From: Patrick McHardy <kaber@trash.net>
To: coreteam@netfilter.org
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Enabling CONFIG_IP_NAT_LOCAL unconditionally
Date: Sat, 27 Nov 2004 12:53:56 +0100
Message-ID: <41A86AD4.1060706@trash.net>
Hi,
I discovered more problems with locally generated ICMP errors while
testing NAT with IPsec. When an error is generated after POST_ROUTING,
the original packet has already been SNATed. icmp_reply_translation
expects all packets to go PRE_ROUTING -> ... -> POST_ROUTING, so both
SNAT and DNAT of the inner packet can be reversed and applied to the
outer packet in the opposite direction. Locally generated ICMP errors
only go through LOCAL_OUT -> POST_ROUTING. Since they never hit
PRE_ROUTING, the inner packet is not reverse-SNATed and the outer
packet is not DNATed properly.
Example with locally generated traffic. The error is best visible for
locally generated traffic with SNAT to non-local addresses; with local
addresses the error is reported properly anyway, unless the port number
is also translated.
eth0 is 172.16.195.3/16, 172.16.195.100 does not exist:
# iptables -t nat -A POSTROUTING -o eth0 -d 172.16.195.100 -j SNAT --to-source 10.0.0.1
# telnet 172.16.195.100
on eth0:
IP (tos 0xd0, ttl 64, id 57576, offset 0, flags [none], length: 88)
172.16.195.3 > 10.0.0.1: icmp 68: host 172.16.195.100 unreachable for IP
(tos 0x10, ttl 64, id 48538, offset 0, flags [DF], length: 60)
10.0.0.1.33912 > 172.16.195.100.23: [|tcp]
It seems the easiest fix for this is always enabling CONFIG_IP_NAT_LOCAL
and applying PRE_ROUTING manips in LOCAL_OUT in icmp_reply_translation.
Is everyone fine with this?
Regards
Patrick
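The two translations the mail says icmp_reply_translation has to perform on a locally generated error (reverse the SNAT on the quoted inner packet, then DNAT the outer packet to the original source so the error reaches the local socket) are shown below on the exact packet from the tcpdump output. This is an added example for the reader, not netfilter or kernel code: the struct snat_map binding, the function names and the byte layout helpers are this example's own, and the sample packet is constructed from the dump with the TCP options zero-filled because the dump does not show them. It goes a little beyond the mail's TCP case by also accepting UDP and by updating the quoted transport checksum incrementally (RFC 1624), which is the only option when the quoted bytes do not cover the whole segment.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not netfilter code: byte-level IPv4/ICMP handling per RFC 791/792. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
static uint16_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }

/* RFC 1071 ones-complement sum of n bytes added to s, folded to 16 bits. */
static uint16_t sum16(const uint8_t *p, size_t n, uint32_t s)
{
    for (; n > 1; p += 2, n -= 2) s += rd16(p);
    if (n) s += (uint32_t)p[0] << 8;
    return fold(s);
}
static uint16_t csum(const uint8_t *p, size_t n) { return (uint16_t)~sum16(p, n, 0); }
/* TCP checksum including the IPv4 pseudo-header (addresses, protocol 6, TCP length). */
static uint16_t tcp_csum(const uint8_t *ip, const uint8_t *tcp, size_t n)
{ return (uint16_t)~sum16(tcp, n, sum16(ip + 12, 8, 0) + 6 + (uint32_t)n); }

/* RFC 1624 incremental update HC' = ~(~HC + ~m + m'): how a NAT fixes the quoted
 * transport checksum when the bytes it covers are not all present to recompute. */
static uint16_t csum_replace16(uint16_t c, uint16_t o, uint16_t n)
{ return (uint16_t)~fold((uint32_t)((uint16_t)~c + (uint16_t)~o + n)); }
static uint16_t csum_replace32(uint16_t c, uint32_t o, uint32_t n)
{ return csum_replace16(csum_replace16(c, (uint16_t)(o >> 16), (uint16_t)(n >> 16)), (uint16_t)o, (uint16_t)n); }

struct snat_map {                              /* one conntrack SNAT binding (hypothetical layout) */
    uint32_t orig_addr; uint16_t orig_port;    /* as the local socket sees it */
    uint32_t nat_addr;  uint16_t nat_port;     /* as POSTROUTING put it on the wire */
};

/* Reverse the SNAT inside a locally generated ICMP error and steer the error
 * back to the original source. 1 = translated, 0 = no match, -1 = malformed. */
int icmp_error_reverse_snat(uint8_t *pkt, size_t len, const struct snat_map *m)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ohl = (pkt[0] & 0x0f) * 4;
    if (ohl < 20 || rd16(pkt + 2) != len || len < ohl + 8 + 20 || pkt[9] != 1) return -1;
    uint8_t *icmp = pkt + ohl, *in = icmp + 8, t = icmp[0];
    if (t != 3 && t != 4 && t != 5 && t != 11 && t != 12) return 0;  /* not an error: nothing quoted */
    size_t ilen = len - ohl - 8, ihl = (in[0] & 0x0f) * 4;
    if ((in[0] >> 4) != 4 || ihl < 20 || ilen < ihl + 8) return -1; /* RFC 792: >= 8 bytes of L4 */
    uint8_t *l4 = in + ihl;
    int tcpudp = in[9] == 6 || in[9] == 17;
    /* The quoted packet left in the original direction, so its source carries the
     * SNAT address/port; that, not the original tuple, is what has to match. */
    if (rd32(in + 12) != m->nat_addr || (tcpudp && rd16(l4) != m->nat_port)) return 0;

    /* 1. Inner packet: undo SNAT on source address and source port. */
    wr32(in + 12, m->orig_addr);
    wr16(in + 10, 0); wr16(in + 10, csum(in, ihl));
    if (tcpudp) {
        size_t coff = in[9] == 6 ? 16 : 6;          /* checksum offset in TCP / UDP header */
        wr16(l4, m->orig_port);
        if (ilen >= ihl + coff + 2) {                /* only if those bytes were actually quoted */
            uint16_t c = rd16(l4 + coff);
            if (in[9] == 6 || c != 0) {              /* UDP checksum 0 means "none" */
                c = csum_replace32(c, m->nat_addr, m->orig_addr);
                wr16(l4 + coff, csum_replace16(c, m->nat_port, m->orig_port));
            }
        }
    }
    /* 2. Outer packet runs in the reply direction: DNAT its destination to the
     * original source, or the error is routed out instead of to the local socket. */
    wr32(pkt + 16, m->orig_addr);
    wr16(pkt + 10, 0); wr16(pkt + 10, csum(pkt, ohl));
    /* 3. ICMP checksum spans the ICMP header plus the whole quoted packet. */
    wr16(icmp + 2, 0); wr16(icmp + 2, csum(icmp, len - ohl));
    return 1;
}

/* The packet from the tcpdump line in the mail as constructed bytes (TCP options
 * zero-filled since the dump does not show them); all checksums filled in. */
size_t build_sample(uint8_t *b)
{
    static const uint8_t outer[] = { 0x45,0xd0, 0x00,0x58, 0xe0,0xe8, 0,0, 64,1, 0,0, 172,16,195,3, 10,0,0,1 };
    static const uint8_t icmph[] = { 3,1, 0,0, 0,0,0,0 };   /* type 3 code 1: host unreachable */
    static const uint8_t inner[] = { 0x45,0x10, 0x00,0x3c, 0xbd,0x9a, 0x40,0x00, 64,6, 0,0, 10,0,0,1, 172,16,195,100 };
    memcpy(b, outer, 20); memcpy(b + 20, icmph, 8); memcpy(b + 28, inner, 20); memset(b + 48, 0, 40);
    wr16(b + 48, 33912); wr16(b + 50, 23); b[60] = 0xa0; b[61] = 0x02;   /* .33912 > .23, doff 10, SYN */
    wr16(b + 64, tcp_csum(b + 28, b + 48, 40));
    wr16(b + 38, csum(b + 28, 20)); wr16(b + 22, csum(b + 20, 68)); wr16(b + 10, csum(b, 20));
    return 88;
}

/* Translate the sample and check every field and checksum; returns 0 when all is well. */
int verify_sample(void)
{
    uint8_t pkt[88]; size_t len = build_sample(pkt);
    struct snat_map m = { 0xac10c303, 33912, 0x0a000001, 33912 };   /* 172.16.195.3 <-> 10.0.0.1 */
    if (icmp_error_reverse_snat(pkt, len, &m) != 1) return 1;
    if (rd32(pkt + 16) != m.orig_addr || rd32(pkt + 40) != m.orig_addr || rd16(pkt + 48) != m.orig_port) return 2;
    if (csum(pkt, 20) || csum(pkt + 20, 68) || csum(pkt + 28, 20)) return 3;   /* IP and ICMP sums valid */
    if (tcp_csum(pkt + 28, pkt + 48, 40)) return 4;      /* incremental update equals full recompute */
    return icmp_error_reverse_snat(pkt, len, &m) == 0 ? 0 : 5;  /* second pass finds nothing to match */
}

int main(void) { return verify_sample(); }
```

Run it and check the exit status: 0 means the outer destination and the inner source both read 172.16.195.3 afterwards, every IP and ICMP checksum verifies, and the incrementally adjusted TCP checksum agrees with a full recomputation over the new pseudo-header. The match is deliberately done on the SNAT side of the binding: without the PRE_ROUTING pass the mail describes, the quoted packet still carries 10.0.0.1 as source, and a lookup keyed on the original tuple would find nothing.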