From: Patrick McHardy <kaber@trash.net>
To: Whit Blauvelt <whit@transpect.com>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Jan Engelhardt <jengelh@computergmbh.de>,
netfilter@vger.kernel.org,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>
Subject: Re: Why does ipv6 enabled interfere with ipv4 SNAT?
Date: Tue, 25 Mar 2008 16:53:19 +0100 [thread overview]
Message-ID: <47E91FEF.9080705@trash.net> (raw)
In-Reply-To: <20080325142553.GA8783@transpect.com>
Whit Blauvelt wrote:
>
> Josef, the set of iptables modules is precisely the same whether or not ipv6
> is enabled on the system (yes, I've looked). The only difference is whether
> the ipv6 module is loaded. Blocking the ipv6 module from loading at boot
> both prevents (of course) the /proc/sys/net/ipv6 space from being populated.
> It also fully restores SNAT functionality.
>
> There are no error messages from "iptables -t nat" commands. The nat rules
> show up precisely the same in the resulting tables - they just don't count
> any packets traversing them if ipv6 is also enabled. I haven't done packet
> inspection to see what's happening, but the problem remains:
>
> With _everything else_ unchanged, simply letting the ipv6 module load at
> boot results in:
>
> 1) eth4 and eth5 not showing up as they should for ipv6 in
> /proc/sys/net/ipv6/conf
>
> and (whether related or a separate bug)
>
> 2) ipv4 Netfilter SNAT (in POSTROUTING in this case) becoming a black hole
>
> Boxes behind the firewall can still ping the firewall. The firewall can
> still ping the world. But just with the ipv6 module loaded, the boxes behind
> the firewall cannot ping the world. Clearly ipv6 is not properly
> provisioning its space. But why should ipv6's failing have any effect at all
> on ipv4 functionality?
>
> For me, not loading the ipv6 module is a totally fine workaround. It's
> useless cruft in my context anyway. But even though my problem is fixed for
> now, it will be a problem for other people (maybe only those with > 4
> ethernet devices?) when the ipv6 transition finally happens. I remember in
> the early 90s when we were expecting it by about 1998.
>
> So in the spirit of open source development, I'm looking for for someone
> with better knowledge of the underlying theory to help identify where the
> bug here is. Then the responsible developers can have a chance to fix it
> before a lot of other sysadmins also end up wasting many hours because of
> the non-obviousness of having to look at ipv6 stuff to find why ipv4 SNAT
> becomes a black hole.
Please post the list of modules loaded and the output of
/proc/net/nf_conntrack.
next prev parent reply other threads:[~2008-03-25 15:53 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-25 1:28 Why does ipv6 enabled interfere with ipv4 SNAT? Whit Blauvelt
2008-03-25 1:58 ` Jan Engelhardt
2008-03-25 2:44 ` Whit Blauvelt
2008-03-25 2:57 ` Jan Engelhardt
2008-03-25 3:57 ` Whit Blauvelt
2008-03-25 11:03 ` Jozsef Kadlecsik
2008-03-25 14:25 ` Whit Blauvelt
2008-03-25 15:53 ` Patrick McHardy [this message]
2008-03-27 14:10 ` Whit Blauvelt
2008-04-02 10:26 ` Patrick McHardy
2008-03-26 9:45 ` Jozsef Kadlecsik
2008-03-27 14:15 ` Whit Blauvelt
2008-03-26 11:03 ` Pascal Hambourg
2008-03-26 11:12 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47E91FEF.9080705@trash.net \
--to=kaber@trash.net \
--cc=jengelh@computergmbh.de \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=whit@transpect.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.