From: Whit Blauvelt <whit@transpect.com>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: netfilter@vger.kernel.org
Subject: Re: Why does ipv6 enabled interfere with ipv4 SNAT?
Date: Mon, 24 Mar 2008 23:57:54 -0400
Message-ID: <20080325035754.GA16404@transpect.com>
In-Reply-To: <alpine.LNX.1.10.0803250354390.9368@fbirervta.pbzchgretzou.qr>

On Tue, Mar 25, 2008 at 03:57:49AM +0100, Jan Engelhardt wrote:
> How does it break? Do the counters increase in the nat table at all?
> Do the chain and/or rule counters increase if you add the same rule
> without action? (I.e.:
>
> -t nat -A POSTROUTING -o eth4 -m whatever
> -t nat -A POSTROUTING -o eth4 -m whatever -j SNAT --to xyz

No, the counters don't increase. Again, ipv4 Netfilter SNAT does not work if
ipv6 is enabled on the system. It works perfectly if ipv6 is disabled - no
other changes. Do you have any theory about that, at all? It may well be
downstream of the failure to handle /proc assignments correctly for > 4 NICs
on the ipv6 side - understandably most people aren't network admins on my
level running boxes with > 4 NICs so that wouldn't bite that often. That
wouldn't make it not a bug, though.

>> It is a stock kernel, if by that you mean a stock distro kernel -
>> Ubuntu's latest, 2.6.22-14-server.
> Stock vanilla kernel.org kernel.

Why would I want to do that? If you read my original post closely, I have no
need for ipv6. It's fine with me to run without it - which works perfectly.
But what I want to do is understand where the fine bug is ... perhaps to
report it to those responsible. Now, it looks pretty obviously like there's
a serious bug in Netfilter here, because how else could anything about the
state of the ipv6 configuration affect the success of ipv4 Netfilter SNAT?
Now, if you can explain, theoretically, why I'm wrong about that, why the
state of the ipv6 configuration should be critical to ipv4 Netfilter SNAT
operation, I'm quite curious. But if you have no idea why the ipv4 Netfilter
SNAT rule fails if-and-only-if ipv6 operation is also enabled on the system,
then please let's see if someone who knows the innards of this stuff better
than either of us can help illuminate the puzzle.

Whit