DNAT problem

Pascal Hambourg pascal.mail at plouf.fr.eu.org
Mon Oct 2 15:14:41 CEST 2006


Stefan Friedel wrote:
> 
>>OK, SNAT and DNAT do not support multiple --to any more in kernels above 
>>2.6.10. But it is unclear to me whether they still support one IP 
>>address *range* (with round robin) or only one single IP address.
> 
> The range is still accepted as an option for iptables 1.3.6, but it has no effect
> with 2.6.17.3 (so I assume that it is indeed the "NAT+round robin" capability
> which has gone in Kernels > 2.6.10/11). It doesn't matter if I use the SAME or
> the DNAT target in PREROUTING -

One question: did you test this from only one single source IP address 
or from several source IP addresses? SAME is designed to always give 
the same mapping to a given source address, and it seems that DNAT/SNAT 
do the same in kernels >= 2.6.11.

I remember reading something about this in the kernel 2.6.11 changelog:
=======================================================================
   [PATCH] Remove Randomness in Selecting NAT IP Address

   We currently choose a "random" IP address to NAT to, where we have a
   range.  Martin Josefsson pointed out that he uses the SAME target in
   iptables because changing IP addresses breaks Internet banking sites
   (among others) which assume the customer will be coming from a
   consistent IP address.
   In fact, we spend a fair bit of effort trying to balance the number of
   connections we NAT to each IP address.  We can come pretty damn close
   just hashing the source and destination IP addresses, and it has the
   consistency property which is so desirable, as well as being faster.
========================================================================

I believe that with this patch the SNAT and DNAT targets behave like 
the SAME target and always use the same mapping in the --to range 
for a given source IP address. However, when a range is specified, 
different sources may use different mappings. But it won't be a dynamic 
round robin, just a static hash. However I believe that when there are 
many different source addresses it can achieve some kind of load balancing.

>>What about the BALANCE target ? It's in the man page, but I had never 
>>heard of it.
> 
> In iptables 1.3.6 BALANCE is not available (nor is it available in the 2.6.17.3
> source). Obsolete? And I fear that it would not help, because the problem is
> the missing round robin/load balancing in the Kernel.

I don't think so. Each target has its own code.
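As an added illustration (not code from this thread or from netfilter), here is a small C model of the behaviour that changelog describes: a static hash of source and destination IP selects the address inside the --to range, so one source always gets the same mapping while many sources spread over the range. The mixing function, the addresses and the 1000 constructed client sources are assumptions; the kernel's real hash function is different.

```c
#include <stdint.h>
#include <stdio.h>
/* Added example, not from the thread or from netfilter.  It models the
 * post-2.6.11 behaviour quoted above: the address inside a --to range is
 * chosen by a static hash of (source IP, destination IP), not at random.
 * mix32() is an illustrative 32-bit mixer, NOT the kernel's real hash. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
static uint32_t mix32(uint32_t x)
{
    x ^= x >> 16; x *= 0x7feb352dU;
    x ^= x >> 15; x *= 0x846ca68bU;
    return x ^ (x >> 16);
}

/* Pick the NAT address in [lo, hi] for a (src, dst) pair.  Ports are not
 * part of the key, so every connection from src to dst gets the same
 * address: the "consistency property" the changelog talks about. */
uint32_t nat_pick(uint32_t src, uint32_t dst, uint32_t lo, uint32_t hi)
{
    return lo + mix32(src ^ mix32(dst)) % (hi - lo + 1);
}

/* Map n_src consecutive sources starting at first_src, tally how many land
 * on each range address into counts[hi - lo + 1], and return the smallest
 * tally.  With many sources no address stays unused: a static spread over
 * the range, not a per-connection round robin. */
uint32_t spread(uint32_t first_src, uint32_t dst, uint32_t lo, uint32_t hi,
                uint32_t n_src, uint32_t *counts)
{
    uint32_t span = hi - lo + 1, i, min;
    for (i = 0; i < span; i++) counts[i] = 0;
    for (i = 0; i < n_src; i++)
        counts[nat_pick(first_src + i, dst, lo, hi) - lo]++;
    for (min = counts[0], i = 1; i < span; i++)
        if (counts[i] < min) min = counts[i];
    return min;
}

int main(void)
{   /* Constructed addresses: clients from 10.0.0.1 up, DNAT range .10-.13 */
    uint32_t lo = IP4(192, 168, 1, 10), hi = IP4(192, 168, 1, 13);
    uint32_t dst = IP4(198, 51, 100, 7), c[4], i;
    printf("10.0.0.5 always -> 192.168.1.%u\n",
           nat_pick(IP4(10, 0, 0, 5), dst, lo, hi) & 0xff);
    spread(IP4(10, 0, 0, 1), dst, lo, hi, 1000, c);
    for (i = 0; i < 4; i++)
        printf("192.168.1.%u: %u of 1000 sources\n", 10 + i, c[i]);
    return 0;
}
```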
