https://bugzilla.novell.com/show_bug.cgi?id=756200 https://bugzilla.novell.com/show_bug.cgi?id=756200#c2 --- Comment #2 from Per Jessen 2012-04-09 08:10:19 UTC --- I've now tried with kernel 3.1.0-1.2-default (from vanilla 12.1) - no change. Then I went back to 2.6.25.5-1.1-pae which is what this system was running initially. (dunno why it is pae). With the exact same iptables+routing setup, SNAT'ing now works. iptables+libs are version 1.4.13, and I also installed libnfnetlink0-1.0.0+git28-2.1. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=756200 https://bugzilla.novell.com/show_bug.cgi?id=756200#c3 --- Comment #3 from Per Jessen 2012-04-14 09:04:13 UTC --- This won't probably help much, but due to the issue with overruns mentioned above, I decided to upgrade the firewall hardware. New hardware is now (1U zattoo) 2x1.6GHz, 1024Mb RAM, dual WD SATA drives, 2xGigE + 4x100Mbit/s NICs. At first I installed 11.4 with kernel 2.6.37 - this exhibited the same issue with SNAT'ing as described. Desperate times call for desperate measure, so I now installed openSUSE 11.0, and upgraded iptables etc. to 1.4.13. Again, using the same firewall+masquerading setup, it now works fine. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=756200 https://bugzilla.novell.com/show_bug.cgi?id=756200#c5 --- Comment #5 from Per Jessen 2012-04-16 11:37:06 UTC --- Network config: eth0 = local, private network IPv4, RFC1918. eth1 = uplink via Lancom ADSL router eth2 = local, public network, IPv4 eth3 = 2nd uplink (fibre), public, DHCP. We will most probably move permanently to the fibre uplink by the end of this week, I'll not be able to reproduce or collect diagnostics after that. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=756200 https://bugzilla.novell.com/show_bug.cgi?id=756200#c7 --- Comment #7 from Per Jessen 2012-04-18 15:19:19 UTC --- (In reply to comment #6)

Hello Per,

Thank you for posting all this information and your firewall script, that helped narrow it down. You have a few nat rules. Since you mention that the problem concerns SNAT between public networks, I assume the issue is around this rule, is that right? $IPTABLES -A POSTROUTING -t nat -o $FIBREIF -p tcp --dport http -j SNAT --to $FIBREIP

Hi Benjamin yes that is correct. I should have mentioned that.

I believe I've reproduced the observations you report in comment 1 and I've fixed the issue by doing: echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter (also make sure that it is 0 for the specific interface, $FIBREIF in this case I think)

This was identified using the TRACE iptables target, `conntrack -E` and `netstat -s` which shows the IPReversePathFilter increasing during the problematic times.

Thanks, that's very helpful. I didn't know about TRACE.

I've got this going on 12.2 so you should be able to upgrade again if you confirm that this fixes the issue for you.

12.2M3 seems to be a bit iffy at the moment, but I'll see if I can get to try it with 12.1 over the weekend. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=756200 https://bugzilla.novell.com/show_bug.cgi?id=756200#c9 Benjamin Poirier changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |FIXED --- Comment #9 from Benjamin Poirier 2012-04-20 18:20:52 UTC --- (In reply to comment #8)

Hi Benjamin

I'm sorry, but I won't be able to able to try this out - our new fibre uplink went into production this afternoon.

Ok. I'll close the bug as INVALID for now. If you can reproduce the problem on 12.2 please confirm wether rp_filter fixes it or not and update this bug entry.

However, I noticed that /proc/sys/net/ipv4/conf/all/rp_filter is being set by default by /etc/sysctl.conf, also in openSUSE 11.0. Something odd is going here.

The in kernel default is 0 and it is set to 1 via sysctl. Up to 11.4 (that I can see) the setting is in /etc/sysctl.conf; and from 12.1 onwards it is in /lib/sysctl.d/sysctl.conf. What is odd? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=756200 https://bugzilla.novell.com/show_bug.cgi?id=756200#c11 Benjamin Poirier changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|FIXED |INVALID --- Comment #11 from Benjamin Poirier 2012-04-23 13:18:24 UTC --- 1) It'd be best to double-check the actual value in /proc/sys/net/ipv4/conf/{all,*}/rp_filter and not just the sysctl configuration files. 2) You're right that it would be odd to see a case where it is =1 or =2 and your configuration works. If opensuse 11.0 was current it would be worth investigating - but those days, they are long gone. From what I understand, the behavior we see in 12.2 is correct. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.