From: Andrew Morton <akpm@linux-foundation.org>
To: netdev@vger.kernel.org
Cc: bugme-daemon@bugzilla.kernel.org, berni@birkenwald.de
Subject: Re: [Bugme-new] [Bug 12954] New: SAMEIP --nodst functionality gone missing
Date: Tue, 7 Apr 2009 14:35:09 -0700
Message-ID: <20090407143509.05ab3b28.akpm@linux-foundation.org>
In-Reply-To: <bug-12954-10286@http.bugzilla.kernel.org/>
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
"massive issues"!
On Fri, 27 Mar 2009 16:48:06 GMT
bugzilla-daemon@bugzilla.kernel.org wrote:
> http://bugzilla.kernel.org/show_bug.cgi?id=12954
>
> Summary: SAMEIP --nodst functionality gone missing
> Product: Networking
> Version: 2.5
> Kernel Version: 2.6.25+
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Netfilter/Iptables
> AssignedTo: networking_netfilter-iptables@kernel-bugs.osdl.org
> ReportedBy: berni@birkenwald.de
> Regression: Yes
>
>
> This was already briefly discussed on the netfilter mailing list, but did not
> spark much response there. However, I think this issue is a pretty obvious
> regression over old kernel versions and might hit quite a few people once the
> newer kernels get deployed into large NAT setups.
>
> Back in the days of 2.6.18 there was the SAME target which allowed, with the
> option '--nodst' to SNAT internal hosts to the same address of a whole SNAT
> range regardless of the destination address.
>
> In cb76c6a597350534d211ba79d92da1f9771f8226 the SAME target was removed from
> the kernel sources due to being obsolete, since the same functionality was now
> in nf_nat. Shortly after that, in a discussion, Patrick McHardy proposed a patch
> to mimic the behaviour of SAME with --nodst in nf_nat by dropping the destination
> IP from the jhash. The patch was dropped shortly after because it apparently
> showed some uneven distribution.
>
> The whole thread can be read at
> http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/23275/focus=27670
>
> This thread went dead; I tried to revive it but did not get an answer. We're
> getting hit by this regression because we are currently NATing some thousand IP
> addresses (student dorms) to an external /28. It works fine with our old
> 2.6.18+SAME setup, but tests with 2.6.25+SNAT showed massive issues with
> connections from the same internal address to different destinations getting
> NATed to different addresses in the pool, which breaks, for example, ICQ quite
> badly.
>
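The behaviour the report describes, as an added illustration that is not part of the original thread or of the kernel's nf_nat code: pool address selection is modelled as a hash over the connection tuple, once with the destination IP included (what the reporter sees with 2.6.25 SNAT) and once with it dropped (the old SAME --nodst behaviour). The hash is a Jenkins one-at-a-time stand-in for the kernel's jhash, and the pool (192.0.2.16/28), the internal host and the destination addresses are constructed values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's jhash (assumption: Jenkins one-at-a-time hash,
 * used only to keep this example self-contained). */
static uint32_t mix_words(const uint32_t *w, size_t n)
{
    uint32_t h = 0;
    for (size_t i = 0; i < n; i++) {
        for (int b = 0; b < 4; b++) {
            h += (w[i] >> (8 * b)) & 0xff;
            h += h << 10;
            h ^= h >> 6;
        }
    }
    h += h << 3; h ^= h >> 11; h += h << 15;
    return h;
}

/* Pick a pool address (minip..maxip, host byte order) for an internal host.
 * nodst == 0: the destination takes part in the hash (per-destination choice).
 * nodst == 1: the destination is dropped, so one host always maps to one address. */
uint32_t select_snat_ip(uint32_t src, uint32_t dst, int nodst,
                        uint32_t minip, uint32_t maxip)
{
    uint32_t words[2] = { src, dst };
    uint32_t h = mix_words(words, nodst ? 1 : 2);
    return minip + h % (maxip - minip + 1);
}

/* Count how many distinct pool addresses one internal host is given when it
 * talks to ndst different destinations (198.51.100.0 + i, constructed). */
int distinct_pool_addrs(uint32_t src, int nodst, int ndst)
{
    uint32_t minip = 0xC0000210u, maxip = 0xC000021Fu; /* 192.0.2.16 - 192.0.2.31 */
    uint32_t seen[16];                                  /* pool has 16 addresses */
    int nseen = 0;
    for (int i = 0; i < ndst; i++) {
        uint32_t ip = select_snat_ip(src, 0xC6336400u + (uint32_t)i, nodst, minip, maxip);
        int dup = 0;
        for (int k = 0; k < nseen; k++)
            if (seen[k] == ip) dup = 1;
        if (!dup) seen[nseen++] = ip;
    }
    return nseen;
}

int main(void)
{
    uint32_t host = 0x0A000005u; /* 10.0.0.5, constructed internal address */
    printf("dst in hash: %d pool addresses; --nodst: %d pool address(es)\n",
           distinct_pool_addrs(host, 0, 64), distinct_pool_addrs(host, 1, 64));
    return 0;
}
```

With the destination in the hash the same host is spread over several pool addresses, which is exactly what breaks protocols that expect one public address per client.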