* SNAT round-robin broken?
From: Khoa Nguyen @ 2006-02-10 15:22 UTC
To: netfilter

I have the following on a box acting as a router between a client and
a web server:

iptables -t nat -A POSTROUTING --source 10.1.1.1 --destination 10.2.1.1 --protocol tcp --dport 80 -j SNAT --to-source 192.168.20.1-192.168.20.100

I open several HTTP connections from the client to the server; the
gateway for some reason SNATs to a single random address only and
doesn't do round-robin for every socket from the client. Is something
broken? How do I force it to perform round-robin SNAT'ing?

My kernel: 2.6.12-1.1381_FC3
iptables version: 1.3.4

Thanks,
Khoa
* Re: SNAT round-robin broken?
From: KOVACS Krisztian @ 2006-02-10 21:12 UTC
To: netfilter; +Cc: Khoa Nguyen

Hi,

On Friday 10 February 2006 16:22, Khoa Nguyen wrote:
> I have the following on a box acting as a router between a client and
> a web server:
>
> iptables -t nat -A POSTROUTING --source 10.1.1.1 --destination
> 10.2.1.1 --protocol tcp --dport 80 -j SNAT --to-source
> 192.168.20.1-192.168.20.100
>
> I open several http connections from the client to the server, the
> gateway for some reason SNAT to a single random address only and
> doesn't do round-robin for every socket from the client. Is something
> broken? How I force it to perform round-robin SNAT'ing?
>
> My kernel: 2.6.12-1.1381_FC3
> iptables version: 1.3.4

Have you tried it with more than one internal IP address connecting to
multiple destination addresses? Netfilter chooses the translated source
IP based on the source and destination address of the original
connection.

--
KOVACS Krisztian
* Re: SNAT round-robin broken?
From: KOVACS Krisztian @ 2006-02-13 20:45 UTC
To: Khoa Nguyen; +Cc: netfilter

Hi,

On Monday 13 February 2006 15:10, Khoa Nguyen wrote:
> > Have you tried it with more than one internal IP address connecting
> > to multiple destination addresses? Netfilter chooses the translated
> > source IP based on the source and destination address of the original
> > connection.
>
> Yes, if I tried with more than one internal IP address, the SNAT code
> would map to a different source IP address. This behaviour, however,
> is different from that of kernel 2.4.x ? I used to be able to simulate
> thousands of clients with SNAT and just one internal IP address. Is it
> possible to force the same round-robin behaviour in 2.6.12 kernel?

Unfortunately not, at least not without modifying the source code :) The
behaviour of the NAT code changed when Rusty's NAT simplifications were
merged in 2.6.11. I personally think this new behaviour is better than
the old one, as it provides increased performance and better cooperation
with load balancing solutions and other NAT-sensitive equipment.

Why exactly do you want to achieve the round-robin behaviour for one
internal IP?

--
KOVACS Krisztian
* Re: SNAT round-robin broken?
From: Khoa Nguyen @ 2006-02-13 21:01 UTC
To: KOVACS Krisztian; +Cc: netfilter

On 2/13/06, KOVACS Krisztian <hidden@sch.bme.hu> wrote:
>
> Unfortunately not, at least not without modifying the source code :) The
> behaviour of the NAT code changed when Rusty's NAT simplifications were
> merged in 2.6.11. I personally think this new behaviour is better than
> the old one, as it provides increased performance and better cooperation
> with load balancing solutions and other NAT-sensitive equipment.
>
> Why exactly do you want to achieve the round-robin behaviour for one
> internal IP?
>
> --
> KOVACS Krisztian

Hi,

Thanks for your response. I would like to simulate thousands of clients
with the following setup in order to stress test our in-house product:

Client ---> SNAT box ---> In-house Gateway --> Server

Before the 2.6.11 kernel, the SNAT box was mapping every new socket from
the Client to a new source IP address. With this, I was able to simulate
several thousand "virtual" clients. Now with the new behaviour, every
socket from the Client to the Server is mapped to the same random but
fixed source IP address. I am sure the new NAT implementation is better
and cleaner than the old one, but it also takes away a nice round-robin
feature per socket. Is there any way I can achieve the previous behaviour
without modifying the kernel source code :-( or downgrading to a
pre-2.6.11 kernel? (I am writing some ip_conntrack/ip_nat modules based
on the new 2.6.11+ API, so downgrading the kernel is going to be painful.)

Thanks,
Khoa
* Re: SNAT round-robin broken?
From: KOVACS Krisztian @ 2006-02-13 21:30 UTC
To: Khoa Nguyen; +Cc: netfilter

Hi,

On Monday 13 February 2006 22:01, Khoa Nguyen wrote:
> Before 2.6.11 kernel, the SNAT box was mapping every new socket from
> the Client to a new source IP address. With this, I was able to
> simulate several thousands "virtual" clients. Now with the new
> behaviour, every socket from the Client to the Server is mapped to the
> same random but fixed source IP address. I am sure the new NAT
> implementation is better and cleaner than the old one, but it also
> takes away a nice round-robin feature per socket. Is there any way I
> can achieve the previous behaviour without modifying the kernel source
> code :-( or downgrading to a pre-2.6.11 kernel? (I am writing some
> ip_conntrack/ip_nat modules based on the new 2.6.11+ API, so
> downgrading the kernel is going to be painful)

I see. Well, I don't think this is possible without modifying the kernel
source. However, you could try either modifying the client to use
different IP addresses (by configuring a few thousand IP addresses on the
client and having the client bind() to different IP addresses), or
modifying the kernel to do what you'd like. I think both of these should
be relatively easy (in case you have access to the client source code).

About the kernel: take a look at find_best_ips_proto() in ip_nat_core.c.
At the end of the function there's a jhash_2words() call; this is
responsible for choosing an IP inside the address range specified. You
could easily modify it to produce a hash value based on the (src, src
port, dst) tuple instead of just (src, dst).

--
KOVACS Krisztian
* Re: SNAT round-robin broken?
From: Khoa Nguyen @ 2006-02-15 21:47 UTC
To: KOVACS Krisztian; +Cc: netfilter

On 2/13/06, KOVACS Krisztian <hidden@sch.bme.hu> wrote:
>
> Hi,
>
> > Before 2.6.11 kernel, the SNAT box was mapping every new socket from
> > the Client to a new source IP address. With this, I was able to
> > simulate several thousands "virtual" clients. Now with the new
> > behaviour, every socket from the Client to the Server is mapped to the
> > same random but fixed source IP address.
> > ... Is there any way I can achieve the previous behaviour without modifying the kernel
> > source code :-( or downgrading to a pre-2.6.11 kernel?
>
> I see. Well, I don't think this is possible without modifying the kernel
> source.
> ...
> About the kernel: take a look at
> find_best_ips_proto() in ip_nat_core.c. At the end of the function
> there's a jhash_2words() call, this is responsible for choosing an IP
> inside the address range specified. You could easily modify it to produce
> a hash value based on the (src, src port, dst) tuple instead of just
> (src, dst).
>
> --
> KOVACS Krisztian

Hi,

Thanks for your suggestion. I modified the kernel source with
jhash_3words(src, port, dst) and now my SNAT box is SNAT'ing per socket.
Very cool!

Thanks again.
Khoa
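The two selection rules discussed in the last two messages, as an added model that is not kernel code and not from the thread: the stock 2.6.11+ choice hashes only (src, dst), so every socket from 10.1.1.1 to 10.2.1.1 lands on one address of the 192.168.20.1-192.168.20.100 range, while hashing (src, sport, dst) spreads sockets across it. The jhash is written from memory of the 2.6-era lookup2 jhash.h and is an assumption; only the selection behaviour matters here.

```c
/* Added example, not kernel code and not from the thread: models how the 2.6.11+
 * NAT core picks a source address from an SNAT range by hashing (src, dst), versus
 * hashing (src, sport, dst). The jhash is from memory of the 2.6-era lookup2 jhash.h
 * and is an assumption; only the selection logic is the point. */
#include <stdint.h>
#include <stdbool.h>
#define JHASH_GOLDEN_RATIO 0x9e3779b9u

static uint32_t jhash_3words(uint32_t a, uint32_t b, uint32_t c, uint32_t initval)
{
    a += JHASH_GOLDEN_RATIO; b += JHASH_GOLDEN_RATIO; c += initval;
    a -= b; a -= c; a ^= (c >> 13);  b -= c; b -= a; b ^= (a << 8);   c -= a; c -= b; c ^= (b >> 13);
    a -= b; a -= c; a ^= (c >> 12);  b -= c; b -= a; b ^= (a << 16);  c -= a; c -= b; c ^= (b >> 5);
    a -= b; a -= c; a ^= (c >> 3);   b -= c; b -= a; b ^= (a << 10);  c -= a; c -= b; c ^= (b >> 15);
    return c;
}
static uint32_t jhash_2words(uint32_t a, uint32_t b, uint32_t initval) { return jhash_3words(a, b, 0, initval); }

/* Host-order IPv4 address from a dotted quad. */
static uint32_t ip4(int a, int b, int c, int d) { return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d; }

/* Stock selection: only (src, dst) feed the hash, so every connection from one
 * client to one server lands on the same address of the range. */
uint32_t snat_pick_src_dst(uint32_t src, uint32_t dst, uint32_t minip, uint32_t maxip)
{
    return minip + jhash_2words(src, dst, 0) % (maxip - minip + 1);
}
/* The change discussed in the thread: fold the source port in as a third word,
 * so each new socket may be mapped to a different address. */
uint32_t snat_pick_src_port_dst(uint32_t src, uint16_t sport, uint32_t dst, uint32_t minip, uint32_t maxip)
{
    return minip + jhash_3words(src, sport, dst, 0) % (maxip - minip + 1);
}

/* Simulate nconn sockets from 10.1.1.1 to 10.2.1.1 through the thread's range
 * 192.168.20.1-192.168.20.100 and return how many distinct translated sources appear. */
int distinct_mapped(bool use_port, int nconn)
{
    uint32_t src = ip4(10, 1, 1, 1), dst = ip4(10, 2, 1, 1);
    uint32_t minip = ip4(192, 168, 20, 1), maxip = ip4(192, 168, 20, 100);
    uint32_t seen[100]; int nseen = 0;   /* the range holds 100 addresses, so seen[] cannot overflow */
    for (int i = 0; i < nconn; i++) {
        uint32_t m = use_port ? snat_pick_src_port_dst(src, (uint16_t)(32768 + i), dst, minip, maxip)
                              : snat_pick_src_dst(src, dst, minip, maxip);
        int j = 0;
        while (j < nseen && seen[j] != m) j++;   /* linear scan is fine for at most 100 entries */
        if (j == nseen) seen[nseen++] = m;
    }
    return nseen;
}
```

With the stock rule distinct_mapped(false, n) is always 1, which is exactly the single fixed address Khoa observed; with the port folded in it grows toward the size of the range as more sockets are opened.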