Bug 7716

Summary: change in behavior of OUTPUT chain reject rule in 2.6.19?
Product: Networking
Reporter: Mike Accetta (maccetta)
Component: Netfilter/Iptables
Assignee: networking_netfilter-iptables (networking_netfilter-iptables)
Status: CLOSED CODE_FIX
Severity: normal
CC: bunk, cw
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.19
Subsystem:
Regression: ---
Bisected commit-id:
Attachments: Fix output routing (attachment 9927), Fix output routing (attachment 9928)

Description Mike Accetta 2006-12-19 19:53:36 UTC
Between 2.6.18 and 2.6.19 (and 2.6.19.1) we've observed that a reject
rule on the OUTPUT chain no longer causes a connection attempt to abort
immediately with "Connection refused".  As a specific example, this rule

iptables -A OUTPUT -p tcp --destination-port 23 \
  --destination 10.0.20.1 -j REJECT --reject-with tcp-reset

will cause a telnet connection to 10.0.20.1 to fail immediately under
2.6.18 but will take minutes to timeout under 2.6.19.  A "git bisect"
identifies change 9d02002d2dc2c7423e5891b97727fde4d667adf1 as the
culprit.  The change description gives no hint that this effect was
intended.  Is this a regression?
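The reproduction above, turned into a small check script. This is an added example, not code from the bug report or the kernel; it assumes bash's /dev/tcp and GNU timeout are available, and root plus iptables only when the live check is enabled via REJECT_CHECK_HOST.

```shell
#!/bin/bash
# Regression check for the behaviour in this bug: a REJECT rule with
# --reject-with tcp-reset on the OUTPUT chain should make a locally
# originated connect() fail at once with "Connection refused", not hang
# until the SYN retransmits give up. Hypothetical helper, not from the bug.

# Classify one connect attempt from its exit status and elapsed seconds.
# Status 124 is GNU timeout's "command timed out"; a failed bash /dev/tcp
# connect exits with status 1.
classify_attempt() {
    local status=$1 elapsed=$2 limit=$3
    if [ "$status" -eq 124 ] || [ "$elapsed" -ge "$limit" ]; then
        echo "timed-out"   # 2.6.19 behaviour: rule not applied, SYNs sent
    elif [ "$status" -ne 0 ]; then
        echo "refused"     # expected: RST generated, connect() -> ECONNREFUSED
    else
        echo "connected"   # rule did not match at all
    fi
}

# One bounded TCP connect to host:port; prints the classification.
probe_connect() {
    local host=$1 port=$2 limit=$3 start status
    start=$SECONDS
    timeout "$limit" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    status=$?
    classify_attempt "$status" "$(( SECONDS - start ))" "$limit"
}

# Insert the rule from the report (at the top of OUTPUT so nothing shadows
# it), probe once, then remove the rule. Returns 0 when connect() is
# refused promptly. This is the only part that needs root.
check_output_reject() {
    local host=$1 port=${2:-23} limit=${3:-10} verdict
    iptables -I OUTPUT -p tcp --destination-port "$port" \
        --destination "$host" -j REJECT --reject-with tcp-reset || return 2
    verdict=$(probe_connect "$host" "$port" "$limit")
    iptables -D OUTPUT -p tcp --destination-port "$port" \
        --destination "$host" -j REJECT --reject-with tcp-reset
    echo "OUTPUT REJECT check against $host:$port: $verdict"
    [ "$verdict" = "refused" ]
}

# Live check only when a target is given, e.g.
#   REJECT_CHECK_HOST=10.0.20.1 ./reject-check.sh
if [ -n "${REJECT_CHECK_HOST:-}" ]; then
    check_output_reject "$REJECT_CHECK_HOST"
fi
```

With the 2.6.18 behaviour the verdict is "refused" within a second; under the regressed 2.6.19 kernel the probe hits the limit and reports "timed-out".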
Comment 1 Andrew Morton 2006-12-19 20:03:31 UTC
On Tue, 19 Dec 2006 19:58:14 -0800
bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=7716
> 
>            Summary: change in behavior of OUTPUT chain reject rule in
>                     2.6.19?
>     Kernel Version: 2.6.19
>             Status: NEW
>           Severity: normal
>              Owner: networking_netfilter-iptables@kernel-bugs.osdl.org
>          Submitter: maccetta@laurelnetworks.com
> 
> 
> Between 2.6.18 and 2.6.19 (and 2.6.19.1) we've observed that a reject
> rule on the OUTPUT chain no longer causes a connection attempt to abort
> immediately with "Connection refused".  As a specific example, this rule
> 
> iptables -A  OUTPUT -p tcp --destination-port 23 \
>   --destination 10.0.20.1  -j REJECT --reject-with tcp-reset
> 
> will cause a telnet connection to 10.0.20.1 to fail immediately under
> 2.6.18 but will take minutes to timeout under 2.6.19.  A "git bisect"
> identifies change 9d02002d2dc2c7423e5891b97727fde4d667adf1 as the
> culprit.  The change description gives no hint that this effect was
> intended.  Is this a regression?

Comment 2 Patrick McHardy 2006-12-22 05:04:45 UTC
Created attachment 9927 [details]
Fix output routing

Please try this patch and see if it helps.
Comment 3 Patrick McHardy 2006-12-22 05:05:18 UTC
Created attachment 9928 [details]
Fix output routing

Please try this patch and see if it helps.
Comment 4 Mike Accetta 2007-01-02 20:51:20 UTC
This patch indeed fixes the above test case with a 2.6.19 kernel for me.

Thank you!  
Comment 5 Adrian Bunk 2007-02-25 08:42:44 UTC
The patch from this bug was included in both 2.6.19.3 and 2.6.20.