From: Michael Shuey <shuey@fmepnet.org>
To: Henrik Nordstrom <hno@marasystems.com>
Cc: Harald Welte <laforge@gnumonks.org>, netfilter-devel@lists.samba.org
Subject: Re: NAT and locally bound sockets
Date: Mon, 1 Jul 2002 13:46:15 -0500
Message-ID: <20020701184615.GA13296@lucky>
In-Reply-To: <200207011859.39589.hno@marasystems.com>

On Mon, Jul 01, 2002 at 06:59:39PM +0200, Henrik Nordstrom wrote:
> > would be just fine; however, with a high level of traffic the NAT system
> > would occasionally select a srcport that was already in use by the NFS
> > client local to natbox.  That's not fine - it causes quite a few NFS
> 
> This is handled fine in all tests I have done provided your SNAT rule applies
> to both forwarded and locally originating packets.

First, why would I want to SNAT locally originating packets?  Second, are
you telling me that netfilter _does_ check to see if a port is locally bound
before using it for a translation?

> If however your UDP nat entries time out from conntrack, which they can
> easily do for an idle NFS mount, then all bets are off.. The default udp
> timeout is only 180 seconds which is not by far sufficient for multi-client
> NAT of NFS. A typical case where conntrack by default cannot easily know a
> suitable timeout without additional information.

The problem is not that UDP NAT entries are timing out from conntrack.  The
problem is that SNAT'd NFS connections are stealing packets bound for the
nat host.  As near as I can tell the NAT code will occasionally select a
srcport that's already in use by a client local to the natbox.  For more
information, check the posting at the URL I mailed to the list earlier.

If my problems were caused by UDP nat entries timing out from conntrack, why
did all my problems disappear when I SNAT'd the connections through an IP
alias?  I didn't change the timeout, so if your assumption were correct I
would still have NFS issues.

-- 
Mike Shuey
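The collision Mike describes, a SNAT source port landing on a UDP port already bound by a local client, can be checked for from a defender's side by comparing the SNAT address and port range against the host's bound UDP sockets. The script below is an added example, not code from the thread or from netfilter; it assumes a Linux host whose `/proc/net/udp` uses little-endian hex addresses (x86), and the file content it parses is constructed sample data, not a capture from the original poster's machine.

```python
import socket
import struct

# Constructed sample of /proc/net/udp (not from the original thread):
# row 0 is a wildcard-bound client socket on port 800 (0x0320),
# row 1 is a socket bound to the primary address 192.168.1.1 on port
# 1023 (0x03FF). /proc/net/udp prints addresses as native-order hex,
# which on x86 is little-endian, so 192.168.1.1 appears as 0101A8C0.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0320 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0101A8C0:03FF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1002
"""


def local_udp_sockets(proc_text):
    """Return a set of (ip, port) tuples for every bound local UDP socket."""
    bound = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 2:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Little-endian host order: unpack the 32-bit value as "<I" so
        # inet_ntoa sees the bytes in network order.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        bound.add((ip, int(hex_port, 16)))
    return bound


def snat_port_collisions(bound, snat_ip, port_range):
    """Ports in port_range (inclusive) that a local socket already holds
    on snat_ip or on the wildcard address 0.0.0.0. Sockets bound only to
    a different specific address do not conflict, which is why SNATing
    through a dedicated IP alias sidesteps sockets bound to the primary
    address but not sockets bound to 0.0.0.0."""
    lo, hi = port_range
    return sorted(port for ip, port in bound
                  if lo <= port <= hi and ip in (snat_ip, "0.0.0.0"))


if __name__ == "__main__":
    sockets = local_udp_sockets(SAMPLE_PROC_NET_UDP)
    print("primary:", snat_port_collisions(sockets, "192.168.1.1", (600, 1023)))
    print("alias:  ", snat_port_collisions(sockets, "192.168.1.2", (600, 1023)))
```

On a live host, pass the real contents of `/proc/net/udp` in place of the sample and the SNAT address and port range from the `--to-source` argument of the rule under review.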
