* snat local packets and arp
From: Marco Berizzi @ 2008-01-15 10:39 UTC
To: netfilter-devel
Hello everybody.
I have configured a linux 2.6.23 box with two ip
addresses on a single interface:
# ip a s dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
link/ether 00:30:05:cb:27:c1 brd ff:ff:ff:ff:ff:ff
inet hdsl.254/27 brd hdsl.255 scope global eth0
inet adsl.134/29 brd adsl.135 scope global eth0
This box is running squid as a proxy server. The
default gateway is hdsl.225
Locally generated packets from squid are SNATed with
adsl.134 and then they are marked so they are forwarded
to the adsl router (adsl.129).
There is always a packet flow (one per second) between both
the cisco routers (hdsl.225 and adsl.129) and the
linux box.
But linux is arping the adsl.129 router every few
seconds:
10:54:11.787680 : arp who-has adsl.129 tell adsl.134
10:54:11.788293 : arp reply adsl.129 is-at 00:1b:...
10:54:34.580798 : arp who-has adsl.129 tell adsl.134
10:54:34.581441 : arp reply adsl.129 is-at 00:1b:...
10:55:17.420198 : arp who-has adsl.129 tell adsl.134
10:55:17.420836 : arp reply adsl.129 is-at 00:1b:...
10:56:00.552606 : arp who-has adsl.129 tell adsl.134
10:56:00.553231 : arp reply adsl.129 is-at 00:1b:...
It is like linux doesn't understand it is also
using adsl.129, because it is generating packets
with source ip=hdsl.254 and then I SNAT them with
adsl.134 in the postrouting chain.
Is this behaviour expected?
Running ping adsl.129 stops linux from arping the
adsl.129 router.

* Re: snat local packets and arp
From: Patrick McHardy @ 2008-01-15 15:57 UTC
To: Marco Berizzi; +Cc: netfilter-devel

Marco Berizzi wrote:
> Hello everybody.
> I have configured a linux 2.6.23 box with two ip
> addresses on a single interface:
>
> # ip a s dev eth0
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
> link/ether 00:30:05:cb:27:c1 brd ff:ff:ff:ff:ff:ff
> inet hdsl.254/27 brd hdsl.255 scope global eth0
> inet adsl.134/29 brd adsl.135 scope global eth0
>
> This box is running squid as a proxy server. The
> default gateway is hdsl.225
> Locally generated packets from squid are SNATed with
> adsl.134 and then they are marked so they are forwarded
> to the adsl router (adsl.129).
> There is always a packet flow (one per second) between both
> the cisco routers (hdsl.225 and adsl.129) and the
> linux box.
> But linux is arping the adsl.129 router every few
> seconds:
>
> 10:54:11.787680 : arp who-has adsl.129 tell adsl.134
> 10:54:11.788293 : arp reply adsl.129 is-at 00:1b:...
> 10:54:34.580798 : arp who-has adsl.129 tell adsl.134
> 10:54:34.581441 : arp reply adsl.129 is-at 00:1b:...
> 10:55:17.420198 : arp who-has adsl.129 tell adsl.134
> 10:55:17.420836 : arp reply adsl.129 is-at 00:1b:...
> 10:56:00.552606 : arp who-has adsl.129 tell adsl.134
> 10:56:00.553231 : arp reply adsl.129 is-at 00:1b:...
>
> It is like linux doesn't understand it is also
> using adsl.129, because it is generating packets
> with source ip=hdsl.254 and then I SNAT them with
> adsl.134 in the postrouting chain.
>
> Is this behaviour expected?
>
> Running ping adsl.129 stops linux from arping the
> adsl.129 router.

I don't get it. You say this box is using adsl.129 as
nexthop for the locally generated squid packets.
So what's wrong with sending arp queries for that router?

* Re: snat local packets and arp
From: Marco Berizzi @ 2008-01-15 16:22 UTC
To: Patrick McHardy; +Cc: netfilter-devel

Patrick McHardy wrote:
> Marco Berizzi wrote:
> > Hello everybody.
> > I have configured a linux 2.6.23 box with two ip
> > addresses on a single interface:
> >
> > # ip a s dev eth0
> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
> > link/ether 00:30:05:cb:27:c1 brd ff:ff:ff:ff:ff:ff
> > inet hdsl.254/27 brd hdsl.255 scope global eth0
> > inet adsl.134/29 brd adsl.135 scope global eth0
> >
> > This box is running squid as a proxy server. The
> > default gateway is hdsl.225
> > Locally generated packets from squid are SNATed with
> > adsl.134 and then they are marked so they are forwarded
> > to the adsl router (adsl.129).
> > There is always a packet flow (one per second) between both
> > the cisco routers (hdsl.225 and adsl.129) and the
> > linux box.
> > But linux is arping the adsl.129 router every few
> > seconds:
> >
> > 10:54:11.787680 : arp who-has adsl.129 tell adsl.134
> > 10:54:11.788293 : arp reply adsl.129 is-at 00:1b:...
> > 10:54:34.580798 : arp who-has adsl.129 tell adsl.134
> > 10:54:34.581441 : arp reply adsl.129 is-at 00:1b:...
> > 10:55:17.420198 : arp who-has adsl.129 tell adsl.134
> > 10:55:17.420836 : arp reply adsl.129 is-at 00:1b:...
> > 10:56:00.552606 : arp who-has adsl.129 tell adsl.134
> > 10:56:00.553231 : arp reply adsl.129 is-at 00:1b:...
> >
> > It is like linux doesn't understand it is also
> > using adsl.129, because it is generating packets
> > with source ip=hdsl.254 and then I SNAT them with
> > adsl.134 in the postrouting chain.
> >
> > Is this behaviour expected?
> >
> > Running ping adsl.129 stops linux from arping the
> > adsl.129 router.
>
> I don't get it. You say this box is using adsl.129 as
> nexthop for the locally generated squid packets.

Yes I'm using this dirty trick:

iptables -t mangle -I PREROUTING ... --dports 80,443 -j MARK --set-mark 1
ip rule add fwmark 1 table adsl prio 400

#ip route sh table adsl
default via adsl.129 dev eth0

> So what's wrong with sending arp queries for that router?

I don't understand why it is sending arp queries for
the adsl router every minute and it doesn't send a single
arp query for hours to the other hdsl router.

* Re: snat local packets and arp
From: Patrick McHardy @ 2008-01-15 16:32 UTC
To: Marco Berizzi; +Cc: netfilter-devel

Marco Berizzi wrote:
> Patrick McHardy wrote:
>
>>> Running ping adsl.129 stops linux from arping the
>>> adsl.129 router.
>> I don't get it. You say this box is using adsl.129 as
>> nexthop for the locally generated squid packets.
>
> Yes I'm using this dirty trick:
>
> iptables -t mangle -I PREROUTING ... --dports 80,443 -j MARK
> --set-mark 1
> ip rule add fwmark 1 table adsl prio 400
>
> #ip route sh table adsl
> default via adsl.129 dev eth0
>
>> So what's wrong with sending arp queries for that router?
>
> I don't understand why it is sending arp queries for
> the adsl router every minute and it doesn't send a single
> arp query for hours to the other hdsl router.

Do the routers send arp queries to the Linux box?

* Re: snat local packets and arp
From: Marco Berizzi @ 2008-01-15 16:40 UTC
To: Patrick McHardy; +Cc: netfilter-devel

Patrick McHardy wrote:
> Marco Berizzi wrote:
> > Patrick McHardy wrote:
> >
> >>> Running ping adsl.129 stops linux from arping the
> >>> adsl.129 router.
> >> I don't get it. You say this box is using adsl.129 as
> >> nexthop for the locally generated squid packets.
> >
> > Yes I'm using this dirty trick:
> >
> > iptables -t mangle -I PREROUTING ... --dports 80,443 -j MARK
> > --set-mark 1
> > ip rule add fwmark 1 table adsl prio 400
> >
> > #ip route sh table adsl
> > default via adsl.129 dev eth0
> >
> >> So what's wrong with sending arp queries for that router?
> >
> > I don't understand why it is sending arp queries for
> > the adsl router every minute and it doesn't send a single
> > arp query for hours to the other hdsl router.
>
> Do the routers send arp queries to the Linux box?

Honestly, I don't know. This is the output running
tcpdump -pnvi eth0 arp

10:54:11.787680 : arp who-has adsl.129 tell adsl.134
10:54:11.788293 : arp reply adsl.129 is-at 00:1b:...
10:54:34.580798 : arp who-has adsl.129 tell adsl.134
10:54:34.581441 : arp reply adsl.129 is-at 00:1b:...
10:55:17.420198 : arp who-has adsl.129 tell adsl.134
10:55:17.420836 : arp reply adsl.129 is-at 00:1b:...
10:56:00.552606 : arp who-has adsl.129 tell adsl.134
10:56:00.553231 : arp reply adsl.129 is-at 00:1b:...

I only see the linux box querying the cisco and not
vice versa. AFAIK the cisco has been configured by
the ISP with a very high timeout for the arp cache.

PS: The linux is 2.6.23 with default options except
arp_filter/rp_filter/proxy_arp set to 1 on eth0

* Re: snat local packets and arp
From: Patrick McHardy @ 2008-01-15 16:42 UTC
To: Marco Berizzi; +Cc: netfilter-devel

Marco Berizzi wrote:
>> Do the routers send arp queries to the Linux box?
>
> Honestly, I don't know. This is the output running
> tcpdump -pnvi eth0 arp
>
> 10:54:11.787680 : arp who-has adsl.129 tell adsl.134
> 10:54:11.788293 : arp reply adsl.129 is-at 00:1b:...
> 10:54:34.580798 : arp who-has adsl.129 tell adsl.134
> 10:54:34.581441 : arp reply adsl.129 is-at 00:1b:...
> 10:55:17.420198 : arp who-has adsl.129 tell adsl.134
> 10:55:17.420836 : arp reply adsl.129 is-at 00:1b:...
> 10:56:00.552606 : arp who-has adsl.129 tell adsl.134
> 10:56:00.553231 : arp reply adsl.129 is-at 00:1b:...
>
> I only see the linux box querying the cisco and not
> vice versa. AFAIK the cisco has been configured by
> the ISP with a very high timeout for the arp cache.
>
> PS: The linux is 2.6.23 with default options except
> arp_filter/rp_filter/proxy_arp set to 1 on eth0

Try disabling rp_filter, that should make it behave similarly
for both addresses. With rp_filter, the input routing done
by arp.c fails because the mark is different and it doesn't
go to your special routing table, so it doesn't update the
cache from arp queries from that router.

* Re: snat local packets and arp
From: Marco Berizzi @ 2008-01-16 8:46 UTC
To: Patrick McHardy; +Cc: netfilter-devel

Patrick McHardy wrote:
> Marco Berizzi wrote:
> >> Do the routers send arp queries to the Linux box?
> >
> > Honestly, I don't know. This is the output running
> > tcpdump -pnvi eth0 arp
> >
> > 10:54:11.787680 : arp who-has adsl.129 tell adsl.134
> > 10:54:11.788293 : arp reply adsl.129 is-at 00:1b:...
> > 10:54:34.580798 : arp who-has adsl.129 tell adsl.134
> > 10:54:34.581441 : arp reply adsl.129 is-at 00:1b:...
> > 10:55:17.420198 : arp who-has adsl.129 tell adsl.134
> > 10:55:17.420836 : arp reply adsl.129 is-at 00:1b:...
> > 10:56:00.552606 : arp who-has adsl.129 tell adsl.134
> > 10:56:00.553231 : arp reply adsl.129 is-at 00:1b:...
> >
> > I only see the linux box querying the cisco and not
> > vice versa. AFAIK the cisco has been configured by
> > the ISP with a very high timeout for the arp cache.
> >
> > PS: The linux is 2.6.23 with default options except
> > arp_filter/rp_filter/proxy_arp set to 1 on eth0
>
> Try disabling rp_filter, that should make it behave similarly
> for both addresses. With rp_filter, the input routing done
> by arp.c fails because the mark is different and it doesn't
> go to your special routing table, so it doesn't update the
> cache from arp queries from that router.

Done (echo 0 > /proc/sys/net/ipv4/conf/eth0 && ip route flush cache),
but no luck: same behaviour. Now only arp_filter and proxy_arp
are set to one on eth0.
Here is a capture taken a few minutes ago:

09:25:30.784282 IP (tos 0x0, ttl 51, id 45968, offset 0, flags [none], length: 675) 72.14.221.18.80 > adsl.134.45712: P 4827:5450(623) ack 1835 win 11344 <nop,nop,timestamp 1942678180 568666441>
09:25:30.785267 IP (tos 0x0, ttl 64, id 36780, offset 0, flags [DF], length: 52) adsl.134.45712 > 72.14.221.18.80: . [tcp sum ok] ack 5450 win 2525 <nop,nop,timestamp 568666460 1942678180>
09:25:34.346859 arp who-has adsl.129 tell adsl.134
09:25:34.347517 arp reply adsl.129 is-at 00:1b:90:c8:06:b8
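As an added diagnostic example (not part of the thread, and not code from either poster), the script below summarises a capture in the format of the `tcpdump -pnvi eth0 arp` output shown in the thread: it counts who-has requests per requester/target pair, which answers Patrick's question of whether the routers ever query the Linux box, and reports the longest gap between the box's repeated requests. The sample lines are constructed from the capture quoted above; the adsl.* and hdsl.* addresses are the thread's own placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an ARP capture in the
# "tcpdump -pnvi eth0 arp" layout. Sample lines constructed from the thread;
# the adsl.* addresses are the thread's placeholders, not real hosts.

ARP_CAPTURE='10:54:11.787680 : arp who-has adsl.129 tell adsl.134
10:54:11.788293 : arp reply adsl.129 is-at 00:1b:...
10:54:34.580798 : arp who-has adsl.129 tell adsl.134
10:54:34.581441 : arp reply adsl.129 is-at 00:1b:...
10:55:17.420198 : arp who-has adsl.129 tell adsl.134
10:55:17.420836 : arp reply adsl.129 is-at 00:1b:...
10:56:00.552606 : arp who-has adsl.129 tell adsl.134
10:56:00.553231 : arp reply adsl.129 is-at 00:1b:...'

# Number of "who-has TARGET tell REQUESTER" requests ($1 = target, $2 = requester).
# The who-has token is located by scanning, so both the "HH:MM:SS : arp ..." and
# the "HH:MM:SS arp ..." layouts seen in the thread are handled.
arp_request_count() {
    printf '%s\n' "$ARP_CAPTURE" | awk -v t="$1" -v r="$2" '
        { for (i = 1; i <= NF; i++)
              if ($i == "who-has" && $(i+1) == t && $(i+3) == r) n++ }
        END { print n + 0 }'
}

# Longest gap in whole seconds between consecutive requests for TARGET from
# REQUESTER. With steady traffic to the router, the neighbour entry should be
# confirmed by that traffic rather than re-queried every few tens of seconds.
arp_max_request_gap() {
    printf '%s\n' "$ARP_CAPTURE" | awk -v t="$1" -v r="$2" '
        {
            for (i = 1; i <= NF; i++)
                if ($i == "who-has" && $(i+1) == t && $(i+3) == r) {
                    split($1, hms, ":")
                    now = hms[1] * 3600 + hms[2] * 60 + hms[3]
                    if (seen && now - last > max) max = now - last
                    seen = 1; last = now
                }
        }
        END { printf "%d\n", max + 0.5 }'
}

# Example run: the thread's capture shows only the Linux box querying the
# ADSL router, never the reverse, with up to about 43 seconds between requests.
printf 'linux -> adsl router requests: %s\n' "$(arp_request_count adsl.129 adsl.134)"
printf 'adsl router -> linux requests: %s\n' "$(arp_request_count adsl.134 adsl.129)"
printf 'longest gap between requests: %ss\n' "$(arp_max_request_gap adsl.129 adsl.134)"
```

Replace the ARP_CAPTURE string with the output of a real capture file to run the same check against a live box.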