From: KOVACS Krisztian <hidden@sch.bme.hu>
To: netfilter@lists.netfilter.org
Cc: "Keserű Kornél" <keseruk@freemail.hu>
Subject: Re: lost UDP packets with matching NAT rules
Date: Wed, 15 Feb 2006 16:15:42 +0100 [thread overview]
Message-ID: <200602151615.42633@nienna> (raw)
In-Reply-To: <freemail.20060115141829.61431@fm15.freemail.hu>
Hi,
On Wednesday 15 February 2006 14.18, Keserû Kornél wrote:
> I also have to modify the source of the packets not only the destination
> (I want to realize NAT). Maybe my sentence (about redirection) was
> misleading.
_That_ is the problem. This way you produce clashing connection tracking
entries, of which obviously only the first one is confirmed, the rest of
the packets is dropped. Think again: you send 100 packets, each of them
from a different source. Each and every packet has a new connection
tracking entry assigned to them when they arrive at the NAT box. Then on
PREROUTING you redirect these to the same destination. After this has been
done it's only the _source_ which differentiates between them, the
destination is the same. Then, on POSTROUTING you change the source address
of the packet (and the appropriate field in the conntrack entry) to the
same, predefined value. Oops, you've just destroyed your last piece of
information based on which you could differentiate the reply packets
arriving from the node you've forwarded these packets to.
For the first packet, the conntrack entry gets confirmed, and the packet
is forwarded. However, for the rest conntrack is unable to insert their
entries in the hash table (since there's already an entry there with the
same reply tuple). Thus the best it can do is dropping those packets.
> Thanks for the hint! I checked it. Strange, that not the "insert_failed"
> but the number in the "dropped" column is incremented with 99. 1
It's hard to believe. Are you sure that you did not make a mistake pairing
that number to the appropriate column at the top? Can you maybe paste it
here?
First of all, I assume you meant 'drop', as theer's no 'dropped' column in
that file. However, 'drop' is incremented if a packet is dropped because
connection tracking failed to allocated the memory for the new connection
tracking structure. It's very unlikely you can trigger this with 100 UDP
packets.
--
KOVACS Krisztian
next prev parent reply other threads:[~2006-02-15 15:15 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-02-14 9:34 lost UDP packets with matching NAT rules Keserű Kornél
2006-02-14 21:21 ` KOVACS Krisztian
2006-02-15 13:18 ` Keserű Kornél
2006-02-15 15:15 ` KOVACS Krisztian [this message]
2006-02-15 17:16 ` Keserű Kornél
2006-02-17 9:43 ` KOVACS Krisztian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200602151615.42633@nienna \
--to=hidden@sch.bme.hu \
--cc=keseruk@freemail.hu \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.