From: Patrick McHardy <kaber@trash.net>
To: Marc Lehmann <schmorp@schmorp.de>
Cc: Andrew Morton <akpm@osdl.org>,
netdev@vger.kernel.org,
Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>
Subject: Re: Fw: masquerading failure for at least icmp and tcp+sack on amd64
Date: Wed, 07 Sep 2005 14:39:20 +0200 [thread overview]
Message-ID: <431EDF78.8060505@trash.net> (raw)
In-Reply-To: <20050907052057.09714a4c.akpm@osdl.org>
Andrew Morton wrote:
> I recently upgraded a 32 bit machine to a new amd64 board+cpu. I took the
> same kernel (2.6.13-rc7) and just recompiled it for 64 bit, plus upgraded
> userspace to 64 bit.
>
> Firewall config stayed the same.
>
> Problem: neither ping nor tcp was being masqueraded properly. I created
> the following test-set-up:
>
> iptables -t mangle -F
> iptables -t filter -F
> iptables -t nat -F
> iptables -t nat -A POSTROUTING -p all -s 10.0.0.0/8 -d \! 10.0.0.0/8 -j MASQUERADE
>
> i..e the above masquerade rule should be the only firewall rule, and all
> fules shoul[d have policy ACCEPT.
>
> The effect was that tcp packets and icmp packets coming from 10.0.0.1 on
> interface eth0 were properly masqueraded on the outgoing "inet" interface
> (ppp0 renamed):
>
> eth0:
> 19:17:24.364351 IP 10.0.0.1.44320 > 129.13.162.95.80: S 3745828676:3745828676(0) win 5840 <mss 1460,nop,nop,sackOK>
>
> inet:
> 19:17:24.364505 IP 84.56.237.68.44320 > 129.13.162.95.80: S 3745828676:3745828676(0) win 5840 <mss 1452,nop,nop,sackOK>
> 19:17:24.378029 IP 129.13.162.95.80 > 84.56.237.68.44320: S 3777391404:3777391404(0) ack 3745828677 win 5840 <mss 1460,nop,nop,sackOK>
> 19:17:24.378103 IP 84.56.237.68.44320 > 129.13.162.95.80: R 3745828677:3745828677(0) win 0
>
> However, the reverse packets were rejected. ip_conntrack showed this:
>
> tcp 6 52 SYN_SENT src=10.0.0.1 dst=129.13.162.95 sport=44320 dport=80 [UNREPLIED] src=129.13.162.95 dst=84.56.237.68 sport=80 dport=44320 mark=0 use=1
It seems ip_conntrack did not like the SYN/ACK and marked it as invalid,
NAT leaves the packet alone and the firewall resets the connection.
Please try if loading the ipt_LOG module and executing
"echo 255 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid"
gives more information
> Weird obervation 2:
>
> Some sites could be connected to with TCP. It turned out that those
> sites did not support TCP SACK. Indeed, turning off SACK either on the
> remote side of a connection or on the origonator side resulted in workign
> masquerading:
>
> eth0:
> 19:23:29.928470 IP 10.0.0.1.45611 > 129.13.162.95.80: S 4113365634:4113365634(0) win 5840 <mss 1460>
> 19:23:29.942246 IP 129.13.162.95.80 > 10.0.0.1.45611: S 4161877683:4161877683(0) ack 4113365635 win 5840 <mss 1460>
> 19:23:29.942313 IP 10.0.0.1.45611 > 129.13.162.95.80: . ack 1 win 5840
>
> inet:
> 19:23:29.928249 IP 84.56.237.68.45611 > 129.13.162.95.80: S 4113365634:4113365634(0) win 5840 <mss 1452>
> 19:23:29.942199 IP 129.13.162.95.80 > 84.56.237.68.45611: S 4161877683:4161877683(0) ack 4113365635 win 5840 <mss 1460>
> 19:23:29.942332 IP 84.56.237.68.45611 > 129.13.162.95.80: . ack 1 win 5840
>
> However, ICMP still is not masqueraded.
Please also try this again with logging enabled.
> Kernels that worked:
>
> 2.6.13-rc7, 2.6.12.5, 2.6.11 and lower, compiled for x86 with gcc-3.4
>
> Kernels that don't work:
>
> 2.6.13-rc7 (compiled with gcc-3.4 and 4.0.2 debian), 2.6.13 (gcc-4.02)
Can you retest with 2.6.12.5 on 64bit so we can see if it is a new
problem?
> Kernel configuration was exactly the same for the 2.6.13-rc7 kernels,
> modulo the cpu and architectrue selections.
>
> I have a somewhat nontrivial source routing set-up on that machine that I
> could document more if that could be a possible reason for that problem. I
> am confident that this is not a configuration error, as the configuraiton
> worked basically unchanged since the 2.4 days, and I am confident it's not
> a iptables setup problem either, as I can reproduce it with empty rules
> except for the masquerading rule.
So far I don't think its related to routed.
next parent reply other threads:[~2005-09-07 12:39 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20050907052057.09714a4c.akpm@osdl.org>
2005-09-07 12:39 ` Patrick McHardy [this message]
2005-09-07 20:59 ` Fw: masquerading failure for at least icmp and tcp+sack on amd64 Marc Lehmann
2005-09-07 21:34 ` Patrick McHardy
2005-09-07 21:52 ` Marc Lehmann
2005-09-09 11:41 ` Patrick McHardy
2005-09-11 13:19 ` Marc Lehmann
2005-09-11 14:10 ` Patrick McHardy
2005-09-13 18:09 ` Stephen Hemminger
2005-09-13 20:59 ` David S. Miller
2005-09-14 1:13 ` Patrick McHardy
2005-09-14 3:41 ` David S. Miller
2005-09-14 1:10 ` Patrick McHardy
2005-09-14 19:09 ` Fw: " Marc Lehmann
2005-09-07 21:34 ` Marc Lehmann
2005-09-07 21:42 ` Patrick McHardy
2005-09-07 21:54 ` Marc Lehmann
2005-09-07 22:08 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=431EDF78.8060505@trash.net \
--to=kaber@trash.net \
--cc=akpm@osdl.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=schmorp@schmorp.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.