* SNAT round-robin broken?
From: Khoa Nguyen @ 2006-02-10 15:22 UTC (permalink / raw)
To: netfilter
I have the following on a box acting as a router between a client and
a web server:
iptables -t nat -A POSTROUTING --source 10.1.1.1 --destination 10.2.1.1 \
    --protocol tcp --dport 80 -j SNAT --to-source 192.168.20.1-192.168.20.100
I open several HTTP connections from the client to the server, and the
gateway for some reason SNATs to a single random address only and
doesn't do round-robin for every socket from the client. Is something
broken? How do I force it to perform round-robin SNAT'ing?
My kernel: 2.6.12-1.1381_FC3
iptables version: 1.3.4
Thanks,
Khoa
* Re: SNAT round-robin broken?
From: KOVACS Krisztian @ 2006-02-10 21:12 UTC (permalink / raw)
To: netfilter; +Cc: Khoa Nguyen
Hi,
On Friday 10 February 2006 16:22, Khoa Nguyen wrote:
> I have the following on a box acting as a router between a client and
> a web server:
>
> iptables -t nat -A POSTROUTING --source 10.1.1.1 --destination 10.2.1.1 \
>     --protocol tcp --dport 80 -j SNAT --to-source 192.168.20.1-192.168.20.100
>
> I open several http connections from the client to the server, the
> gateway for some reason SNAT to a single random address only and
> doesn't do round-robin for every socket from the client. Is something
> broken? How I force it to perform round-robin SNAT'ing?
>
> My kernel: 2.6.12-1.1381_FC3
> iptables version: 1.3.4
Have you tried it with more than one internal IP address connecting to
multiple destination addresses? Netfilter chooses the translated source
IP based on the source and destination address of the original
connection.
--
KOVACS Krisztian
* Re: SNAT round-robin broken?
From: KOVACS Krisztian @ 2006-02-13 20:45 UTC (permalink / raw)
To: Khoa Nguyen; +Cc: netfilter
Hi,
On Monday 13 February 2006 15:10, Khoa Nguyen wrote:
> > Have you tried it with more than one internal IP address connecting
> > to multiple destination addresses? Netfilter chooses the translated
> > source IP based on the source and destination address of the original
> > connection.
>
> Yes, if I tried with more than one internal IP address, the SNAT code
> would map to a different source IP address. This behaviour, however,
> is different from that of kernel 2.4.x? I used to be able to simulate
> thousands of clients with SNAT and just one internal IP address. Is it
> possible to force the same round-robin behaviour in 2.6.12 kernel?
Unfortunately not, at least not without modifying the source code :) The
behaviour of the NAT code changed when Rusty's NAT simplifications were
merged in 2.6.11. I personally think this new behaviour is better than
the old one, as it provides increased performance and better cooperation
with load balancing solutions and other NAT-sensitive equipment.
Why exactly do you want to achieve the round-robin behaviour for one
internal IP?
--
KOVACS Krisztian
* Re: SNAT round-robin broken?
From: Khoa Nguyen @ 2006-02-13 21:01 UTC (permalink / raw)
To: KOVACS Krisztian; +Cc: netfilter
On 2/13/06, KOVACS Krisztian <hidden@sch.bme.hu> wrote:
>
>
> Unfortunately not, at least not without modifying the source code :) The
> behaviour of the NAT code changed when Rusty's NAT simplifications were
> merged in 2.6.11. I personally think this new behaviour is better than
> the old one, as it provides increased performance and better cooperation
> with load balancing solutions and other NAT-sensitive equipment.
>
> Why exactly do you want to achieve the round-robin behaviour for one
> internal IP?
>
> --
> KOVACS Krisztian
>
Hi,
Thanks for your response. I would like to simulate thousands of
clients with the following setup in order to stress test our in-house
product:
Client ---> SNAT box ---> In-house Gateway --> Server
Before 2.6.11 kernel, the SNAT box was mapping every new socket from
the Client to a new source IP address. With this, I was able to
simulate several thousand "virtual" clients. Now with the new
behaviour, every socket from the Client to the Server is mapped to the
same random but fixed source IP address. I am sure the new NAT
implementation is better and cleaner than the old one, but it also
takes away a nice round-robin feature per socket. Is there any way I
can achieve the previous behaviour without modifying the kernel source
code :-( or downgrading to a pre-2.6.11 kernel? (I am writing some
ip_conntrack/ip_nat modules based on the new 2.6.11+ API, so
downgrading the kernel is going to be painful)
Thanks,
Khoa
* Re: SNAT round-robin broken?
From: KOVACS Krisztian @ 2006-02-13 21:30 UTC (permalink / raw)
To: Khoa Nguyen; +Cc: netfilter
Hi,
On Monday 13 February 2006 22:01, Khoa Nguyen wrote:
> Before 2.6.11 kernel, the SNAT box was mapping every new socket from
> the Client to a new source IP address. With this, I was able to
> simulate several thousand "virtual" clients. Now with the new
> behaviour, every socket from the Client to the Server is mapped to the
> same random but fixed source IP address. I am sure the new NAT
> implementation is better and cleaner than the old one, but it also
> takes away a nice round-robin feature per socket. Is there any way I
> can achieve the previous behaviour without modifying the kernel source
> code :-( or downgrading to a pre-2.6.11 kernel? (I am writing some
> ip_conntrack/ip_nat modules based on the new 2.6.11+ API, so
> downgrading the kernel is going to be painful)
I see. Well, I don't think this is possible without modifying the kernel
source. However, you could try either modifying the client to use
different IP addresses (by configuring a few thousand IP addresses to the
client and having the client bind() to different IP addresses), or
modifying the kernel to do what you'd like.
I think both of these should be relatively easy (in case you have access
to the client source code). About the kernel: take a look at
find_best_ips_proto() in ip_nat_core.c. At the end of the function
there's a jhash_2words() call, this is responsible for choosing an IP
inside the address range specified. You could easily modify it to produce
a hash value based on the (src, src port, dst) tuple instead of just
(src, dst).
--
KOVACS Krisztian
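The two replies above (the 2006-02-10 note that the translated source is chosen from the original connection's source and destination address, and the 2006-02-13 pointer at the jhash_2words() call in find_best_ips_proto()) can be checked outside the kernel. The following user-space C program is an added example written for this page; it is not code from the thread or from ip_nat_core.c. It ports the Bob Jenkins lookup2 mix that the pre-2.6.37 linux/jhash.h used for jhash_2words()/jhash_3words(), models the selection step as "min_ip + hash % range_size", and compares the stock (src, dst) policy with the (src, sport, dst) variant Khoa ends up using. Addresses are handled in host byte order for readability, the function names snat_pick_by_pair(), snat_pick_by_socket() and snat_distinct_count() are this example's own, and the client/server/pool addresses are the ones from the original rule.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JHASH_GOLDEN_RATIO 0x9e3779b9u

/* Bob Jenkins' lookup2 mixing step, as used by the old linux/jhash.h. */
#define JHASH_MIX(a, b, c) do {                     \
    a -= b; a -= c; a ^= (c >> 13);                 \
    b -= c; b -= a; b ^= (a << 8);                  \
    c -= a; c -= b; c ^= (b >> 13);                 \
    a -= b; a -= c; a ^= (c >> 12);                 \
    b -= c; b -= a; b ^= (a << 16);                 \
    c -= a; c -= b; c ^= (b >> 5);                  \
    a -= b; a -= c; a ^= (c >> 3);                  \
    b -= c; b -= a; b ^= (a << 10);                 \
    c -= a; c -= b; c ^= (b >> 15);                 \
} while (0)

static uint32_t jhash_3words(uint32_t a, uint32_t b, uint32_t c, uint32_t initval)
{
    a += JHASH_GOLDEN_RATIO;
    b += JHASH_GOLDEN_RATIO;
    c += initval;
    JHASH_MIX(a, b, c);
    return c;
}

static uint32_t jhash_2words(uint32_t a, uint32_t b, uint32_t initval)
{
    return jhash_3words(a, b, 0, initval);
}

/* Build an IPv4 address in host byte order from a dotted quad (assumption:
 * the kernel hashes network-order values; the spread behaviour is the same). */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Stock 2.6.11+ selection: only (src, dst) reach the hash, so every
 * connection between the same two hosts lands on the same pool address. */
uint32_t snat_pick_by_pair(uint32_t src, uint32_t dst,
                           uint32_t min_ip, uint32_t max_ip)
{
    uint32_t j = jhash_2words(src, dst, 0);
    return min_ip + j % (max_ip - min_ip + 1);
}

/* The modified policy: the source port joins the hash input, so each new
 * socket (each new ephemeral port) may map to a different pool address. */
uint32_t snat_pick_by_socket(uint32_t src, uint16_t sport, uint32_t dst,
                             uint32_t min_ip, uint32_t max_ip)
{
    uint32_t j = jhash_3words(src, sport, dst, 0);
    return min_ip + j % (max_ip - min_ip + 1);
}

/* Count the distinct mapped addresses that n_ports consecutive ephemeral
 * ports from one client receive.  per_socket selects the modified policy.
 * Pools larger than the 1024-entry bitmap are rejected with -1. */
int snat_distinct_count(int per_socket, uint32_t src, uint32_t dst,
                        uint32_t min_ip, uint32_t max_ip,
                        uint16_t first_port, int n_ports)
{
    unsigned char seen[1024];
    uint32_t range = max_ip - min_ip + 1;
    int i, distinct = 0;

    if (range == 0 || range > sizeof seen)
        return -1;
    memset(seen, 0, sizeof seen);
    for (i = 0; i < n_ports; i++) {
        uint16_t sport = (uint16_t)(first_port + i);
        uint32_t ip = per_socket
            ? snat_pick_by_socket(src, sport, dst, min_ip, max_ip)
            : snat_pick_by_pair(src, dst, min_ip, max_ip);
        if (!seen[ip - min_ip]) {
            seen[ip - min_ip] = 1;
            distinct++;
        }
    }
    return distinct;
}

static void print_ip(uint32_t ip)
{
    printf("%u.%u.%u.%u", ip >> 24, (ip >> 16) & 0xff, (ip >> 8) & 0xff, ip & 0xff);
}

int main(void)
{
    /* The setup from the thread: one client, one server, a 100-address pool. */
    uint32_t src = ip4(10, 1, 1, 1), dst = ip4(10, 2, 1, 1);
    uint32_t lo = ip4(192, 168, 20, 1), hi = ip4(192, 168, 20, 100);
    uint16_t port;

    for (port = 32768; port < 32773; port++) {
        printf("sport %u: pair-hash -> ", port);
        print_ip(snat_pick_by_pair(src, dst, lo, hi));
        printf("  socket-hash -> ");
        print_ip(snat_pick_by_socket(src, port, dst, lo, hi));
        printf("\n");
    }
    printf("distinct addresses over 1000 ports: pair=%d socket=%d\n",
           snat_distinct_count(0, src, dst, lo, hi, 32768, 1000),
           snat_distinct_count(1, src, dst, lo, hi, 32768, 1000));
    return 0;
}
```

Two things worth keeping in mind if you make the same change: hashing on the port spreads connections across the pool but does not strictly round-robin them, so two sockets can still share an address, and it deliberately gives up the property Krisztian describes (one internal host always appearing as one external address), which is what load balancers and other NAT-sensitive equipment rely on.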
* Re: SNAT round-robin broken?
From: Khoa Nguyen @ 2006-02-15 21:47 UTC (permalink / raw)
To: KOVACS Krisztian; +Cc: netfilter
On 2/13/06, KOVACS Krisztian <hidden@sch.bme.hu> wrote:
>
> Hi,
> > Before 2.6.11 kernel, the SNAT box was mapping every new socket from
> > the Client to a new source IP address. With this, I was able to
> > simulate several thousand "virtual" clients. Now with the new
> > behaviour, every socket from the Client to the Server is mapped to the
> > same random but fixed source IP address.
> > ... Is there any way I can achieve the previous behaviour without modifying the kernel
> > source code :-( or downgrading to a pre-2.6.11 kernel?
>
> I see. Well, I don't think this is possible without modifying the kernel
> source.
> ...
> About the kernel: take a look at
> find_best_ips_proto() in ip_nat_core.c. At the end of the function
> there's a jhash_2words() call, this is responsible for choosing an IP
> inside the address range specified. You could easily modify it to produce
> a hash value based on the (src, src port, dst) tuple instead of just
> (src, dst).
>
> --
> KOVACS Krisztian
>
Hi,
Thanks for your suggestion. I modified the kernel source with
jhash_3words(src, port, dst) and now my SNAT box is SNAT'ing per
socket. Very cool!
Thanks again.
Khoa