attachment 9927 [details]
Fix output routing

Please try if this patch helps.
Comment 3 Patrick McHardy 2006-12-22 05:05:18 UTC
Created attachment 9928 [details]
Fix output routing

Please try if this patch helps.
Comment 4 Mike Accetta 2007-01-02 20:51:20 UTC
This patch indeed fixes the above test case with a 2.6.19 kernel for me.

Thank you!  
Comment 5 Adrian Bunk 2007-02-25 08:42:44 UTC
The patch from this bug was included in both 2.6.19.3 and 2.6.20.
