[Bug 473] New: 2.6.16.x translates addresses of RELATED packets incorrectly
bugzilla-daemon at bugzilla.netfilter.org
Thu May 11 16:00:42 CEST 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=473
Summary: 2.6.16.x translates addresses of RELATED packets incorrectly
Product: netfilter/iptables
Version: linux-2.6.x
Platform: i386
OS/Version: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P2
Component: NAT
AssignedTo: laforge at netfilter.org
ReportedBy: tomasz.lemiech at matrix.pl
Consider the following simple scenario (all subnets are /24):
host1    <------>  router/firewall          <------>  host2
10.0.0.1           10.0.0.2/192.168.91.222            192.168.91.202
Both host1 and host2 have default routes via the router box. Let's do some pure
routing (i.e. no netfilter rules):
host1:~# tcptraceroute 192.168.91.202 223
Tracing the path to 192.168.91.202 on TCP port 223, 30 hops max
1 10.0.0.2 0.404 ms 0.166 ms 0.141 ms
2 192.168.91.202 [closed] 0.436 ms 0.376 ms 0.322 ms
Now let's add some NAT on router/fw:
root@router:~# iptables -t nat -A PREROUTING -p tcp -d 192.168.91.202 --dport 223 -j DNAT --to-destination 192.168.91.202:224
The traceroute output is quite different now:
host1:~# tcptraceroute 192.168.91.202 223
Selected device eth1, address 10.0.0.1, port 51146 for outgoing packets
Tracing the path to 192.168.91.202 on TCP port 223, 30 hops max
1 192.168.91.202 0.416 ms 0.161 ms 0.140 ms
2 192.168.91.202 [closed] 0.423 ms 0.340 ms 0.331 ms
Indeed, ICMP packets generated by the router got their source address translated to
the address of host2 - tcpdumping on host1 gives:
14:21:40.188036 IP (tos 0x0, ttl 1, id 11043, offset 0, flags [none], length: 40) 10.0.0.1.47825 > 192.168.91.202.223: S [tcp sum ok] 1355768057:1355768057(0) win 0
14:21:40.188258 IP (tos 0xc0, ttl 64, id 28403, offset 0, flags [none], length: 68) 192.168.91.202 > 10.0.0.1: icmp 48: time exceeded in-transit
14:21:40.189829 IP (tos 0x0, ttl 2, id 60378, offset 0, flags [none], length: 40) 10.0.0.1.47825 > 192.168.91.202.223: S [tcp sum ok] 1355768057:1355768057(0) win 0
14:21:40.190233 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], length: 40) 192.168.91.202.223 > 10.0.0.1.47825: R [tcp sum ok] 0:0(0) ack 1355768058 win 0
This is fully reproducible on vanilla 2.6.16.14. I also checked 2.6.15.4 and
2.6.14.3 - they work as expected (i.e. tcptraceroute output is the same in both
cases).
Kernel config files are available at http://szpajder.w.staszic.waw.pl/netfilter/
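The following is an added example, not code from the bug report or from the netfilter project. It parses the tcpdump lines quoted above and rebuilds the traceroute view (probe TTL, answering address), then flags every ICMP time-exceeded error whose source address equals the probe's own destination, which is the symptom reported here: a TTL-expired error is generated before the packet reaches its destination, so that source address can only be the result of a rewrite on the path. The function names hops() and translated_error_sources() are the example's own; the second capture, EXPECTED_CAPTURE, is constructed to show the behaviour the reporter expects, with the error sourced from the router's 10.0.0.2 interface as in the no-NAT tcptraceroute.

```python
"""Added example (not the report's or netfilter's code): detect DNAT-rewritten
ICMP errors in a tcpdump -v capture of a tcptraceroute run."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The four tcpdump lines from the report, re-joined onto one line each.
BUGGY_CAPTURE = """\
14:21:40.188036 IP (tos 0x0, ttl 1, id 11043, offset 0, flags [none], length: 40) 10.0.0.1.47825 > 192.168.91.202.223: S [tcp sum ok] 1355768057:1355768057(0) win 0
14:21:40.188258 IP (tos 0xc0, ttl 64, id 28403, offset 0, flags [none], length: 68) 192.168.91.202 > 10.0.0.1: icmp 48: time exceeded in-transit
14:21:40.189829 IP (tos 0x0, ttl 2, id 60378, offset 0, flags [none], length: 40) 10.0.0.1.47825 > 192.168.91.202.223: S [tcp sum ok] 1355768057:1355768057(0) win 0
14:21:40.190233 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], length: 40) 192.168.91.202.223 > 10.0.0.1.47825: R [tcp sum ok] 0:0(0) ack 1355768058 win 0
"""

# Constructed capture of the expected behaviour: the time-exceeded error comes
# from the router's host1-facing address 10.0.0.2 (hop 1 of the no-NAT run),
# not from host2. Only the ICMP line's source address differs.
EXPECTED_CAPTURE = BUGGY_CAPTURE.replace(
    "68) 192.168.91.202 > 10.0.0.1:", "68) 10.0.0.2 > 10.0.0.1:")

# Matches the 'tcpdump -v' line layout quoted in the report.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl (?P<ttl>\d+), .*?\) "
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<info>.*)$"
)


@dataclass
class Packet:
    ttl: int
    proto: str     # "tcp" or "icmp"
    src_ip: str
    dst_ip: str
    info: str      # protocol-specific remainder of the line


def _strip_port(addr: str, has_port: bool) -> str:
    # tcpdump prints TCP endpoints as a.b.c.d.port; ICMP endpoints carry no port.
    return addr.rsplit(".", 1)[0] if has_port else addr


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    info = m.group("info")
    proto = "icmp" if info.startswith("icmp") else "tcp"
    has_port = proto == "tcp"
    return Packet(int(m.group("ttl")), proto,
                  _strip_port(m.group("src"), has_port),
                  _strip_port(m.group("dst"), has_port), info)


def _is_probe(pkt: Packet) -> bool:
    # tcptraceroute probes are bare SYNs sent with an increasing TTL.
    return pkt.proto == "tcp" and pkt.info.startswith("S ")


def _answers(pkt: Packet, probe: Packet) -> bool:
    # A probe is closed either by an ICMP error from an intermediate hop or by
    # a TCP reply (RST or SYN/ACK) from the destination itself.
    if pkt.proto == "icmp":
        return "time exceeded" in pkt.info and pkt.dst_ip == probe.src_ip
    return pkt.src_ip == probe.dst_ip and pkt.dst_ip == probe.src_ip


def hops(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Rebuild the traceroute view as (probe TTL, address that answered)."""
    result, pending = [], None
    for pkt in filter(None, map(parse_line, lines)):
        if _is_probe(pkt):
            pending = pkt
        elif pending is not None and _answers(pkt, pending):
            result.append((pending.ttl, pkt.src_ip))
            pending = None
    return result


def translated_error_sources(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (probe TTL, ICMP source) for each time-exceeded error that claims
    to come from the probe's own destination. Such an error is generated by an
    intermediate hop, so this source address means the RELATED ICMP packet had
    its source rewritten on the way back."""
    findings, pending = [], None
    for pkt in filter(None, map(parse_line, lines)):
        if _is_probe(pkt):
            pending = pkt
        elif (pending is not None and pkt.proto == "icmp"
              and "time exceeded" in pkt.info and pkt.src_ip == pending.dst_ip):
            findings.append((pending.ttl, pkt.src_ip))
    return findings


if __name__ == "__main__":
    for name, cap in (("buggy", BUGGY_CAPTURE), ("expected", EXPECTED_CAPTURE)):
        lines = cap.splitlines()
        print(name, hops(lines), translated_error_sources(lines))
```

On the report's capture, hops() yields 192.168.91.202 for both TTL 1 and TTL 2, matching the second tcptraceroute output, and translated_error_sources() reports the TTL-1 error; on the constructed expected capture the first hop is 10.0.0.2 and nothing is flagged. The same check can be run over a longer capture to spot a DNAT rule rewriting the source of RELATED ICMP errors without having to eyeball traceroute output.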