Re: [BUG] SNAT sometimes allows packets to pass through unchanged

[Patrick McHardy]

Alan Stern wrote:
> On Mon, 16 Feb 2009, Patrick McHardy wrote:
>
> > > I tried adding a rule to log these unaccounted-for packets.  Nothing 
> > > showed up, even when I could see the packets being sent.
> > Where (table/chain/position) did you add this rule?
>
> In the first position of the POSTROUTING chain in the nat table.  I
> don't remember exactly what rules I used, but at one point I tried
> something very much like this:
>
> iptables -t nat -I POSTROUTING 1 -s 10.0.0.0/8 -p tcp ! --syn
>
> The counter for this rule remained at 0 even after packets with private 
> source addresses were sent through the public interface.

The NAT table only sees the first packet of every connection
and never INVALID packets. The mangle table should work fine.

You can also enable conntrack-internal logging of invalid packets:

echo 255 >/proc/sys/net/netfilter/nf_conntrack_log_invalid

> > Sorry, there were quite a few patches and I don't remember which
> > ones exactly are related.
>
> I tried using 2 6.27 kernel but the problem remained.  Building a later 
> version won't be easy because of the need to create the proper config.  
> Can you remember in which version these bugs got fixed?

Sorry, no.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/