Re: conntrack NAT problem w/ UDP

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick Schaaf <bof@bof.de>
To: chip@innovates.com
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: conntrack NAT problem w/ UDP
Date: Wed, 28 Dec 2005 08:15:47 +0100	[thread overview]
Message-ID: <20051228071547.GC11503@oknodo.bof.de> (raw)
In-Reply-To: <H000006700179012.1135713196.@MHS>

> There seems to be an intermittent problem w/ NAT when the source port 
> and destination port are the same on UDP traffic.
[...]
> I diagnosed the problem by sniffing the traffic between the router and 
> internet device (DSL or cable modem).

How much time was there between the last correctly rewritten packet,
and the first bad packet?

I bet it was more than 120 seconds.

UDP is connectionless. Thus, conntracking must use some form of
idle (no packets flowing) timeout for its NAT entries. The timeout
is 120 seconds for replied (packets seen in both directions)
UDP connections.

With the setup you described, having fixed "real" ports, maybe
you can just set up static nat (use the SNAT or DNAT target after
matching client IP address), instead of dynamic (random mangled port)
NAT like MASQUERADE, and your problem will go away - because the decision
will be the same each time a new conntrack is created after a pause.

You could also try to work around the problem by making the application
send data in the correct direction more often than each 120 seconds.

Or you could manipulate the UDP timeout on the NAT box. Look/change
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_stream. However, this
will affect all UDP traffic (traceroute, DNS lookups).

best regards
  Patrick

next      parent reply	other threads:[~2005-12-28  7:15 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <H000006700179012.1135713196.@MHS>
2005-12-28  7:15 ` Patrick Schaaf [this message]
     [not found] <H0000067001795ab.1135782766.@MHS>
2006-01-03 12:18 ` conntrack NAT problem w/ UDP Patrick McHardy
2005-12-28 15:12 chip
  -- strict thread matches above, loose matches on Subject: below --
2005-12-27 19:53 chip

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20051228071547.GC11503@oknodo.bof.de \
    --to=bof@bof.de \
    --cc=chip@innovates.com \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.