packages/net/haproxy/patches/012-DOC-mention-the-effect-of-nf_conntrack_tcp_loose-on-src-dst.patch
Christian Lachner 512411108c haproxy: Update all patches for HAProxy v1.8.17
- Add new patches (see https://www.haproxy.org/bugs/bugs-1.8.17.html)
- Raise PKG_RELEASE to 2
- Prefix patches with 3-digit numbers instead of 4-digit numbers

Signed-off-by: Christian Lachner <gladiac@gmail.com>
2019-01-31 13:59:35 +01:00


commit 2e405726a0c6be6617905522bde9038f75e623c4
Author: Willy Tarreau <w@1wt.eu>
Date: Wed Jan 23 10:02:15 2019 +0100
DOC: mention the effect of nf_conntrack_tcp_loose on src/dst
On rare occasions the logs may report inverted src/dst when using
conntrack with this sysctl. Add a mention for it in the doc. More
info here:
https://www.spinics.net/lists/netdev/msg544878.html
(cherry picked from commit 64ded3db2c686bad582cf9bb9fcabf21cb4becb7)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 037f9ac4a2cc4b344859af1cff7b30d5ecabe9e0)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 72b769a4..bc8ae4f8 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13822,7 +13822,12 @@ dst : ip
which is the address the client connected to. It can be useful when running
in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
- RFC 4291.
+ RFC 4291. When the incoming connection passed through address translation or
+ redirection involving connection tracking, the original destination address
+ before the redirection will be reported. On Linux systems, the source and
+ destination may seldom appear reversed if the nf_conntrack_tcp_loose sysctl
+ is set, because a late response may reopen a timed out connection and switch
+ what is believed to be the source and the destination.
dst_conn : integer
Returns an integer value corresponding to the number of currently established
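Review bot: in the added dst text, "may seldom appear reversed if the nf_conntrack_tcp_loose sysctl is set" understates how often the precondition holds: the full knob is net.netfilter.nf_conntrack_tcp_loose and it defaults to 1 on Linux, so the condition is true on most hosts unless an administrator disabled it. Suggest naming the sysctl in full and stating the default, e.g. "if net.netfilter.nf_conntrack_tcp_loose is enabled (the default)", and replacing "seldom" with "occasionally" ("may occasionally appear reversed"). Since the paragraph already explains the mechanism (a late response reopening a timed out connection), it would help operators who act on dst in ACLs or logs to add that setting the sysctl to 0 stops conntrack from picking up mid-stream connections and so prevents the inversion.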
@@ -14127,7 +14132,13 @@ src : ip
behind a proxy. However if the "accept-proxy" or "accept-netscaler-cip" bind
directive is used, it can be the address of a client behind another
PROXY-protocol compatible component for all rule sets except
- "tcp-request connection" which sees the real address.
+ "tcp-request connection" which sees the real address. When the incoming
+ connection passed through address translation or redirection involving
+ connection tracking, the original destination address before the redirection
+ will be reported. On Linux systems, the source and destination may seldom
+ appear reversed if the nf_conntrack_tcp_loose sysctl is set, because a late
+ response may reopen a timed out connection and switch what is believed to be
+ the source and the destination.
Example:
# add an HTTP header in requests with the originating address' country
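Review bot: the first sentence added to the src entry ("the original destination address before the redirection will be reported") describes the destination even though this is the src attribute; it reads as copied verbatim from the dst hunk above. Either reword it in terms of the source address or drop it here and keep only the nf_conntrack_tcp_loose caveat, which does apply to src since the hunk says the source and destination are swapped together. A short cross-reference to the dst entry would avoid maintaining the same paragraph twice. Same wording nit as in dst: "may seldom appear reversed" reads better as "may occasionally appear reversed".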