From: Patrick McHardy <kaber@trash.net>
To: chip@innovates.com
Cc: netfilter-devel@lists.netfilter.org, bof@bof.de
Subject: Re: conntrack NAT problem w/ UDP
Date: Tue, 03 Jan 2006 13:18:12 +0100
Message-ID: <43BA6B84.3020509@trash.net>
In-Reply-To: <H0000067001795ab.1135782766.@MHS>

chip@innovates.com wrote:
> The packet rewriting is not happening for the outgoing packets, 
> therefore the other end can never reply because it has a private IP 
> address being sent as the source address.  
> 
> The timeout issue has been thoroughly debunked by numerous people.  
> Asterisk sends a packet every 30 seconds to keep NAT connections alive.  
> 
> 
> The problem is definitely something getting lost in netfilter.  When the 
> problem occurs, DNS and other UDP traffic with different source ports 
> than destination ports are still correctly rewritten.  The last time the 
> problem occurred for me, I completely reload the all the tables and 
> tried using SNAT vs. MASQUERADE.  Nothing made any packets get rewritten 
> for Asterisk connections except rebooting the router.  Next time, I will 
> try unloading all the netfilter modules and reloading them before 
> rebooting.  
> 
> When this happens I don't have much time for debugging, because of the 
> urgency to get a production phone system back in service.  That is why 
> I'm asking what should I examine to find out where netfilter is missing 
> this connection?

You could monitor the conntrack events with the conntrack tool.
A table dump while the problem occurs might also help.
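
One way to read such a table dump, as an added example that is not part of the original message: the function below takes lines in the format printed by `conntrack -L` and lists UDP flows from a private source whose reply tuple still targets that private address, meaning the entry carries no source-NAT mapping. It assumes the router source-NATs RFC 1918 LAN hosts towards public destinations; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. On a live router the input would come from:
#   conntrack -L -p udp | find_unnatted_udp

find_unnatted_udp() {
    awk '
    function is_private(ip) {
        return ip ~ /^10\./ || ip ~ /^192\.168\./ ||
               ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
    }
    $1 == "udp" {
        n_src = n_dst = 0
        osrc = odst = rdst = osport = odport = ""
        # The first src/dst/sport/dport belong to the original direction,
        # the second src/dst to the expected reply direction.
        for (i = 4; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src" && ++n_src == 1) osrc = kv[2]
            else if (kv[1] == "dst" && ++n_dst == 1) odst = kv[2]
            else if (kv[1] == "dst" && n_dst == 2) rdst = kv[2]
            else if (kv[1] == "sport" && osport == "") osport = kv[2]
            else if (kv[1] == "dport" && odport == "") odport = kv[2]
        }
        # With SNAT/MASQUERADE applied, the reply dst is the public address.
        # If it equals the private original src, nothing was rewritten.
        if (is_private(osrc) && !is_private(odst) && rdst == osrc)
            printf "%s:%s -> %s:%s timeout=%s\n", osrc, osport, odst, odport, $3
    }'
}

# Constructed sample dump: a SIP flow with no NAT mapping, a DNS flow and
# a TCP flow that were both rewritten to the public address 198.51.100.2.
sample_dump() {
    cat <<'EOF'
udp      17 170 src=192.168.1.10 dst=203.0.113.5 sport=5060 dport=5060 src=203.0.113.5 dst=192.168.1.10 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.10 dst=203.0.113.53 sport=40312 dport=53 src=203.0.113.53 dst=198.51.100.2 sport=53 dport=40312 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.80 sport=51000 dport=80 src=203.0.113.80 dst=198.51.100.2 sport=80 dport=51000 [ASSURED] mark=0 use=1
EOF
}

sample_dump | find_unnatted_udp
```

The timeout column shows how long each listed entry has left before it expires.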
