From: Larry LeBlanc <leblanc@inmotiontechnology.com>
To: netfilter@lists.netfilter.org
Subject: Masquerade does not forget connections when interface goes down
Date: Tue, 15 Mar 2005 16:29:49 -0800
Message-ID: <42377DFD.1090901@inmotiontechnology.com>

There was a thread on this subject last October that did not solicit any 
real solution. Unfortunately my scenario is a little different from the 
one described before and so their workaround doesn't work for me. Here's 
the problem:

My gateway has 2 dialup interfaces, ppp0 and ppp1. Let's say the IP 
address for ppp0 is 1.2.3.4 and the address for ppp1 is 5.6.7.8. 
Masquerading is turned on for both, but ppp1 is considered a backup so 
the default route is set to transmit everything on ppp0. When it goes 
down, the default route is switched to ppp1.

One of my test cases is to have an internal client send continuous 
pings to an external address. These (as expected) get routed out ppp0 
with source address 1.2.3.4. If ppp0 drops "in-between" pings, i.e. 
after one reply is received but before the next one is sent, the next 
ping will get routed out ppp1 with source address 5.6.7.8 and everything 
is happy. On the other hand, if the failover occurs while there is an 
outstanding ping response, subsequent pings will go out ppp1 with source 
address 1.2.3.4 (and, of course, fail). The TTL on the connection in 
/proc/net/ip_conntrack is reset to 30 seconds every time a ping goes 
out, so the situation does not resolve itself. To fix things you have to 
stop the ping client, wait 30 seconds for the connection to expire, then 
start again.

My understanding is that one of the main reasons to use Masquerade 
instead of SNAT for dial-up connections is that connections are 
"forgotten" when the connection goes down. This does not seem to be the 
case, at least not for icmp packets. I am using iptables 1.2.10 and 
would consider upgrading but I see no mention of Masquerade updates in 
1.2.11 through 1.3.1 and I doubt that will fix my problem.

In lieu of an actual fix, can anyone say with confidence that this 
problem is isolated to icmp? I can probably live with ping failures in 
this case but if the problem affects other protocols I will need a fix. 
Also, is there any simple way to flush conntrack entries for addresses 
which no longer exist? If so then I can flush anything related to 
1.2.3.4 when ppp0 goes down...

Thanks,

Larry
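An added example, not from the post or from the netfilter project, of the flush the last paragraph asks about: a hypothetical /etc/ppp/ip-down hook that picks the entries masqueraded behind the dead link's address out of /proc/net/ip_conntrack and deletes them. It assumes the conntrack(8) tool from conntrack-tools (not mentioned in the post), that pppd passes the link's local address as the fourth argument to ip-down scripts, and uses the post's placeholder addresses 1.2.3.4 and 5.6.7.8 with constructed client and remote addresses.

```shell
#!/bin/sh
# Hypothetical /etc/ppp/ip-down hook (example, not the poster's setup):
# drop the conntrack entries masqueraded behind the address of the link
# that just went down, so the next packet of each flow gets a fresh NAT
# mapping on the surviving link instead of reusing the dead address.
# Deletion relies on the conntrack(8) tool from conntrack-tools (assumption).

# Read /proc/net/ip_conntrack-format lines on stdin and print, for every
# entry whose reply direction is addressed to $1 (the masqueraded address),
# the original-direction tuple: "<proto> <client src> <external dst>".
stale_entries() {
    awk -v dead="$1" '
    {
        n = 0
        # src=/dst= tokens appear in order: 1,2 original tuple, 3,4 reply
        # tuple. Tokens such as ESTABLISHED, [UNREPLIED], sport= or id= are
        # ignored, so the same logic covers icmp, tcp and udp entries.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(src|dst)=/) { n++; sub(/^(src|dst)=/, "", $i); t[n] = $i }
        if (n == 4 && t[4] == dead) print $1, t[1], t[2]
    }'
}

# Delete every stale entry for the dead address. conntrack -D with -s/-d
# matches the original direction, which is what stale_entries prints.
flush_dead_address() {
    stale_entries "$1" < /proc/net/ip_conntrack |
    while read -r proto src dst; do
        conntrack -D -p "$proto" -s "$src" -d "$dst"
    done
}

# When run by pppd as an ip-down script, $4 is the local address being lost.
if [ "$#" -ge 4 ]; then
    flush_dead_address "$4"
fi
```

Entries for the other link (here 5.6.7.8) are left alone, so flows that already fail over correctly are not disturbed.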
