[Bug 471] New: UDP stream DNAT problem
bugzilla-daemon at bugzilla.netfilter.org
Fri Apr 14 15:27:11 CEST 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=471
Summary: UDP stream DNAT problem
Product: netfilter/iptables
Version: linux-2.6.x
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: NAT
AssignedTo: laforge at netfilter.org
ReportedBy: dmitry at trifle.net
Description:
~~~~~~~~~~~~
I've noticed DNAT stopped working after reloading the iptables modules or a
machine reboot.
[NetFlow_source]--->--->---[eth0, NAT_box, eth1]--->--->---[NetFlow_collector]
We have a NetFlow collector behind NAT. The NetFlow stream is generated by a
Cisco and should be delivered to the collector. The problem is contained in
conntrack: conntrack caches the UDP stream before the DNAT rule is added. After
adding the DNAT rule, traffic does not pass the DNAT rule; the rule counters are
zero. Flushing the conntrack entries after DNAT setup solves the problem.
Detailed network setup:
~~~~~~~~~~~~~~~~~~~~~~~
NAT_box: tested on Debian or Gentoo, kernels 2.6.14, 2.6.15 or 2.6.16.3.
Kernels are gentoo-patched, debian-patched or vanilla.
eth0: 192.168.1.72/24
eth1: 10.0.1.1/24
netflow_source: 192.168.1.69/24
netflow_collector: 10.0.1.130/24
example tcpdump stream:
14:27:15.064935 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.161056 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.273498 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.370031 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.471035 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.571517 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.667976 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.771630 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.872698 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.974761 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:16.073875 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
Note that neither the src nor the dst port changes over time.
How to reproduce the bug:
~~~~~~~~~~~~~~~~~~~~~~~~~
1) Reproduce the network setup.
2) Use hping to emulate the NetFlow stream:
# hping -d 64 -2 -s 11111 -k -p 56789 -i u10000 192.168.1.72
3) Start tcpdump on NAT_box and ensure you're receiving the traffic.
4) Ensure no iptables/conntrack/nat relevant modules are loaded.
5) modprobe ip_conntrack
6) Ensure conntrack captured this stream:
# grep 192.168.1.69 /proc/net/ip_conntrack
udp 17 29 src=192.168.1.69 dst=192.168.1.72 sport=11111 dport=56789 packets=115 bytes=10580 [UNREPLIED] src=192.168.1.72 dst=192.168.1.69 sport=56789 dport=11111 packets=0 bytes=0 mark=0 use=1
7) Without stopping hping, set up the DNAT rule:
# iptables -t nat -A PREROUTING -p udp -d 192.168.1.72 --dport 56789 -j DNAT --to 10.0.1.130
8) Run tcpdump on eth1 and see no DNATed packets.
9) Run 'conntrack -F' or 'ifconfig eth0 down; sleep 60s; ifconfig eth0 up', or
stop hping for a minute. The main idea is to make this flow expire in
conntrack. After this, the traffic is DNATed successfully.
I'm not sure this is a NAT related problem; probably it is more conntrack related.
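To make the cached-decision behaviour in the report concrete, here is an added toy model in Python (not the reporter's code and not netfilter's; the addresses, ports, the 30 s UDP timeout and the step numbering follow the report, everything else is constructed):

```python
# Constructed toy model of conntrack plus NAT (not kernel code) for the report above.
# It keeps two behaviours: the NAT decision is taken on a flow's first packet and
# cached in its conntrack entry, and an [UNREPLIED] UDP entry expires after 30 s.
from collections import namedtuple

UDP_UNREPLIED_TIMEOUT = 30.0          # the "udp 17 29 ..." countdown in the report
Flow = namedtuple("Flow", "src sport dst dport")

class NatBox:
    def __init__(self) -> None:
        self.conntrack: dict = {}     # Flow -> {"to": address, "expires": time}
        self.dnat_rules: list = []    # (dst, dport, to), as in the PREROUTING rule

    def add_dnat(self, dst: str, dport: int, to: str) -> None:
        self.dnat_rules.append((dst, dport, to))

    def flush(self) -> None:          # what 'conntrack -F' does
        self.conntrack.clear()

    def _nat_decision(self, f: Flow) -> str:
        for dst, dport, to in self.dnat_rules:
            if f.dst == dst and f.dport == dport:
                return to
        return f.dst                  # no rule matched: deliver unchanged

    def receive(self, f: Flow, now: float) -> str:
        """Return the address a packet of flow f is delivered to at time now."""
        e = self.conntrack.get(f)
        if e is None or e["expires"] <= now:
            # New or expired flow: the NAT table is consulted once, result cached.
            e = {"to": self._nat_decision(f), "expires": 0.0}
            self.conntrack[f] = e
        e["expires"] = now + UDP_UNREPLIED_TIMEOUT   # every packet refreshes the timer
        return e["to"]

def reproduce() -> dict:
    """Replay steps 5-9 of the report (10 ms between packets, as with hping -i u10000)."""
    f = Flow("192.168.1.69", 11111, "192.168.1.72", 56789)
    out, box = {}, NatBox()
    out["before_rule"] = box.receive(f, 0.00)            # step 6: entry created, no NAT
    box.add_dnat("192.168.1.72", 56789, "10.0.1.130")    # step 7: rule added mid-stream
    out["rule_added"] = box.receive(f, 0.01)             # step 8: still not DNATed
    box.flush()                                          # step 9: conntrack -F
    out["after_flush"] = box.receive(f, 0.02)            # now DNATed
    box2 = NatBox()                                      # step 9 variant: a minute of silence
    box2.receive(f, 0.0)
    box2.add_dnat("192.168.1.72", 56789, "10.0.1.130")
    out["after_60s_silence"] = box2.receive(f, 60.0)     # entry expired, new one is DNATed
    return out
```

The model shows why the rule counters stay at zero while the old entry lives: the PREROUTING nat chain is only consulted for packets that create a new conntrack entry, so either flushing the table or letting the entry time out is what makes the rule take effect.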