Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

2.4.23 masquerading broken?

0 views
Skip to first unread message

Patrick McHardy

unread,
Dec 2, 2003, 12:30:23 PM12/2/03
to
Wilmer van der Gaast wrote:

>For security reasons, I upgraded to 2.4.23 last night. Now, suddenly, IP
>masquerading seems to be broken. When I use SNAT instead of
>masquerading, everything works.
>
>Unfortunately, I think it's hard to reproduce the problem. Right after
>booting .23 for the first time, everything seemed to be okay. The
>problems started just an hour ago, after having the server running for
>fifteen hours without any problems.
>
>Unfortunately there's not much more information I can provide. I can
>attach my iptables/rule/route file and keep my machine running in case
>anyone needs/wants more information. For now I'll just stick with SNAT.
>It works good enough for me.
>
>

Can you check the ringbuffer for error messages ? What happens
to the packets when masquerading fails ?

Best regards,
Patrick

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Wilmer van der Gaast

unread,
Dec 2, 2003, 12:40:47 PM12/2/03
to
Patrick McHardy (ka...@trash.net) wrote:
> Can you check the ringbuffer for error messages ? What happens
> to the packets when masquerading fails ?
>
Hmm. Damn, forgot about the syslogs completely. :-(

Dec 2 16:42:30 tosca kernel: MASQUERADE: Route sent us somewhere else.
Dec 2 16:42:44 tosca last message repeated 11 times
Dec 2 16:42:47 tosca kernel: NET: 1 messages suppressed.
Dec 2 16:42:47 tosca kernel: MASQUERADE: Route sent us somewhere else.
Dec 2 16:42:51 tosca kernel: NET: 5 messages suppressed.
Dec 2 16:42:51 tosca kernel: MASQUERADE: Route sent us somewhere else.
Dec 2 16:42:57 tosca kernel: NET: 4 messages suppressed.
Dec 2 16:42:57 tosca kernel: MASQUERADE: Route sent us somewhere else.

And, well, it goes on like that. dmesg is full of messages like this.

The packages seem to get lost completely. At least I don't see them
going out on eth1 (where they should go to).


Wilmer van der Gaast.

--
+-------- .''`. - -- ---+ + - -- --- ---- ----- ------+
| lintux : :' : lintux.cx | | OSS Programmer www.bitlbee.org |
| at `. `~' debian.org | | www.algoritme.nl www.lintux.cx |
+--- -- - ` ---------------+ +------ ----- ---- --- -- - +

snpe

unread,
Dec 2, 2003, 4:00:37 PM12/2/03
to
It work for me
(2.4.23 with linux abi, gcc 3.2 from RedHat 8.0 - netfilter like modules)
regards
Haris Peco

On Tuesday 02 December 2003 05:33 pm, Wilmer van der Gaast wrote:
> Patrick McHardy (ka...@trash.net) wrote:
> > Can you check the ringbuffer for error messages ? What happens
> > to the packets when masquerading fails ?
>
> Hmm. Damn, forgot about the syslogs completely. :-(
>
> Dec 2 16:42:30 tosca kernel: MASQUERADE: Route sent us somewhere else.
> Dec 2 16:42:44 tosca last message repeated 11 times
> Dec 2 16:42:47 tosca kernel: NET: 1 messages suppressed.
> Dec 2 16:42:47 tosca kernel: MASQUERADE: Route sent us somewhere else.
> Dec 2 16:42:51 tosca kernel: NET: 5 messages suppressed.
> Dec 2 16:42:51 tosca kernel: MASQUERADE: Route sent us somewhere else.
> Dec 2 16:42:57 tosca kernel: NET: 4 messages suppressed.
> Dec 2 16:42:57 tosca kernel: MASQUERADE: Route sent us somewhere else.
>
> And, well, it goes on like that. dmesg is full of messages like this.
>
> The packages seem to get lost completely. At least I don't see them
> going out on eth1 (where they should go to).
>
>
> Wilmer van der Gaast.

-

Patrick McHardy

unread,
Dec 2, 2003, 6:40:15 PM12/2/03
to
Wilmer van der Gaast wrote:

>Dec 2 16:42:57 tosca kernel: NET: 4 messages suppressed.
>Dec 2 16:42:57 tosca kernel: MASQUERADE: Route sent us somewhere else.
>
>And, well, it goes on like that. dmesg is full of messages like this.
>
>The packages seem to get lost completely. At least I don't see them
>going out on eth1 (where they should go to).
>
>
>

It may be related to using advances routing features ..
Can you give information about the specific IPs ? Is it local traffic ?

Thanks,

Wilmer van der Gaast

unread,
Dec 2, 2003, 7:50:13 PM12/2/03
to
Patrick McHardy (ka...@trash.net) wrote:
> It may be related to using advances routing features ..
> Can you give information about the specific IPs ? Is it local traffic ?
>
It happens when a packet to a host outside 130.89.*.* is routed through
the eth1 (130.89.203.37) interface. That happens with any traffic not
from .9.11 or .9.13. .9.11 and .9.13 don't have any problems, their
traffic is routed to the other Internet interface without any problems.

Also, traffic to 130.89.*.* from any host is routed to eth1 correctly
and "even" works.

So, in short:

192.168.9.10 -=> 130.89.1.1 works, through eth1
192.168.9.11 -=> 130.89.1.1 works, through eth1
192.168.9.10 -=> www.google.com doesn't work
192.168.9.11 -=> www.google.com works, through hensema (which is what I want)

Also, trying to ping www.google.com through eth1 (hensema is the default
interface) from the bugging machine directly works.

I hope this clarifies something... If not, I can do some more testing
tomorrow.


Greetings,

Harald Welte

unread,
Jan 10, 2004, 5:10:10 PM1/10/04
to
On Tue, Dec 02, 2003 at 06:25:22PM +0100, Patrick McHardy wrote:
> Wilmer van der Gaast wrote:
>
> >For security reasons, I upgraded to 2.4.23 last night. Now, suddenly, IP
> >masquerading seems to be broken. When I use SNAT instead of
> >masquerading, everything works.
> >
> >Unfortunately, I think it's hard to reproduce the problem. Right after
> >booting .23 for the first time, everything seemed to be okay. The
> >problems started just an hour ago, after having the server running for
> >fifteen hours without any problems.
> >
> >Unfortunately there's not much more information I can provide. I can
> >attach my iptables/rule/route file and keep my machine running in case
> >anyone needs/wants more information. For now I'll just stick with SNAT.
> >It works good enough for me.

This seems to be the same as
http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0465.html
and https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=144

I've committed the proposed fix (from #144) into patch-o-matic/pending.

Comments?

> Patrick

Patrick,

--
- Harald Welte <laf...@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie

signature.asc

Patrick McHardy

unread,
Jan 11, 2004, 5:50:10 AM1/11/04
to
Harald Welte wrote:

>This seems to be the same as
>http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0465.html
>and https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=144
>
>I've committed the proposed fix (from #144) into patch-o-matic/pending.
>
>Comments?
>
>

I don't know if reverting to 2.4.22 is the correct fix, the change was made after this
mail from Alexey http://marc.theaimsgroup.com/?l=linux-net&m=105915597804604&w=2 ,
he states that giving out ifindex is a bug. I don't understand the problem yet but I'm
looking into it.

BTW: Why do we need a route lookup at all ? Couldn't we just use the first address on
dev->in_dev->ifa_list ?

Patrick McHardy

unread,
Jan 11, 2004, 7:20:17 AM1/11/04
to
Patrick McHardy wrote:

> BTW: Why do we need a route lookup at all ? Couldn't we just use the
> first address on dev->in_dev->ifa_list ?
>

I've attached two patches (2.4+2.6) to the bugtracker which change
MASQUERADE to use indev->ifa_list->ifa_local. The 2.6 version is
running here without problems so far. Please have a look at
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=144 .

0 new messages