* Suggestion regarding masquerading / action when the link goes down
@ 2003-06-06 17:02 Christian Morgenstern
2003-06-19 12:11 ` Harald Welte
0 siblings, 1 reply; 4+ messages in thread
From: Christian Morgenstern @ 2003-06-06 17:02 UTC (permalink / raw)
To: netfilter-devel
From NAT-HOWTO:
You don't need to put in the source address explicitly with masquerading: it
will use the source address of the interface the packet is going out from.
But more importantly, if the link goes down, the connections (which are now
lost anyway) are forgotten, meaning fewer glitches when connection comes
back up with a new IP address.
So if the link goes down for a few seconds, and then comes back up, all masq
connections are lost, even though the IP did not change.
Would it be possible to have an additional option for the kernel config, so
the connections aren't cleared if the connection goes down ?
Or even better, how about only clearing the connections if the link comes
back up having a different IP ?
I'm asking this because I've a semi-static IP, and my connection sometimes
drops for a few seconds, usually 3 or 4 times per week. Sometimes the IP
changes, but most times it doesn't. Having the connections cleared means I'd
lose all open connections every time once I've upgraded from ipchains to
netfilter/iptables.
Aside from that I have a related question which I haven't found in the
FAQ/HowTos:
Is the conntrack table also being cleared if the link goes down/comes back
up ?
-- Christian
* Re: Suggestion regarding masquerading / action when the link goes down
From: Harald Welte @ 2003-06-19 12:11 UTC (permalink / raw)
To: Christian Morgenstern; +Cc: netfilter-devel
On Fri, Jun 06, 2003 at 07:02:35PM +0200, Christian Morgenstern wrote:
> From NAT-HOWTO:
> You don't need to put in the source address explicitly with masquerading: it
> will use the source address of the interface the packet is going out from.
> But more importantly, if the link goes down, the connections (which are now
> lost anyway) are forgotten, meaning fewer glitches when connection comes
> back up with a new IP address.
>
>
> So if the link goes down for a few seconds, and then comes back up all masq
> connections are lost, even though the IP did not change.
Yes. But I have to admit that I haven't seen this happen, at least not
at any ISP I have seen so far.
> Would it be possible to have an additional option for the kernel config, so
> the connections aren't cleared if the connection goes down ?
Kernel config option seems to be a bit static, and too 'big'. What
about a sysctl? I'm happy to accept a patch that makes this behaviour
sysctl-controllable.
> Or even better, how about only clearing the connections if the link comes
> back up having a different IP ?
This would mean that we'd need to hook into the IP address change functions
of the core IPv4 stack. Too ugly.
> Is the conntrack table also being cleared if the link goes down/comes back
> up ?
As the NAT mappings are stored in the conntrack table, yes - and no. We
don't clear the whole table, just the ones MASQ'ed to the particular
interface (see ipt_MASQUERADE.c:masq_device_event() and device_cmp()).
> -- Christian
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
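As an added illustration of the selective cleanup Harald describes (this is a constructed user-space model, not code from the thread or from the kernel): only entries tagged with the downed interface's ifindex are forgotten, mirroring what device_cmp() and masq_device_event() do, while flows on other interfaces and plain SNAT flows survive. The struct layout, field names and MAX_CT are assumptions made for the demo.

```c
#include <string.h>
/* Constructed user-space model (not the kernel's code) of the selective
 * cleanup in ipt_MASQUERADE.c. Names are assumptions; only the comparison
 * logic mirrors the original. */
#define MAX_CT 8

struct ct_entry {
    int in_use;
    int masq_index; /* ifindex the flow was MASQUERADEd out of; 0 = not masq'ed */
};
struct ct_table { struct ct_entry e[MAX_CT]; };

/* device_cmp(): an entry matches iff it was masqueraded via this ifindex.
 * It never looks at addresses, so a flap that keeps the same IP still matches. */
static int device_cmp(const struct ct_entry *ct, int ifindex)
{
    return ct->in_use && ct->masq_index == ifindex;
}

/* What masq_device_event() does on NETDEV_DOWN: forget matching entries
 * only; other interfaces' flows and plain SNAT flows stay. Returns count dropped. */
int masq_device_down(struct ct_table *t, int ifindex)
{
    int dropped = 0;
    for (int i = 0; i < MAX_CT; i++) {
        if (device_cmp(&t->e[i], ifindex)) {
            t->e[i].in_use = 0;
            dropped++;
        }
    }
    return dropped;
}

/* Number of live entries left in the table. */
int ct_count(const struct ct_table *t)
{
    int n = 0;
    for (int i = 0; i < MAX_CT; i++) n += t->e[i].in_use;
    return n;
}

/* Constructed sample: two masq flows via ifindex 3 (say ppp0), one via
 * ifindex 4 (eth1), and one static SNAT flow with no masq index. */
void ct_build_sample(struct ct_table *t)
{
    static const int idx[] = {3, 3, 4, 0};
    memset(t, 0, sizeof *t);
    for (int i = 0; i < 4; i++) {
        t->e[i].in_use = 1;
        t->e[i].masq_index = idx[i];
    }
}
```

Bringing ifindex 3 down drops exactly the two ppp0 flows and leaves the eth1 and SNAT entries, which is the "yes - and no" in the reply above.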
* Re: Suggestion regarding masquerading / action when the link goes down
From: Philip Craig @ 2003-06-20 0:35 UTC (permalink / raw)
To: Harald Welte; +Cc: Christian Morgenstern, netfilter-devel
Harald Welte wrote:
> On Fri, Jun 06, 2003 at 07:02:35PM +0200, Christian Morgenstern wrote:
>>Would it be possible to have an additional option for the kernel config, so
>>the connections aren't cleared if the connection goes down ?
>
>
> Kernel config option seems to be a bit static, and too 'big'. What
> about a sysctl? I'm happy to accept a patch that makes this behaviour
> sysctl-controllable.
Shouldn't this be a new option for the MASQUERADE target, so that it
can be set per rule rather than as a global setting for all rules?
Alternatively, you could change the SNAT target so that it doesn't
require an address to be specified.
--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
* Re: Suggestion regarding masquerading / action when the link goes down
From: Harald Welte @ 2003-06-20 8:15 UTC (permalink / raw)
To: Philip Craig; +Cc: Christian Morgenstern, netfilter-devel
On Fri, Jun 20, 2003 at 10:35:44AM +1000, Philip Craig wrote:
>
> Shouldn't this be a new option for the MASQUERADE target, so that it
> can be set per rule rather than as a global setting for all rules?
>
> Alternatively, you could change the SNAT target so that it doesn't
> require an address to be specified.
Both of those ideas seem impractical. The first would require this
choice to be saved together with the rule - that would increase the
targinfo structure size and thus render it incompatible with older
MASQUERADE targets. The second ignores the fact that SNAT is a builtin
nat target of the nat core, which has no idea at all about interfaces.
> Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
> SnapGear - Custom Embedded Solutions and Security Appliances
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/