SNAT round-robin broken?
khoa.coffee at gmail.com
Wed Feb 15 22:47:27 CET 2006
On 2/13/06, KOVACS Krisztian <hidden at sch.bme.hu> wrote:
> > Before 2.6.11 kernel, the SNAT box was mapping every new socket from
> > the Client to a new source IP address. With this, I was able to
> > simulate several thousands "virtual" clients. Now with the new
> > behaviour, every socket from the Client to the Server is mapped to the
> > same random but fixed source IP address.
> > ... Is there any way I can achieve the previous behaviour without modifying the kernel
> > source code :-( or downgrading to a pre-2.6.11 kernel?
> I see. Well, I don't think this is possible without modifying the kernel.
> About the kernel: take a look at
> find_best_ips_proto() in ip_nat_core.c. At the end of the function
> there's a jhash_2words() call, this is responsible for choosing an IP
> inside the address range specified. You could easily modify it to produce
> a hash value based on the (src, src port, dst) tuple instead of just
> (src, dst).
> KOVACS Krisztian
Thanks for your suggestion. I modified the kernel source with
jhash_3words(src, port, dst) and now my SNAT box is snat'in per
socket. Very cool!
More information about the netfilter
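To make the difference concrete, here is an added user-space example (not code from this thread and not netfilter's own source) that mirrors the address-selection step at the end of find_best_ips_proto() and contrasts the stock (src, dst) hash with the (src, sport, dst) variant discussed above. It assumes that the kernel's jhash of that era is the Bob Jenkins lookup2 mix reproduced below and that the selected address is computed as minip + hash % (range size); the SNAT range, client and server addresses are constructed sample values, and addresses are handled in host byte order for readability (the kernel hashes them in network order, which does not change the property shown).

```c
#include <stdint.h>
#include <stdio.h>

/* User-space re-implementation of the Linux jhash of the 2.6.11 era
 * (include/linux/jhash.h, Bob Jenkins' lookup2 mix). Assumption: the
 * constants match the kernel's; it is inlined here so the example runs
 * without kernel headers. */
#define JHASH_GOLDEN_RATIO 0x9e3779b9u

#define JHASH_MIX(a, b, c) do {         \
    a -= b; a -= c; a ^= (c >> 13);     \
    b -= c; b -= a; b ^= (a << 8);      \
    c -= a; c -= b; c ^= (b >> 13);     \
    a -= b; a -= c; a ^= (c >> 12);     \
    b -= c; b -= a; b ^= (a << 16);     \
    c -= a; c -= b; c ^= (b >> 5);      \
    a -= b; a -= c; a ^= (c >> 3);      \
    b -= c; b -= a; b ^= (a << 10);     \
    c -= a; c -= b; c ^= (b >> 15);     \
} while (0)

static uint32_t jhash_3words(uint32_t a, uint32_t b, uint32_t c, uint32_t initval)
{
    a += JHASH_GOLDEN_RATIO;
    b += JHASH_GOLDEN_RATIO;
    c += initval;
    JHASH_MIX(a, b, c);
    return c;
}

static uint32_t jhash_2words(uint32_t a, uint32_t b, uint32_t initval)
{
    return jhash_3words(a, b, 0, initval);
}

/* Mirror (assumed form) of the IP-selection step in find_best_ips_proto():
 * hash the tuple, then reduce it modulo the size of the SNAT range.
 *   per_socket == 0 : stock 2.6.11 behaviour, hash over (src, dst)
 *   per_socket != 0 : the modification from the thread, (src, sport, dst)
 * Addresses are host-order uint32 here; the kernel hashes them in
 * network order, which does not change the property demonstrated. */
static uint32_t pick_snat_ip(uint32_t minip, uint32_t maxip,
                             uint32_t src, uint32_t dst, uint16_t sport,
                             int per_socket)
{
    uint32_t j = per_socket ? jhash_3words(src, sport, dst, 0)
                            : jhash_2words(src, dst, 0);
    return minip + j % (maxip - minip + 1);
}

/* How many distinct mapped source IPs does one client get when it opens
 * nports consecutive sockets (source ports base .. base+nports-1)? */
static int count_distinct_ips(uint32_t minip, uint32_t maxip,
                              uint32_t src, uint32_t dst,
                              uint16_t base, int nports, int per_socket)
{
    uint32_t seen[256];
    int n = 0;
    for (int p = 0; p < nports && p < 256; p++) {
        uint32_t ip = pick_snat_ip(minip, maxip, src, dst,
                                   (uint16_t)(base + p), per_socket);
        int dup = 0;
        for (int i = 0; i < n; i++)
            if (seen[i] == ip) { dup = 1; break; }
        if (!dup)
            seen[n++] = ip;
    }
    return n;
}

static void print_ip(uint32_t ip)
{
    printf("%u.%u.%u.%u", ip >> 24, (ip >> 16) & 255u, (ip >> 8) & 255u, ip & 255u);
}

int main(void)
{
    /* Constructed sample: SNAT --to 10.0.0.1-10.0.0.100, one client
     * 192.168.1.10 talking to 203.0.113.5 from consecutive ephemeral ports. */
    const uint32_t minip = 0x0A000001u, maxip = 0x0A000064u;
    const uint32_t src = 0xC0A8010Au, dst = 0xCB007105u;

    for (int mode = 0; mode < 2; mode++) {
        printf("%s:\n", mode ? "per-socket (src, sport, dst)" : "stock 2.6.11 (src, dst)");
        for (uint16_t p = 32768; p < 32768 + 16; p++) {
            printf("  sport %u -> ", p);
            print_ip(pick_snat_ip(minip, maxip, src, dst, p, mode));
            printf("\n");
        }
        printf("  distinct IPs over 64 sockets: %d\n",
               count_distinct_ips(minip, maxip, src, dst, 32768, 64, mode));
    }
    return 0;
}
```

With the two-word hash every socket from the same client to the same server lands on one address in the range, which is the "random but fixed" behaviour the original poster observed; adding the source port to the hash spreads consecutive sockets across the range, at the cost of the per-client address consistency the 2.6.11 change was introduced to provide.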