From: Stephen Clark <sclark46@earthlink.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Chris Wilson <chris-netfilter-110904@aptivate.org>,
netfilter-devel@vger.kernel.org
Subject: Re: UDP packets sent with wrong source address after routing change [AV#3431]
Date: Tue, 13 Nov 2012 09:23:04 -0500 [thread overview]
Message-ID: <50A257C8.8050700@earthlink.net> (raw)
In-Reply-To: <20121112233024.GA15215@1984>
On 11/12/2012 06:30 PM, Pablo Neira Ayuso wrote:
> Hi Jozsef,
>
> On Mon, Nov 12, 2012 at 08:34:26PM +0100, Jozsef Kadlecsik wrote:
>> On Mon, 12 Nov 2012, Chris Wilson wrote:
>>
>>> I propose that:
>>>
>>> * when the packet matches an existing conntrack rule, and
>>>
>>> * is sent out of an interface that does not list the packet's new (SNAT-to)
>>> source address as one of its IP addresses (i.e. if this were a new
>>> connection, MASQUERADE would not choose this source address), and
>>>
>>> * the --update-source-address flag is set on the MASQUERADE target
>>>
>>> then update the source address on the conntrack rule to the new one.
>>>
>>> That's the same thing that would happen if we deleted the conntrack entry
>>> first: MASQUERADE would choose a new source address and save it in the new
>>> conntrack entry.
>> What do you think about this?
>>
>> - add route change notification event to the net core
>> - add --update-source-address flag to the MASQUERADE target
>> - add a call for such events to the MASQUERADE target, when
>> the flag is enabled
>>
>> The called function then can scan the conntrack table and for every entry
>> which has got the update-source-address flag, can check whether the source
>> IP address should be changed. Those entries are then deleted.
> It seems to me this can be implemented this from user-space. It would
> require a new working mode for conntrackd that would:
>
> 1) subscribe to route events via rtnl and libmnl.
> 2) get new interface address for some monitored address, also via rtnl.
> 3) iterate over the table and remove those entries with outdated IP
> address.
>
> All the infrastructure is ready, and it would not require any kernel
> upgrade. What do you think about this approach?
>
>
A similar problem exists in the following scenario:
You have two upstream isp that you are doing load balancing by having multiple
default routes:
default
nexthop via 66.xxx.xxx.xxx dev eth1 weight 1
nexthop via 205.xxx.xxx.xxx dev eth2 weight 1
On one of the external interface you have a DNAT to
an internal server on a private address. The DNAT makes
a conntrack entry that is going to in effect do a SNAT on reponses
from the internal server back out to the internet, but the load balancing
decision on routing happens before this implicit SNAT so you have packets
trying to go out an interface where the source address does not fall in the
subnet of that interface.
Why is routing decision done before the SNAT?
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
next prev parent reply other threads:[~2012-11-13 14:23 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-08 16:35 UDP packets sent with wrong source address after routing change [AV#3431] Chris Wilson
2012-11-08 17:55 ` Jan Engelhardt
2012-11-08 18:37 ` Chris Wilson
2012-11-08 20:40 ` Jan Engelhardt
2012-11-09 16:17 ` Chris Wilson
2012-11-10 14:07 ` Pablo Neira Ayuso
2012-11-10 19:13 ` Jan Engelhardt
2012-11-10 21:47 ` Jozsef Kadlecsik
2012-11-11 12:23 ` Pablo Neira Ayuso
2012-11-12 10:24 ` Chris Wilson
2012-11-12 15:05 ` Jozsef Kadlecsik
2012-11-12 15:27 ` Chris Wilson
2012-11-12 16:56 ` Jozsef Kadlecsik
2012-11-12 18:19 ` Chris Wilson
2012-11-12 19:07 ` Jozsef Kadlecsik
2012-11-12 20:56 ` Chris Wilson
2012-11-13 15:58 ` Jozsef Kadlecsik
2012-11-13 16:09 ` Chris Wilson
2012-11-13 16:19 ` Jozsef Kadlecsik
2012-11-13 17:02 ` Chris Wilson
2012-11-13 18:01 ` Jan Engelhardt
2012-11-12 19:56 ` Ed W
2012-11-12 19:34 ` Jozsef Kadlecsik
2012-11-12 22:34 ` Chris Wilson
2012-11-13 16:04 ` Jozsef Kadlecsik
2012-11-12 23:30 ` Pablo Neira Ayuso
2012-11-13 14:23 ` Stephen Clark [this message]
2012-11-13 15:25 ` Jozsef Kadlecsik
2012-11-13 18:30 ` Stephen Clark
2012-11-13 19:24 ` Jozsef Kadlecsik
2012-11-13 21:19 ` Stephen Clark
2012-11-14 8:08 ` Jozsef Kadlecsik
2012-11-14 14:14 ` Stephen Clark
2012-11-14 14:57 ` Chris Wilson
2012-11-14 20:15 ` Jozsef Kadlecsik
2012-11-15 12:33 ` Stephen Clark
2012-11-15 14:01 ` Jozsef Kadlecsik
2012-11-13 16:11 ` Jozsef Kadlecsik
2012-11-13 16:47 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50A257C8.8050700@earthlink.net \
--to=sclark46@earthlink.net \
--cc=chris-netfilter-110904@aptivate.org \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.