Mohandass, Roobesh <roobesh_mohand...@mcafee.com> wrote:
> Issue: getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) is in fact
> sometimes returning the source IP instead of the destination IP

SO_ORIGINAL_DST returns the original address (before DNAT/REDIRECT rewrite) that conntrack believes to be the originator.

> What you expected to happen:
> getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) should always return the
> destination IP (connected IP).
>
> What happened instead:
> getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) is in fact sometimes
> returning the source IP instead of the destination IP. Using getsockname()
> instead looks like it solves the issue.
>
> For just an example:
> Out of 6569124 requests, 4 requests were wrong, 0.000060891 % (this is just
> a rough estimate to give you an idea of the frequency)
>
> Some old reference (similar behavior observed):
> https://stackoverflow.com/questions/11417187/getsockopt-so-original-dst-occasionally-returns-client-address

I ask exactly the same question as in your URL.
If you use TPROXY, why do you use SO_ORIGINAL_DST? It's only required with -j REDIRECT.

If you need to use REDIRECT for some reason, make sure you limit REDIRECT to -p tcp --syn to prevent it from triggering on other packets.

You might also want to turn off midstream pickup (sysctl nf_conntrack_tcp_loose=0) in conntrack.
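As an added example (not code from either poster): a C helper, hypothetically named get_original_dst(), that queries SO_ORIGINAL_DST on an accepted socket, rejects an answer that equals the peer's own address (the case reported above) and falls back to getsockname(), reporting which path it took so the anomaly can be logged. The accept_loopback_pair() helper is constructed only to exercise the fallback path on a plain loopback connection, where no REDIRECT rule or conntrack entry is involved.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* value from <linux/netfilter_ipv4.h> */
#endif
enum orig_dst_src { ORIG_DST_ERROR = -1, ORIG_DST_CONNTRACK = 0, ORIG_DST_FALLBACK = 1 };

/* Fill *dst with the pre-REDIRECT destination of accepted socket fd.  SO_ORIGINAL_DST
 * is only meaningful behind -j REDIRECT; if the lookup fails (no conntrack entry, as on
 * a plain loopback connection) or it returns the peer's own address (the anomaly reported
 * in the thread), fall back to getsockname().  Return value says which path was taken. */
int get_original_dst(int fd, struct sockaddr_in *dst)
{
    struct sockaddr_in peer, orig;
    socklen_t len = sizeof(peer);
    if (getpeername(fd, (struct sockaddr *)&peer, &len) < 0)
        return ORIG_DST_ERROR;
    len = sizeof(orig);
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &orig, &len) == 0 && len == sizeof(orig) &&
        (orig.sin_addr.s_addr != peer.sin_addr.s_addr || orig.sin_port != peer.sin_port)) {
        *dst = orig;
        return ORIG_DST_CONNTRACK;
    }
    len = sizeof(*dst);
    if (getsockname(fd, (struct sockaddr *)dst, &len) < 0)
        return ORIG_DST_ERROR;
    return ORIG_DST_FALLBACK;
}

/* Constructed test helper: listener on 127.0.0.1, one connected client, and the
 * accepted server-side socket.  Returns the accepted fd (or -1) and the port. */
int accept_loopback_pair(int *client_fd, uint16_t *port)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof(a);
    int lfd = socket(AF_INET, SOCK_STREAM, 0), cfd, sfd;
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&a, alen) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&a, &alen) < 0)
        return -1;
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&a, alen) < 0)
        return -1;
    sfd = accept(lfd, NULL, NULL);
    close(lfd);
    *client_fd = cfd;
    *port = ntohs(a.sin_port);
    return sfd;
}
```

On a socket accepted behind -j REDIRECT the first branch returns the pre-rewrite destination; on the loopback pair the kernel has no answer and the function reports ORIG_DST_FALLBACK with the listener's own address.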