  1. #1 (Just Joined!, Join Date: Nov 2009, Posts: 1)

    2.6.31 iptables ignores reply pkt at interface SNAT+VLAN


    Hi, I have a somewhat complex iptables + nat + mangle + VLAN setup within my box that works perfectly with 2.6.30 and previous kernel versions. However, if I boot 2.6.31, then one of the capabilities stops working.

    Reply packets are silently ignored only at the interface doing SNAT + VLAN. The rest of the actions (iptables, nat, mangle, policy-based routing and NAT without VLAN) are working perfectly. To simplify the problem, here is the relevant setup and config:

    Code:
    ["uid 1500" wget from 99.0.0.9]
         |
    LOCALHOST(10.0.0.1)vlan400  ==== (10.0.0.2)ROUTER ==== "MyPrivate" host(99.0.0.9)
    Code:
    # register a named routing table for the private path
    # echo "100 MyPrivate" >> /etc/iproute2/rt_tables
    # connected route for the VLAN subnet (network address, not the host address, for a /24)
    # ip route add 10.0.0.0/24 dev vlan400 table MyPrivate
    # route to the private host's network via the router on the VLAN
    # ip route add 99.0.0.0/8 via 10.0.0.2 table MyPrivate
    # mark locally generated packets owned by uid 1500
    # iptables -t mangle -A OUTPUT -m owner --uid-owner 1500 -j MARK --set-mark 1500
    # marked packets consult the MyPrivate table before main
    # ip rule add fwmark 1500 table MyPrivate
    # rewrite the source address of anything leaving vlan400
    # iptables -t nat -A POSTROUTING -o vlan400 -j SNAT --to-source 10.0.0.1
    # disable reverse path filtering (only the "all" knob is cleared here)
    # echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    With this setup, all network traffic originated by user id 1500 should first consult the "MyPrivate" table; if the destination is 99.0.0.9, it is sent out through the vlan400 interface with source NAT applied.

    It starts OK: traffic goes out on "vlan400" and the remote host's reply is correct, but then it stops. My localhost is not sending the last ACK; it looks like it never sees the reply (SYN, ACK).

    Code:
    $ (running uid 1500)
    $ wget from 99.0.0.9
    :
    10.0.0.1 SYN -->
                       <-- SYN, ACK 99.0.0.9
    Just booting back into 2.6.30 makes it work perfectly again.

    I've made lots of tests, googled, etc., but couldn't find anything, only some references to some issues corrected in 2.6.31 regarding NAT and connection tracking, but none similar to mine. The iptables version is not the problem; I used 1.4.2, 1.4.3 and 1.4.5, and it always works with kernel < 2.6.31.

    Does anybody know if something important changed in 2.6.31? Any idea?

    Thanks in advance,
    Luis

  2. #2 (Just Joined!, Join Date: Dec 2009, Posts: 3)
    I am seeing the same issue with kernel 2.6.31 on openSUSE 11.2. Has anyone else seen (and hopefully resolved!) this? Thanks in advance for any help.

  3. #3 (Just Joined!, Join Date: Dec 2009, Posts: 3)

    Solved

    The issue is the /proc/sys/net/ipv4/conf/X/rp_filter file, where X is "all", "default", or an interface name. Echoing 0 into this file made everything work fine under kernel 2.6.31; echoing 1 (which is what was in rp_filter for X=default) produces the problem. Apparently the handling of this file changed in kernel 2.6.31, which caused my problem.
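An added diagnostic script, written for this thread and not posted by anyone in it, that ties the setup in post #1 to the fix in post #3. It assumes the 2.6.31 semantics described in the kernel's ip-sysctl documentation: the filter a kernel enforces on an interface is max(conf/all/rp_filter, conf/<iface>/rp_filter), so clearing only "all" (as the original setup does) leaves a VLAN interface that inherited 1 from conf/default in strict mode, and the SYN,ACK from 99.0.0.9 is dropped because the route back to it exists only in the fwmark-selected MyPrivate table. The constructed /proc-like tree, the function names and the choice of loose mode (value 2, assumed available from 2.6.31) are the example's own.

```shell
#!/bin/sh
# Added example: compute and audit the reverse-path-filter value a 2.6.31+
# kernel actually enforces per interface (assumed: max of "all" and the
# interface-specific value), then apply the narrowest fix.

# effective_rp_filter ALL IFACE -> prints max(ALL, IFACE)
effective_rp_filter() {
    a=$1
    b=$2
    if [ "$a" -gt "$b" ]; then
        echo "$a"
    else
        echo "$b"
    fi
}

# describe_rp_filter VALUE -> 0 off, 1 strict, 2 loose (loose assumed >= 2.6.31)
describe_rp_filter() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# audit_iface IFACE [CONFROOT] -> "IFACE all=A iface=I effective=E (meaning)"
# CONFROOT defaults to the real /proc tree; pass a constructed tree for testing.
audit_iface() {
    iface=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
    ifv=$(cat "$root/$iface/rp_filter" 2>/dev/null || echo 0)
    eff=$(effective_rp_filter "$all" "$ifv")
    echo "$iface all=$all iface=$ifv effective=$eff ($(describe_rp_filter "$eff"))"
}

# make_sample_tree -> constructed conf tree mirroring the original poster's
# state: distribution default of 1 everywhere, then "all" cleared to 0.
make_sample_tree() {
    dir=$(mktemp -d)
    for d in all default vlan400 eth0; do
        mkdir -p "$dir/$d"
        echo 1 > "$dir/$d/rp_filter"
    done
    echo 0 > "$dir/all/rp_filter"
    echo "$dir"
}

# relax_rp_filter IFACE [CONFROOT] -> set loose mode on just that interface,
# keeping strict filtering elsewhere (needs root against the real tree).
relax_rp_filter() {
    iface=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    echo 2 > "$root/$iface/rp_filter"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    tree=$(make_sample_tree)
    audit_iface vlan400 "$tree"     # vlan400 all=0 iface=1 effective=1 (strict)
    relax_rp_filter vlan400 "$tree"
    audit_iface vlan400 "$tree"     # vlan400 all=0 iface=2 effective=2 (loose)
    rm -rf "$tree"
fi
```

Run with RUN_DEMO=1 to see the constructed tree, or source the file and call audit_iface vlan400 against the real /proc on a 2.6.31 box. Loose mode (2) on the one interface that carries asymmetrically routed replies keeps the spoofing protection on the rest of the host, which is preferable to echoing 0 into "all" and "default". On a live system, ip route get 99.0.0.9 iif vlan400 shows the lookup the filter performs for the returning packet, and enabling log_martians on the interface makes the drops visible in the kernel log.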
