Due to Connection Tracking multiple DNAT rules for GRE packets do not get hit

Due to Connection Tracking multiple DNAT rules for GRE packets do not get hit

[Karan]

Hi,

I am trying to do simple round robin load balancing of GRE packets
using iptables 'statistic' extension. I have multiple rules in
sequence that DNAT the packets to specific IPs. But the problem is as
soon as first GRE packet is received and DNATted, connection tracking
makes an entry for it and all the subsequent GRE packets get DNATted
to the same IP. What's more surprising is that, if I see the counters
of the DNAT rule entry, its value stays at one. This implies that all
subsequent packets are getting DNATted because of connection tracking
and not because of DNAT rule. I confirmed this by deleting all the
DNAT rules and surprised to see that packets were still getting
DNATted until I flush the GRE connection from connection tracking.

Here are the details of how I want to achieve load balancing but due
to Connection Tracking I am unable to achieve the same.

iptables -t nat -A PREROUTING -m statitstic -p GRE -d 172.16.96.173
--mode nth --every 2 --packet 0 -j DNAT --to 15.0.0.2

iptables -t nat -A PREROUTING -m statitstic -p GRE -d 172.16.96.173
--mode nth --every 1 --packet 0 -j DNAT --to 15.0.0.3

'172.16.96.173 is the GRE tunnel endpoint which I intend to load balance.'

My intentions are to DNAT GRE packets in a round robin fashion between
15.0.0.2 and 15.0.0.3. I believe my logic is fine but the way DNATted
GRE packets are tracked by netfilter connection tracking it is not
working. What I have understood so far is that, unlike TCP where
source port gets changed frequenlty, all the GRE packets hitting my
router have same source and destination IP and 'GRE key', connection
tracking treats them as packets of same connection. If I keep on
flushing DNAT GRE connecton using conntrack command line, the things
seem to work, BUT is it the only possible SOLUTION ? Please SUGGEST
what am i MISSING and how I can ACHIEVE my goals. I can provide
further details of my setup if needed.


Thanks
Karan Pugla

Re: Due to Connection Tracking multiple DNAT rules for GRE packets do not get hit

[Pascal Hambourg]

Hello,

Karan a écrit :
> 
> I am trying to do simple round robin load balancing of GRE packets
> using iptables 'statistic' extension. I have multiple rules in
> sequence that DNAT the packets to specific IPs. But the problem is as
> soon as first GRE packet is received and DNATted, connection tracking
> makes an entry for it and all the subsequent GRE packets get DNATted
> to the same IP. What's more surprising is that, if I see the counters
> of the DNAT rule entry, its value stays at one. This implies that all
> subsequent packets are getting DNATted because of connection tracking
> and not because of DNAT rule.

Nothing surprising here. This is how stateful NAT are expected to work.
The purpose it to apply the same NAT mapping to all packets belonging to
the same connection. And the GRE connection tracking considers that
packets with the same source and destination address and GRE key belong
to the same connection because this is what is expected most of the times.

> My intentions are to DNAT GRE packets in a round robin fashion between
> 15.0.0.2 and 15.0.0.3.

I'm curious, what do you want to forward packets belonging to the same
GRE connection to different hosts ?

> If I keep on
> flushing DNAT GRE connecton using conntrack command line, the things
> seem to work, BUT is it the only possible SOLUTION ?

This is an awfully ugly hack.

> Please SUGGEST what am i MISSING

See above.

> and how I can ACHIEVE my goals.

You may use packet marking and advanced routing to do the forwarding.
Assuming that 15.0.0.2 and 15.0.0.3 are connected directly to the
forwarding host :

iptables -t nat -A PREROUTING -p GRE -d 172.16.96.173 \
-m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 2

iptables -t nat -A PREROUTING -p GRE -d 172.16.96.173 \
-m statistic --mode nth --every 1 --packet 0 -j MARK --set-mark 3
# note : statistic not needed here

ip rule add fwmark 2 table 102
ip rule add fwmark 3 table 103

ip route add default via 15.0.0.2 table 102
ip route add default via 15.0.0.3 table 103

On 15.0.0.2 and 15.0.0.3, you add a DNAT or REDIRECT rule :

iptables -t nat -A PREROUTING -p GRE -d 172.16.96.173 -j REDIRECT