commit 2e405726a0c6be6617905522bde9038f75e623c4 Author: Willy Tarreau Date: Wed Jan 23 10:02:15 2019 +0100 DOC: mention the effect of nf_conntrack_tcp_loose on src/dst On rare occasions the logs may report inverted src/dst when using conntrack with this sysctl. Add a mention for it in the doc. More info here : https://www.spinics.net/lists/netdev/msg544878.html (cherry picked from commit 64ded3db2c686bad582cf9bb9fcabf21cb4becb7) Signed-off-by: Willy Tarreau (cherry picked from commit 037f9ac4a2cc4b344859af1cff7b30d5ecabe9e0) Signed-off-by: William Lallemand diff --git a/doc/configuration.txt b/doc/configuration.txt index 72b769a4..bc8ae4f8 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -13822,7 +13822,12 @@ dst : ip which is the address the client connected to. It can be useful when running in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to - RFC 4291. + RFC 4291. When the incoming connection passed through address translation or + redirection involving connection tracking, the original destination address + before the redirection will be reported. On Linux systems, the source and + destination may seldom appear reversed if the nf_conntrack_tcp_loose sysctl + is set, because a late response may reopen a timed out connection and switch + what is believed to be the source and the destination. dst_conn : integer Returns an integer value corresponding to the number of currently established @@ -14127,7 +14132,13 @@ src : ip behind a proxy. However if the "accept-proxy" or "accept-netscaler-cip" bind directive is used, it can be the address of a client behind another PROXY-protocol compatible component for all rule sets except - "tcp-request connection" which sees the real address. + "tcp-request connection" which sees the real address. When the incoming + connection passed through address translation or redirection involving + connection tracking, the original destination address before the redirection + will be reported. On Linux systems, the source and destination may seldom + appear reversed if the nf_conntrack_tcp_loose sysctl is set, because a late + response may reopen a timed out connection and switch what is believed to be + the source and the destination. Example: # add an HTTP header in requests with the originating address' country