From: Patrick McHardy <kaber@trash.net>
To: Kris Op de Beeck <kris.op.de.beeck@newtec.eu>
Cc: Ulrik De Bie <ulrik.debie@newtec.eu>,
netdev@vger.kernel.org,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>
Subject: Re: DNAT sporadically doesn't replace destination IP address
Date: Tue, 27 May 2008 16:44:15 +0200 [thread overview]
Message-ID: <483C1E3F.4030802@trash.net> (raw)
In-Reply-To: <483C365A.B932.00FE.0@newtec.eu>
Kris Op de Beeck wrote:
>> What does "grep <srcport from above> /proc/net/nf_conntrack" show
>> when the problem occurs?
>>
> [ 1976.495472] nf_ct_tcp: invalid packet ignored IN= OUT= SRC=192.168.1.29 DST=10.9.9.28 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58096 DF PROTO=TCP SPT=41675 DPT=80 SEQ=3967333855 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A00065A1E0000000001030305) UID=1000
>
> sudo grep 41675 /proc/net/nf_conntrack
> ipv4 2 tcp 6 43 SYN_RECV src=192.168.1.29 dst=10.9.9.28 sport=41675 dport=80 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.29 sport=80 dport=41675 packets=3 bytes=180 mark=0 secmark=0 use=1
That looks like the client sent a SYN, the server sent three
SYN/ACKs that never reached the client and the client retransmits
its SYN. The SYN should still be NATed, but conntrack thinks
it's out of sync because it's already in SYN_RECV state, while the
client is apparently still in SYN_SENT state.
Looking back at your first mail:
> print "iptables -t mangle -A VLAN$vlan -j MARK --set-mark $vlan\n";
> print "iptables -t mangle -A OUTPUT -o eth2.$vlan -j VLAN$vlan\n";
> print "ip ro add table $vlan default dev eth2.$vlan\n";
> print "ip ru add fwmark $vlan table $vlan\n";
This looks like a chicken-and-egg problem. You mark packets based
on the output device, but use the mark to direct them to the output
device.
I guess if you use the source IP for routing table selection it
will work. Not sure why it works at all currently.
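The diagnosis above is read straight off the counters in the conntrack entry: one packet in the original direction (the SYN), three in the reply direction (the SYN/ACKs), and a state of SYN_RECV that never advanced. The following parser is an added example, not code from the thread or from netfilter; it reproduces the quoted /proc/net/nf_conntrack line as constructed sample input, splits it into the original and reply tuples, and reports what the counters imply. The field layout it assumes is the one visible in the quoted line (protocol columns, timeout, TCP state, then key=value tokens with the original tuple before the reply tuple and optional [UNREPLIED]/[ASSURED] flags); the diagnosis label and the second sample line are my own.

```python
# Constructed sample: the /proc/net/nf_conntrack entry quoted in the thread,
# reproduced here so the example runs offline.
SAMPLE_ENTRY = (
    "ipv4 2 tcp 6 43 SYN_RECV src=192.168.1.29 dst=10.9.9.28 sport=41675 dport=80 "
    "packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.29 sport=80 dport=41675 "
    "packets=3 bytes=180 mark=0 secmark=0 use=1"
)

# Constructed sample of a fresh, unreplied connection (not from the thread),
# to show the optional flag token between the two tuples.
SAMPLE_UNREPLIED = (
    "ipv4 2 tcp 6 117 SYN_SENT src=10.0.0.2 dst=10.0.0.1 sport=5555 dport=22 "
    "packets=1 bytes=60 [UNREPLIED] src=10.0.0.1 dst=10.0.0.2 sport=22 dport=5555 "
    "packets=0 bytes=0 mark=0 use=1"
)

# Keys that occur once per direction: first occurrence is the original tuple,
# second occurrence is the reply tuple.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}
INT_KEYS = {"sport", "dport", "packets", "bytes"}


def parse_nf_conntrack_line(line):
    """Parse one /proc/net/nf_conntrack line into a dict.

    Assumed layout: <l3proto> <l3num> <l4proto> <l4num> <timeout> [<tcp state>]
                    <original tuple> [flags] <reply tuple> [flags] mark=... use=...
    """
    tokens = line.split()
    entry = {
        "l3proto": tokens[0],
        "l4proto": tokens[2],
        "timeout": int(tokens[4]),
        "state": None,
        "original": {},
        "reply": {},
        "flags": [],
        "other": {},
    }
    rest = tokens[5:]
    if entry["l4proto"] == "tcp":  # only TCP entries carry a state column
        entry["state"] = rest.pop(0)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):  # e.g. [UNREPLIED], [ASSURED]
            entry["flags"].append(tok.strip("[]"))
            continue
        key, sep, value = tok.partition("=")
        if not sep:
            continue
        if key in TUPLE_KEYS:
            side = "original" if key not in entry["original"] else "reply"
            entry[side][key] = int(value) if key in INT_KEYS else value
        else:
            entry["other"][key] = value
    return entry


def describe(entry):
    """Summarise the entry in the terms used in the thread."""
    orig, reply = entry["original"], entry["reply"]
    # DNAT was applied if the reply tuple's source is not the address the
    # client originally sent to (here 10.9.9.28 was rewritten to 192.168.1.1).
    dnat_applied = reply["src"] != orig["dst"]
    summary = {
        "dnat_applied": dnat_applied,
        "dnat_target": reply["src"] if dnat_applied else None,
        "orig_packets": orig["packets"],
        "reply_packets": reply["packets"],
        "diagnosis": "ok",
    }
    # SYN_RECV with exactly one original-direction packet and at least one
    # reply means: the SYN arrived, SYN/ACKs were sent, but no ACK ever came
    # back. A retransmitted SYN from the client will then be treated as
    # out of sync by the TCP tracker, which is the "invalid packet" case above.
    if entry["l4proto"] == "tcp" and entry["state"] == "SYN_RECV":
        if orig["packets"] == 1 and reply["packets"] >= 1:
            summary["diagnosis"] = "syn-ack-not-reaching-client"
    return summary


if __name__ == "__main__":
    for line in (SAMPLE_ENTRY, SAMPLE_UNREPLIED):
        parsed = parse_nf_conntrack_line(line)
        print(parsed["state"], parsed["flags"], describe(parsed))
```

Running it on the quoted entry reports that DNAT did apply (reply source 192.168.1.1 differs from the original destination 10.9.9.28), one original packet against three replies, and the SYN/ACK-loss diagnosis; the unreplied sample parses with its flag and no diagnosis.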