SNAT round-robin broken?
KOVACS Krisztian
hidden at sch.bme.hu
Mon Feb 13 22:30:45 CET 2006
Hi,
On Monday 13 February 2006 22:01, Khoa Nguyen wrote:
> Before 2.6.11 kernel, the SNAT box was mapping every new socket from
> the Client to a new source IP address. With this, I was able to
> simulate several thousands "virtual" clients. Now with the new
> behaviour, every socket from the Client to the Server is mapped to the
> same random but fixed source IP address. I am sure the new NAT
> implementation is better and cleaner than the old one, but it also
> takes away a nice round-robin feature per socket. Is there any way I
> can achieve the previous behaviour without modifying the kernel source
> code :-( or downgrading to a pre-2.6.11 kernel? (I am writing some
> ip_conntrack/ip_nat modules based on the new 2.6.11+ API, so
> downgrading the kernel is going to be painful)
I see. Well, I don't think this is possible without modifying the kernel
source. However, you could try either modifying the client to use
different IP addresses (by configuring a few thousand IP addresses to the
client and having the client bind() to different IP addresses), or
modifying the kernel to do what you'd like.
I think both of these should be relatively easy (in case you have access
to the client source code). About the kernel: take a look at
find_best_ips_proto() in ip_nat_core.c. At the end of the function
there's a jhash_2words() call, this is responsible for choosing an IP
inside the address range specified. You could easily modify it to produce
a hash value based on the (src, src port, dst) tuple instead of just
(src, dst).
--
KOVACS Krisztian
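The two options in the reply (binding the client to many local addresses, or hashing the source port into the address choice) can both be modelled outside the kernel. The following is an added example, not code from the thread or from netfilter: `pick_snat_ip()` models how an address is chosen inside a SNAT range from a hashed key, using a truncated SHA-256 as a stand-in for the kernel's jhash_2words() (assumption: only the spreading behaviour matters here, not the exact hash values), `mapped_addresses()` compares the (src, dst) key with the (src, src port, dst) key the reply proposes, and `connect_from()` shows the client-side alternative of bind()ing to a chosen local address before connect(). All addresses and ports are constructed sample values.

```python
import hashlib
import ipaddress
import itertools
import socket
from typing import Iterable, Iterator, Set, Tuple


def pick_snat_ip(range_start: str, range_end: str, key: Tuple[str, ...]) -> str:
    """Model of 'hash the key, take it modulo the range size, add the offset'.

    The kernel does this with jhash_2words(); a truncated SHA-256 stands in
    here (assumption) so the example runs anywhere without kernel code.
    """
    start = int(ipaddress.IPv4Address(range_start))
    end = int(ipaddress.IPv4Address(range_end))
    if end < start:
        raise ValueError("range_end must not be below range_start")
    size = end - start + 1
    digest = hashlib.sha256("|".join(key).encode()).digest()
    h = int.from_bytes(digest[:4], "big")          # 32-bit value, like jhash
    return str(ipaddress.IPv4Address(start + h % size))


def mapped_addresses(range_start: str, range_end: str, src: str, dst: str,
                     sports: Iterable[int], include_sport: bool) -> Set[str]:
    """Addresses one client ends up with when it opens a socket per source port.

    include_sport=False models the (src, dst) key: every socket maps to the
    same address.  include_sport=True models the (src, src port, dst) key
    suggested in the reply: sockets spread across the range.
    """
    chosen: Set[str] = set()
    for sport in sports:
        key = (src, str(sport), dst) if include_sport else (src, dst)
        chosen.add(pick_snat_ip(range_start, range_end, key))
    return chosen


def source_ip_cycle(addresses: Iterable[str]) -> Iterator[str]:
    """Round-robin over local addresses configured on the client host."""
    return itertools.cycle(list(addresses))


def connect_from(source_ip: str, dst: Tuple[str, int],
                 timeout: float = 5.0) -> socket.socket:
    """Client-side alternative: bind() to a specific local address, then connect().

    source_ip must already be configured on an interface of this host; port 0
    lets the kernel pick an ephemeral source port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    s.bind((source_ip, 0))
    s.connect(dst)
    return s


if __name__ == "__main__":
    # Constructed sample values: a /24 of SNAT addresses, one client, one server.
    ports = range(1024, 1100)
    same = mapped_addresses("10.0.0.1", "10.0.0.254", "192.168.1.10",
                            "203.0.113.5", ports, include_sport=False)
    spread = mapped_addresses("10.0.0.1", "10.0.0.254", "192.168.1.10",
                              "203.0.113.5", ports, include_sport=True)
    print("(src, dst) key      ->", len(same), "address(es)")
    print("(src, sport, dst) key ->", len(spread), "address(es)")
    # Client-side variant: cycle through locally configured addresses.
    cycle = source_ip_cycle(["192.168.1.10", "192.168.1.11", "192.168.1.12"])
    print("next three source IPs:", [next(cycle) for _ in range(3)])
```

`connect_from()` is not exercised in the self-test because it needs the chosen address configured locally and a reachable peer; the hashing model is what can be checked offline.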