From: Bernardo Innocenti <bernie@develer.com>
To: Bernardo Innocenti <bernie@develer.com>
Cc: lkml <linux-kernel@vger.kernel.org>, netfilter-devel@lists.netfilter.org
Subject: Re: Intermittent NAT failure when multiple hosts send UDP packets
Date: Tue, 20 Sep 2005 21:35:32 +0200
Message-ID: <43306484.2060103@develer.com>
In-Reply-To: <432CD386.201@develer.com>
I'm sorry to say that this bug has shown up again on
2.6.13 too, so it's not fixed at all.
It's quite hard to trigger, but after it does, packets
are consistently routed with the source IP untranslated.
Bernardo Innocenti wrote:
> Never mind, it was fixed in 2.6.13, probably by this patch:
>
> https://lists.netfilter.org/pipermail/netfilter-devel/2004-March/014412.html
>
>
> Bernardo Innocenti wrote:
>
>>This smells like a bug in UDP ip_nat_proto_udp.c or nearby.
>>I'm seeing this on 2.6.12-1.1447_FC4, but code in 2.6.13 is
>>still the same.
>>
>>I've set up SNAT the usual way:
>>
>> iptables -A POSTROUTING -t nat -o ppp0 -j SNAT --to-source 151.38.19.110
>>
>>When multiple clients in the LAN send UDP packets to the same port of
>>the same remote host, I see something like this in my /proc/net/ip_conntrack:
>>
>> udp 17 170 src=10.3.3.2 dst=194.185.88.60 sport=5060 dport=5060 src=194.185.88.60 dst=151.38.19.110 sport=5060 dport=5060 [ASSURED] use=1
>> udp 17 29 src=10.3.3.2 dst=212.97.59.76 sport=5060 dport=5060 [UNREPLIED] src=212.97.59.76 dst=151.38.19.110 sport=5060 dport=5060 use=1
>> udp 17 177 src=10.3.3.250 dst=194.185.88.60 sport=5060 dport=5060 src=194.185.88.60 dst=151.38.19.110 sport=5060 dport=1024 [ASSURED] use=1
>>
>>In the last line, the destination port has been properly remapped from
>>5060 to 1024 to distinguish between incoming packets.
>>
>>However, I see packets going out over ppp0 without the source
>>address properly rewritten to 151.38.19.110:
>>
>> 04:38:28.739514 IP 10.3.3.2.5060 > 194.185.88.60.5060: UDP, length 536
>>
>>This doesn't happen when there's just a single host sending to port 5060.
>>Sometimes I must restart the interface to trigger this bug.
>
>
--
// Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/ http://www.develer.com/
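As an added example (not part of the mail thread above or of the netfilter code), the following Python parses `/proc/net/ip_conntrack` lines of the shape quoted in the report and checks the two properties the report is about: that no two connections share the same reply tuple (which is why the SNAT'd source port for the second LAN host must be remapped), and that a packet captured on the external interface actually carries the SNAT address rather than a LAN address. The SNAT address and the sample lines are taken from the mail; the colliding sample is constructed.

```python
import re
import ipaddress

SNAT_ADDR = "151.38.19.110"   # from the iptables rule quoted in the mail

# Sample copied in shape from the ip_conntrack output quoted in the report.
CONNTRACK_OK = """\
udp 17 170 src=10.3.3.2 dst=194.185.88.60 sport=5060 dport=5060 src=194.185.88.60 dst=151.38.19.110 sport=5060 dport=5060 [ASSURED] use=1
udp 17 29 src=10.3.3.2 dst=212.97.59.76 sport=5060 dport=5060 [UNREPLIED] src=212.97.59.76 dst=151.38.19.110 sport=5060 dport=5060 use=1
udp 17 177 src=10.3.3.250 dst=194.185.88.60 sport=5060 dport=5060 src=194.185.88.60 dst=151.38.19.110 sport=5060 dport=1024 [ASSURED] use=1
"""

# Constructed sample: the second host was NOT given a distinct reply port,
# so both entries have an identical reply tuple.
CONNTRACK_BAD = """\
udp 17 170 src=10.3.3.2 dst=194.185.88.60 sport=5060 dport=5060 src=194.185.88.60 dst=151.38.19.110 sport=5060 dport=5060 [ASSURED] use=1
udp 17 177 src=10.3.3.250 dst=194.185.88.60 sport=5060 dport=5060 src=194.185.88.60 dst=151.38.19.110 sport=5060 dport=5060 [ASSURED] use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_conntrack(text):
    """Return a list of (orig, reply) pairs; each is (src, dst, sport, dport).
    Flags such as [UNREPLIED] may sit between the two tuples and are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("udp"):
            continue
        tuples = TUPLE_RE.findall(line)
        if len(tuples) == 2:
            entries.append((tuples[0], tuples[1]))
    return entries

def reply_tuple_collisions(entries):
    """Map each duplicated reply tuple to the original tuples that share it.
    Two connections with one reply tuple cannot be told apart by conntrack."""
    seen = {}
    for orig, reply in entries:
        seen.setdefault(reply, []).append(orig)
    return {reply: origs for reply, origs in seen.items() if len(origs) > 1}

def untranslated_egress(tcpdump_line, snat_addr=SNAT_ADDR):
    """True when a tcpdump line from the external interface still shows a
    private (RFC 1918) source address, i.e. SNAT was not applied."""
    m = re.search(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > ", tcpdump_line)
    if not m:
        return False
    src = ipaddress.ip_address(m.group(1))
    return src.is_private and str(src) != snat_addr
```

Run it against a live `/proc/net/ip_conntrack` (or `conntrack -L` output with the same field names) and a tcpdump capture on the NAT interface to confirm whether the untranslated packets coincide with a reply-tuple collision.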