[Bug 756200] New: iptables snat/masquerading not working with kernel 3.3.0
https://bugzilla.novell.com/show_bug.cgi?id=756200
https://bugzilla.novell.com/show_bug.cgi?id=756200#c0

Summary: iptables snat/masquerading not working with kernel 3.3.0
Classification: openSUSE
Product: openSUSE 12.2
Version: Factory
Platform: i586
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
AssignedTo: kernel-maintainers@forge.provo.novell.com
ReportedBy: per@opensuse.org
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:11.0) Gecko/20100101 Firefox/11.0

Hardware: stand-alone firewall system, PIII 800MHZ (minerva), 512Mb RAM. This is a production firewall box, I'm unlikely to be able to retrieve diagnostics or do many further tests.

Due to a problem with network interface overruns:
http://lists.opensuse.org/opensuse/2012-04/msg00185.html
I decided to move up to kernel 3.3.0 (-2-default) from factory. After also upgrading iptables, I kept having troubles getting masquerading/snat'ing to work again. Googling found a couple of people complaining about the same:
http://ask.fedoraproject.org/question/1429/port-forwarding-with-kernel-330-n...
http://www.fedoraforum.de/viewtopic.php?f=6&p=124882

I've been troubleshooting this for a couple of days, and can only conclude that SNAT'ing/masquerading simply doesn't work with this kernel. I'll probably try an older kernel (3.1.0) to see if that makes a difference.

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=756200#c1
--- Comment #1 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=756200#c2
--- Comment #2 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=756200#c
Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=756200#c3
--- Comment #3 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=756200#c4
--- Comment #4 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=756200#c5
--- Comment #5 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=756200#c6
Benjamin Poirier
https://bugzilla.novell.com/show_bug.cgi?id=756200#c7
--- Comment #7 from Per Jessen
Hello Per,
Thank you for posting all this information and your firewall script, that helped narrow it down. You have a few nat rules. Since you mention that the problem concerns SNAT between public networks, I assume the issue is around this rule, is that right?
$IPTABLES -A POSTROUTING -t nat -o $FIBREIF -p tcp --dport http -j SNAT --to $FIBREIP
Hi Benjamin yes that is correct. I should have mentioned that.
I believe I've reproduced the observations you report in comment 1 and I've fixed the issue by doing:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
(also make sure that it is 0 for the specific interface, $FIBREIF in this case I think)
This was identified using the TRACE iptables target, `conntrack -E` and `netstat -s` which shows the IPReversePathFilter increasing during the problematic times.
Thanks, that's very helpful. I didn't know about TRACE.
I've got this going on 12.2 so you should be able to upgrade again if you confirm that this fixes the issue for you.
12.2M3 seems to be a bit iffy at the moment, but I'll see if I can get to try it with 12.1 over the weekend.
https://bugzilla.novell.com/show_bug.cgi?id=756200#c8
Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=756200#c9
Benjamin Poirier
Hi Benjamin
I'm sorry, but I won't be able to try this out - our new fibre uplink went into production this afternoon.
Ok. I'll close the bug as INVALID for now. If you can reproduce the problem on 12.2 please confirm whether rp_filter fixes it or not and update this bug entry.
However, I noticed that /proc/sys/net/ipv4/conf/all/rp_filter is being set by default by /etc/sysctl.conf, also in openSUSE 11.0. Something odd is going on here.
The in-kernel default is 0 and it is set to 1 via sysctl. Up to 11.4 (that I can see) the setting is in /etc/sysctl.conf; and from 12.1 onwards it is in /lib/sysctl.d/sysctl.conf. What is odd?
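The two findings of the thread, the rp_filter fix and its diagnosis in comment 7 (a rising IPReversePathFilter counter while SNAT appears broken) and the distribution-level sysctl default discussed in comment 9, can be verified on a router with the script below. It is an added example, not the reporter's firewall script or anything from the bug itself. It assumes the /proc/net/netstat layout (a "TcpExt:" header line followed by a "TcpExt:" value line) and the /proc/sys/net/ipv4/conf/<interface>/rp_filter files, and takes both paths as parameters so it can also be run against constructed sample files; the function names rpf_drops, effective_rp_filter and diagnose are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or its firewall script): check the
# two things the thread points at on a SNAT router.
#   1. the effective rp_filter mode on the SNAT interface (comments 7 and 9)
#   2. the IPReversePathFilter counter that rose while SNAT "did not work"
# Assumed layouts: /proc/net/netstat has a "TcpExt:" header line followed by a
# "TcpExt:" value line; /proc/sys/net/ipv4/conf/<if>/rp_filter holds 0, 1 or 2.
# Both paths are parameters so the functions can run against sample files.

# Print the IPReversePathFilter counter (packets dropped by reverse-path
# filtering) from a /proc/net/netstat-style file; 0 if the counter is absent.
rpf_drops() {
    awk '
        $1 == "TcpExt:" && !seen_header {
            for (i = 2; i <= NF; i++) if ($i == "IPReversePathFilter") col = i
            seen_header = 1
            next
        }
        $1 == "TcpExt:" && seen_header { print (col ? $col : 0); exit }
    ' "${1:-/proc/net/netstat}"
}

# Effective rp_filter mode for an interface. The kernel uses the larger of
# conf/all/rp_filter and conf/<if>/rp_filter, so zeroing only the
# interface-specific knob changes nothing while "all" (set to 1 by the
# distribution's sysctl.conf, as noted in comment 9) is still strict.
effective_rp_filter() {
    base=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$base/all/rp_filter" 2>/dev/null || echo 0)
    dev=$(cat "$base/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# One-shot verdict: returns 1 when reverse-path filtering is active for the
# interface and has already dropped packets, the combination Benjamin
# identified with the TRACE target, conntrack -E and netstat -s.
diagnose() {
    iface=$1
    mode=$(effective_rp_filter "$iface" "${3:-/proc/sys/net/ipv4/conf}")
    drops=$(rpf_drops "${2:-/proc/net/netstat}")
    echo "rp_filter effective mode on $iface: $mode (0=off, 1=strict, 2=loose)"
    echo "IPReversePathFilter drops so far: $drops"
    if [ "$mode" -ne 0 ] && [ "$drops" -gt 0 ]; then
        echo "reverse-path filtering is discarding packets on $iface;"
        echo "for asymmetric SNAT set rp_filter to 0 (or 2, loose) for both 'all' and $iface"
        return 1
    fi
    echo "no rp_filter drops recorded; look elsewhere (TRACE target, conntrack -E)"
    return 0
}

# Usage on the router: RPF_IFACE=eth1 sh rpf_check.sh
# The counter is cumulative: run it again after a minute of traffic and a
# rising value during the failing window confirms the diagnosis.
if [ -n "${RPF_IFACE:-}" ]; then
    diagnose "$RPF_IFACE"
fi
```

Mode 2 (loose reverse-path filtering, RFC 3704) is the middle ground if you would rather not switch the check off entirely: it only requires the source address to be reachable via some interface, which asymmetric SNAT between public networks satisfies while plain spoofed sources still do not.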
https://bugzilla.novell.com/show_bug.cgi?id=756200#c10
--- Comment #10 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=756200#c11
Benjamin Poirier