>For security reasons, I upgraded to 2.4.23 last night. Now, suddenly, IP
>masquerading seems to be broken. When I use SNAT instead of
>masquerading, everything works.
>
>Unfortunately, I think it's hard to reproduce the problem. Right after
>booting .23 for the first time, everything seemed to be okay. The
>problems started just an hour ago, after having the server running for
>fifteen hours without any problems.
>
>Unfortunately there's not much more information I can provide. I can
>attach my iptables/rule/route file and keep my machine running in case
>anyone needs/wants more information. For now I'll just stick with SNAT.
>It works good enough for me.
>
>
Can you check the ringbuffer for error messages ? What happens
to the packets when masquerading fails ?
Best regards,
Patrick
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Dec 2 16:42:30 tosca kernel: MASQUERADE: Route sent us somewhere else.
Dec 2 16:42:44 tosca last message repeated 11 times
Dec 2 16:42:47 tosca kernel: NET: 1 messages suppressed.
Dec 2 16:42:47 tosca kernel: MASQUERADE: Route sent us somewhere else.
Dec 2 16:42:51 tosca kernel: NET: 5 messages suppressed.
Dec 2 16:42:51 tosca kernel: MASQUERADE: Route sent us somewhere else.
Dec 2 16:42:57 tosca kernel: NET: 4 messages suppressed.
Dec 2 16:42:57 tosca kernel: MASQUERADE: Route sent us somewhere else.
And, well, it goes on like that. dmesg is full of messages like this.
The packages seem to get lost completely. At least I don't see them
going out on eth1 (where they should go to).
Wilmer van der Gaast.
--
+-------- .''`. - -- ---+ + - -- --- ---- ----- ------+
| lintux : :' : lintux.cx | | OSS Programmer www.bitlbee.org |
| at `. `~' debian.org | | www.algoritme.nl www.lintux.cx |
+--- -- - ` ---------------+ +------ ----- ---- --- -- - +
-
>Dec 2 16:42:57 tosca kernel: NET: 4 messages suppressed.
>Dec 2 16:42:57 tosca kernel: MASQUERADE: Route sent us somewhere else.
>
>And, well, it goes on like that. dmesg is full of messages like this.
>
>The packages seem to get lost completely. At least I don't see them
>going out on eth1 (where they should go to).
>
>
>
It may be related to using advances routing features ..
Can you give information about the specific IPs ? Is it local traffic ?
Thanks,
Also, traffic to 130.89.*.* from any host is routed to eth1 correctly
and "even" works.
So, in short:
192.168.9.10 -=> 130.89.1.1 works, through eth1
192.168.9.11 -=> 130.89.1.1 works, through eth1
192.168.9.10 -=> www.google.com doesn't work
192.168.9.11 -=> www.google.com works, through hensema (which is what I want)
Also, trying to ping www.google.com through eth1 (hensema is the default
interface) from the bugging machine directly works.
I hope this clarifies something... If not, I can do some more testing
tomorrow.
Greetings,
This seems to be the same as
http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0465.html
and https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=144
I've committed the proposed fix (from #144) into patch-o-matic/pending.
Comments?
> Patrick
Patrick,
--
- Harald Welte <laf...@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
>This seems to be the same as
>http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0465.html
>and https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=144
>
>I've committed the proposed fix (from #144) into patch-o-matic/pending.
>
>Comments?
>
>
I don't know if reverting to 2.4.22 is the correct fix, the change was made after this
mail from Alexey http://marc.theaimsgroup.com/?l=linux-net&m=105915597804604&w=2 ,
he states that giving out ifindex is a bug. I don't understand the problem yet but I'm
looking into it.
BTW: Why do we need a route lookup at all ? Couldn't we just use the first address on
dev->in_dev->ifa_list ?
> BTW: Why do we need a route lookup at all ? Couldn't we just use the
> first address on dev->in_dev->ifa_list ?
>
I've attached two patches (2.4+2.6) to the bugtracker which change
MASQUERADE to use indev->ifa_list->ifa_local. The 2.6 version is
running here without problems so far. Please have a look at
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=144 .