* Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
@ 2011-08-04 17:31 Florian Mickler
  2011-08-04 18:38 ` Julian Anastasov
  0 siblings, 1 reply; 6+ messages in thread
From: Florian Mickler @ 2011-08-04 17:31 UTC (permalink / raw)
  To: netdev; +Cc: David Miller

Can someone take a look at this regression?

Begin forwarded message:

Date: Thu, 28 Jul 2011 04:51:12 GMT
From: bugzilla-daemon@bugzilla.kernel.org
To: florian@mickler.org
Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
broken.


https://bugzilla.kernel.org/show_bug.cgi?id=39132


Francis Whittle <FJ.Whittle@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |FJ.Whittle@gmail.com




--- Comment #18 from Francis Whittle <FJ.Whittle@gmail.com>  2011-07-28 04:50:56 ---
Similar story here, bug is still present in v3.0



* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
  2011-08-04 17:31 Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken Florian Mickler
@ 2011-08-04 18:38 ` Julian Anastasov
  2011-08-04 19:12   ` Florian Mickler
  2011-08-05  4:09   ` Fw: " David Hill
  0 siblings, 2 replies; 6+ messages in thread
From: Julian Anastasov @ 2011-08-04 18:38 UTC (permalink / raw)
  To: Florian Mickler; +Cc: hilld, netdev, David Miller


	Hello,

On Thu, 4 Aug 2011, Florian Mickler wrote:

> Can someone take a look at this regression?
> 
> Begin forwarded message:
> 
> Date: Thu, 28 Jul 2011 04:51:12 GMT
> From: bugzilla-daemon@bugzilla.kernel.org
> To: florian@mickler.org
> Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
> broken.
> 
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=39132

	So, problem points again to
"Fix ip_route_me_harder triggering ip_rt_bug"? Maybe
David C. Hill or Florian can provide some information, e.g. is
tproxy used, what NAT rules are used, any rules in OUTPUT
hooks (NAT/mangle) and which packets are dropped.

Regards

--
Julian Anastasov <ja@ssi.bg>


* Re: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
  2011-08-04 18:38 ` Julian Anastasov
@ 2011-08-04 19:12   ` Florian Mickler
  2011-08-05  4:09   ` Fw: " David Hill
  1 sibling, 0 replies; 6+ messages in thread
From: Florian Mickler @ 2011-08-04 19:12 UTC (permalink / raw)
  To: Julian Anastasov; +Cc: hilld, netdev, David Miller, bugzilla-daemon

On Thu, 4 Aug 2011 21:38:48 +0300 (EEST)
Julian Anastasov <ja@ssi.bg> wrote:

> 
> 	Hello,
> 
> On Thu, 4 Aug 2011, Florian Mickler wrote:
> 
> > Can someone take a look at this regression?
> > 
> > Begin forwarded message:
> > 
> > Date: Thu, 28 Jul 2011 04:51:12 GMT
> > From: bugzilla-daemon@bugzilla.kernel.org
> > To: florian@mickler.org
> > Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
> > broken.
> > 
> > 
> > https://bugzilla.kernel.org/show_bug.cgi?id=39132
> 
> 	So, problem points again to
> "Fix ip_route_me_harder triggering ip_rt_bug"? Maybe
> David C. Hill or Florian can provide some information, e.g. is
> tproxy used, what NAT rules are used, any rules in OUTPUT
> hooks (NAT/mangle) and which packets are dropped.
> 
> Regards
> 
> --
> Julian Anastasov <ja@ssi.bg>

That would have to come from David C. Hill, since I'm not experiencing
this bug.

Regards,
Flo

p.s.: I added the bugzilla daemon to the cc in the hope that this mail
will land as a comment in there. 


* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
  2011-08-04 18:38 ` Julian Anastasov
  2011-08-04 19:12   ` Florian Mickler
@ 2011-08-05  4:09   ` David Hill
  2011-08-05 15:16     ` Julian Anastasov
  2011-08-15 15:27     ` Julian Anastasov
  1 sibling, 2 replies; 6+ messages in thread
From: David Hill @ 2011-08-05  4:09 UTC (permalink / raw)
  To: Julian Anastasov, Florian Mickler; +Cc: netdev, David Miller

Hello Julian,

    I'm not using TPROXY and I've used a blank firewall with only 
masquerading and reproduced the issue.
Nothing is in NAT/mangle nor OUTPUT but the rules mentioned in the 
attached files to this bug.

Francis Whittle (Comment #18) has the same issue.

Thank you,

Dave


----- Original Message ----- 
From: "Julian Anastasov" <ja@ssi.bg>
To: "Florian Mickler" <florian@mickler.org>
Cc: <hilld@binarystorm.net>; <netdev@vger.kernel.org>; "David Miller" 
<davem@davemloft.net>
Sent: Thursday, August 04, 2011 2:38 PM
Subject: Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to 
be broken.


>
> Hello,
>
> On Thu, 4 Aug 2011, Florian Mickler wrote:
>
>> Can someone take a look at this regression?
>>
>> Begin forwarded message:
>>
>> Date: Thu, 28 Jul 2011 04:51:12 GMT
>> From: bugzilla-daemon@bugzilla.kernel.org
>> To: florian@mickler.org
>> Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
>> broken.
>>
>>
>> https://bugzilla.kernel.org/show_bug.cgi?id=39132
>
> So, problem points again to
> "Fix ip_route_me_harder triggering ip_rt_bug"? Maybe
> David C. Hill or Florian can provide some information, e.g. is
> tproxy used, what NAT rules are used, any rules in OUTPUT
> hooks (NAT/mangle) and which packets are dropped.
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
>



* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
  2011-08-05  4:09   ` Fw: " David Hill
@ 2011-08-05 15:16     ` Julian Anastasov
  2011-08-15 15:27     ` Julian Anastasov
  1 sibling, 0 replies; 6+ messages in thread
From: Julian Anastasov @ 2011-08-05 15:16 UTC (permalink / raw)
  To: David Hill; +Cc: Florian Mickler, netdev, David Miller, bugzilla-daemon


	Hello,

On Fri, 5 Aug 2011, David Hill wrote:

>    I'm not using TPROXY and I've used a blank firewall with only masquerading
> and reproduced the issue.
> Nothing is in NAT/mangle nor OUTPUT but the rules mentioned in the attached
> files to this bug.
> 
> Francis Whittle  (Comment #18) has the same issue.

	I compiled 3.0 kernel, added one -j MASQUERADE and
tried TCP connection - it works. I'm not sure ip_route_me_harder
is called for masqueraded traffic, usually it is called
from LOCAL_OUT handlers or to send TCP RST (-j REJECT) via
LOCAL_OUT, not for forwarded traffic.

	Can you show lines of tcpdump output with addresses and
ports, so that I can understand what kind of traffic is
dropped: is it the initial forwarded packet or its response,
is it a problem with some ICMP packets? I assume there is
no problem with locally generated traffic.

	Can you show output from:

# grep . /proc/sys/net/ipv4/conf/*/rp_filter
# grep . /proc/sys/net/ipv4/conf/*/send_redirects

	If it works with -rc5 it should not be rp_filter;
for NAT, the problem can be with ICMP redirects or something else.
Can you tell us if the internal and external devices are
the same or maybe many?

Regards

--
Julian Anastasov <ja@ssi.bg>


* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
  2011-08-05  4:09   ` Fw: " David Hill
  2011-08-05 15:16     ` Julian Anastasov
@ 2011-08-15 15:27     ` Julian Anastasov
  1 sibling, 0 replies; 6+ messages in thread
From: Julian Anastasov @ 2011-08-15 15:27 UTC (permalink / raw)
  To: David Hill; +Cc: Florian Mickler, netdev, David Miller, bugzilla-daemon


	Hello,

On Fri, 5 Aug 2011, David Hill wrote:

> Hello Julian,
> 
>    I'm not using TPROXY and I've used a blank firewall with only masquerading
> and reproduced the issue.
> Nothing is in NAT/mangle nor OUTPUT but the rules mentioned in the attached
> files to this bug.
> 
> Francis Whittle  (Comment #18) has the same issue.
> 
> > Hello,
> > 
> > On Thu, 4 Aug 2011, Florian Mickler wrote:
> > 
> > > Can someone take a look at this regression?
> > > 
> > > Begin forwarded message:
> > > 
> > > Date: Thu, 28 Jul 2011 04:51:12 GMT
> > > From: bugzilla-daemon@bugzilla.kernel.org
> > > To: florian@mickler.org
> > > Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
> > > broken.
> > > 
> > > 
> > > https://bugzilla.kernel.org/show_bug.cgi?id=39132
> > 
> > So, problem points again to
> > "Fix ip_route_me_harder triggering ip_rt_bug"? Maybe
> > David C. Hill or Florian can provide some information, e.g. is
> > tproxy used, what NAT rules are used, any rules in OUTPUT
> > hooks (NAT/mangle) and which packets are dropped.

	Maybe it is a sequence of two problems. I now
checked the tcpdump log from Francis Whittle. The
"seq 352:1792" packet at 18:44:29.235154 that is not
SNAT-ed is long, can it be some PMTU event that triggers
ICMP response to the internal host? Because I see changes
in MSS. Maybe rc5 triggers ICMP FRAG NEEDED while rc6
does not. It can happen because:

1. ICMP uses non-local iph->saddr when XFRM is compiled,
reverse lookup fails with ENOENT but fl4->saddr is
already damaged with the original daddr (non-local).

	Fix is here: http://marc.info/?t=131118984300003&r=1&w=2

2. The patched ip_route_me_harder between 3.0-rc5 and
3.0-rc6 expects that sockets always provide local address.
This is wrong for some cases such as TCP (uses different
SOCK_RAW socket for some packets and can cause problem
for tproxy), RAW (can use spoofed sources) and now the
ICMP code that incorrectly provides non-local address.

	Fix is here: http://marc.info/?t=131274411600001&r=1&w=2

	I hope (any of) these two fixes should solve the
masquerading problems. If that is not true, tcpdump from rc5
would be helpful for comparison.

Regards

--
Julian Anastasov <ja@ssi.bg>
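
The check applied to the tcpdump log in the message above (spotting a forwarded packet that left without SNAT), as an added example that is not part of the thread or any participant's code: it scans `tcpdump -n` text captured on the external interface and reports packets whose source is still in the internal subnet. The subnet, addresses and sample lines are constructed assumptions, not the log attached to the bug.

```python
import ipaddress
import re

# One line of `tcpdump -n` text output: "time IP src[.port] > dst[.port]: rest"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$"
)

def find_untranslated(lines, internal_net):
    """Return packets captured on the external interface whose source is
    still inside internal_net, i.e. forwarded packets that were not SNAT-ed."""
    net = ipaddress.ip_network(internal_net)
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IPv4 packet line (ARP, IPv6, wrapped output)
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # digits that do not form a valid address
        if src not in net:
            continue  # source already translated, or reply traffic
        length = re.search(r"\blength (\d+)", m["rest"])
        seq = re.search(r"\bseq (\d+(?::\d+)?)", m["rest"])
        leaks.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "seq": seq.group(1) if seq else None,
            "length": int(length.group(1)) if length else None,
        })
    return leaks

# Constructed sample (not the log from the bug report): internal net
# 10.0.0.0/24, masquerade address 203.0.113.1, remote server 198.51.100.7.
SAMPLE = """\
18:00:01.000100 IP 203.0.113.1.40001 > 198.51.100.7.80: Flags [S], seq 100, win 14600, options [mss 1460], length 0
18:00:01.020300 IP 198.51.100.7.80 > 203.0.113.1.40001: Flags [S.], seq 900, ack 101, win 14480, options [mss 1400], length 0
18:00:01.020900 IP 203.0.113.1.40001 > 198.51.100.7.80: Flags [.], ack 1, win 115, length 0
18:00:01.031000 IP 10.0.0.20.40001 > 198.51.100.7.80: Flags [P.], seq 1:1441, ack 1, win 115, length 1440
"""

if __name__ == "__main__":
    for pkt in find_untranslated(SAMPLE.splitlines(), "10.0.0.0/24"):
        print("not SNAT-ed:", pkt)
```

Reporting the length next to each hit makes it easy to see whether only full-size segments escape translation, which is the pattern that suggests a PMTU-related path.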

