Re: Intermittent NAT failure when multiple hosts send UDP packets

From: Bernardo Innocenti
Date: Tue Sep 27 2005 - 16:01:39 EST

Next message: Erik Mouw: "Re: Strange disk corruption with Linux >= 2.6.13"
Previous message: Joel Schopp: "Re: [Lhms-devel] Re: [PATCH 1/9] add defrag flags"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Bernardo Innocenti wrote:
> Patrick McHardy wrote:
>>Bernardo Innocenti wrote:
>>
>>>It's quite hard to trigger, but after it does, packets
>>>are consistently routed with the source IP untranslated.
>>
>>Please try "echo 255 >
>>/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid"
>>and modprobe ipt_LOG to see if conntrack ignores them because
>>of invalid checksums or something.
>
> It doesn't seem to be the case. I only see a few occasional
> errors, probably caused by miserable hosts crawling with worms:

PROBLEM SOLVED! I'm glad to say It's *almost* not a kernel bug,
more like a missing feature.

In my ip-up.local script, I do:

echo "Loading NAT modules:"
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

[...several filtering and QoS rules...]

$iptab -A POSTROUTING -t nat -o $IFNAME -j SNAT --to-source $IPLOCAL

My ip-down.local attempts to do the opposite:

echo "Flushing all current rules:"
$iptab -F
$iptab -F -t nat
echo "Clearing all chains:"
$iptab -X
$iptab -Z
$iptab -X -t nat
$iptab -Z -t nat

echo "Removing NAT modules:"
/sbin/rmmod ip_nat_ftp ip_nat_irc iptable_nat ip_conntrack ip_conntrack_ftp ip_conntrack_irc

Note the order of the modules in the last line: ip_conntrack cannot
be unloaded because it's still being used by ip_conntrack_ftp and
ip_conntrack_irc.

So, whenever the PPP link goes down, ip_conntrack remains loaded with
all connections still being tracked until the timer expires!

If ppp0 goes up again soon enough, the script reloads the ip_nat modules,
but the existing connections are no longer being translated.

Would it be possible to do something at module initialization time
to recover those connections? Meanwhile, I've fixed my rmmod to make
sure ip_conntrack really gets unloaded.

--
// Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/ http://www.develer.com/

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Erik Mouw: "Re: Strange disk corruption with Linux >= 2.6.13"
Previous message: Joel Schopp: "Re: [Lhms-devel] Re: [PATCH 1/9] add defrag flags"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]