public inbox for linux-kernel@vger.kernel.org
From: Bernardo Innocenti <bernie@develer.com>
To: Bernardo Innocenti <bernie@develer.com>
Cc: Patrick McHardy <kaber@trash.net>,
	lkml <linux-kernel@vger.kernel.org>,
	netfilter-devel@lists.netfilter.org
Subject: Re: Intermittent NAT failure when multiple hosts send UDP packets
Date: Tue, 27 Sep 2005 23:00:35 +0200
Message-ID: <4339B2F3.5040206@develer.com>
In-Reply-To: <4330A51D.20009@develer.com>

Bernardo Innocenti wrote:
> Patrick McHardy wrote:
>>Bernardo Innocenti wrote:
>>
>>>It's quite hard to trigger, but after it does, packets
>>>are consistently routed with the source IP untranslated.
>>
>>Please try "echo 255 >
>>/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid"
>>and modprobe ipt_LOG to see if conntrack ignores them because
>>of invalid checksums or something.
> 
> It doesn't seem to be the case.  I only see a few occasional
> errors, probably caused by miserable hosts crawling with worms:


PROBLEM SOLVED!  I'm glad to say it's *almost* not a kernel bug,
more like a missing feature.


In my ip-up.local script, I do:

        echo "Loading NAT modules:"
        /sbin/modprobe ip_conntrack
        /sbin/modprobe ip_conntrack_ftp
        /sbin/modprobe ip_conntrack_irc
        /sbin/modprobe iptable_nat
        /sbin/modprobe ip_nat_ftp
        /sbin/modprobe ip_nat_irc

        [...several filtering and QoS rules...]

        $iptab -A POSTROUTING -t nat -o $IFNAME -j SNAT --to-source $IPLOCAL


My ip-down.local attempts to do the opposite:

        echo "Flushing all current rules:"
        $iptab -F
        $iptab -F -t nat
        echo "Clearing all chains:"
        $iptab -X
        $iptab -Z
        $iptab -X -t nat
        $iptab -Z -t nat

        echo "Removing NAT modules:"
        /sbin/rmmod ip_nat_ftp ip_nat_irc iptable_nat ip_conntrack ip_conntrack_ftp ip_conntrack_irc


Note the order of the modules in the last line: ip_conntrack cannot
be unloaded because it's still being used by ip_conntrack_ftp and
ip_conntrack_irc.

So, whenever the PPP link goes down, ip_conntrack remains loaded with
all connections still being tracked until the timer expires!

If ppp0 goes up again soon enough, the script reloads the ip_nat modules,
but the existing connections are no longer being translated.

Would it be possible to do something at module initialization time
to recover those connections?  Meanwhile, I've fixed my rmmod to make
sure ip_conntrack really gets unloaded.

-- 
  // Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/  http://www.develer.com/
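The failure mode described in this mail (helpers listed after ip_conntrack, so rmmod leaves ip_conntrack and its tracked connections behind) can be avoided by unloading in reverse load order and checking that the base module is really gone. The following is an added example, not the script from the mail: the module names are the 2.6-era ones quoted above, the lsmod output is a constructed sample, and the function names (unload_order, use_count, unload_nat_modules) are hypothetical.

```shell
#!/bin/sh
# Added example: unload the NAT/conntrack modules in dependency order and
# verify that ip_conntrack is really unloaded, so stale, no longer
# translated connection state cannot survive a PPP link flap.

# Load order used in ip-up.local: base modules first, helpers after.
NAT_MODULES="ip_conntrack ip_conntrack_ftp ip_conntrack_irc iptable_nat ip_nat_ftp ip_nat_irc"

# Constructed lsmod output (same layout as real lsmod: name, size, use
# count, users) showing ip_conntrack pinned by three other modules.
SAMPLE_LSMOD="Module                  Size  Used by
ip_nat_ftp              4096  0
ip_conntrack_ftp        7168  1 ip_nat_ftp
ip_conntrack_irc        5120  0
ip_conntrack           40960  3 ip_conntrack_ftp,ip_conntrack_irc,ip_nat_ftp"

# Print the modules in reverse load order. A module can only be removed
# once every module using it is gone, so the helpers must go first and
# ip_conntrack last; the original rmmod line had ip_conntrack in the middle.
unload_order() {
    order=""
    for m in $1; do
        order="$m $order"
    done
    printf '%s\n' "${order% }"
}

# Given lsmod-style output ($1), print the use count of module $2,
# or -1 if the module is not loaded at all.
use_count() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        $1 == mod { print $3; found = 1 }
        END { if (!found) print -1 }'
}

# For ip-down.local: unload in dependency order, then fail loudly if
# ip_conntrack is still present instead of silently carrying on.
unload_nat_modules() {
    for m in $(unload_order "$NAT_MODULES"); do
        /sbin/rmmod "$m" || return 1
    done
    count=$(use_count "$(lsmod)" ip_conntrack)
    [ "$count" -eq -1 ] || {
        echo "ip_conntrack still loaded (use count $count)" >&2
        return 1
    }
}
```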


Thread overview: 6+ messages
2005-09-17  3:01 Intermittent NAT failure when multiple hosts send UDP packets Bernardo Innocenti
2005-09-18  2:40 ` Bernardo Innocenti
2005-09-20 19:35   ` Bernardo Innocenti
2005-09-20 21:15     ` Patrick McHardy
2005-09-21  0:11       ` Bernardo Innocenti
2005-09-27 21:00         ` Bernardo Innocenti [this message]