* Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
@ 2011-08-04 17:31 Florian Mickler
2011-08-04 18:38 ` Julian Anastasov
0 siblings, 1 reply; 6+ messages in thread
From: Florian Mickler @ 2011-08-04 17:31 UTC (permalink / raw)
To: netdev; +Cc: David Miller
Can someone take a look at this regression?
Begin forwarded message:
Date: Thu, 28 Jul 2011 04:51:12 GMT
From: bugzilla-daemon@bugzilla.kernel.org
To: florian@mickler.org
Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
broken.
https://bugzilla.kernel.org/show_bug.cgi?id=39132
Francis Whittle <FJ.Whittle@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |FJ.Whittle@gmail.com
--- Comment #18 from Francis Whittle <FJ.Whittle@gmail.com> 2011-07-28 04:50:56 ---
Similar story here, bug is still present in v3.0
* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
2011-08-04 17:31 Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken Florian Mickler
@ 2011-08-04 18:38 ` Julian Anastasov
2011-08-04 19:12 ` Florian Mickler
2011-08-05 4:09 ` Fw: " David Hill
0 siblings, 2 replies; 6+ messages in thread
From: Julian Anastasov @ 2011-08-04 18:38 UTC (permalink / raw)
To: Florian Mickler; +Cc: hilld, netdev, David Miller
Hello,
On Thu, 4 Aug 2011, Florian Mickler wrote:
> Can someone take a look at this regression?
>
> Begin forwarded message:
>
> Date: Thu, 28 Jul 2011 04:51:12 GMT
> From: bugzilla-daemon@bugzilla.kernel.org
> To: florian@mickler.org
> Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
> broken.
>
>
> https://bugzilla.kernel.org/show_bug.cgi?id=39132
So, problem points again to
"Fix ip_route_me_harder triggering ip_rt_bug"? Maybe
David C. Hill or Florian can provide some information, e.g. is
tproxy used, what NAT rules are used, any rules in OUTPUT
hooks (NAT/mangle) and which packets are dropped.
Regards
--
Julian Anastasov <ja@ssi.bg>
* Re: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
2011-08-04 18:38 ` Julian Anastasov
@ 2011-08-04 19:12 ` Florian Mickler
2011-08-05 4:09 ` Fw: " David Hill
1 sibling, 0 replies; 6+ messages in thread
From: Florian Mickler @ 2011-08-04 19:12 UTC (permalink / raw)
To: Julian Anastasov; +Cc: hilld, netdev, David Miller, bugzilla-daemon
On Thu, 4 Aug 2011 21:38:48 +0300 (EEST)
Julian Anastasov <ja@ssi.bg> wrote:
>
> Hello,
>
> On Thu, 4 Aug 2011, Florian Mickler wrote:
>
> > Can someone take a look at this regression?
> >
> > Begin forwarded message:
> >
> > Date: Thu, 28 Jul 2011 04:51:12 GMT
> > From: bugzilla-daemon@bugzilla.kernel.org
> > To: florian@mickler.org
> > Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
> > broken.
> >
> >
> > https://bugzilla.kernel.org/show_bug.cgi?id=39132
>
> So, problem points again to
> "Fix ip_route_me_harder triggering ip_rt_bug"? Maybe
> David C. Hill or Florian can provide some information, e.g. is
> tproxy used, what NAT rules are used, any rules in OUTPUT
> hooks (NAT/mangle) and which packets are dropped.
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
That would have to come from David C. Hill, since I'm not experiencing
this bug.
Regards,
Flo
p.s.: I added the bugzilla daemon to the cc in the hope that this mail
will land as a comment in there.
* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
2011-08-04 18:38 ` Julian Anastasov
2011-08-04 19:12 ` Florian Mickler
@ 2011-08-05 4:09 ` David Hill
2011-08-05 15:16 ` Julian Anastasov
2011-08-15 15:27 ` Julian Anastasov
1 sibling, 2 replies; 6+ messages in thread
From: David Hill @ 2011-08-05 4:09 UTC (permalink / raw)
To: Julian Anastasov, Florian Mickler; +Cc: netdev, David Miller
Hello Julian,
I'm not using TPROXY and I've used a blank firewall with only
masquerading and reproduced the issue.
Nothing is in NAT/mangle nor OUTPUT but the rules mentioned in the
attached files to this bug.
Francis Whittle (Comment #18) has the same issue.
Thank you,
Dave
----- Original Message -----
From: "Julian Anastasov" <ja@ssi.bg>
To: "Florian Mickler" <florian@mickler.org>
Cc: <hilld@binarystorm.net>; <netdev@vger.kernel.org>; "David Miller"
<davem@davemloft.net>
Sent: Thursday, August 04, 2011 2:38 PM
Subject: Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to
be broken.
>
> Hello,
>
> On Thu, 4 Aug 2011, Florian Mickler wrote:
>
>> Can someone take a look at this regression?
>>
>> Begin forwarded message:
>>
>> Date: Thu, 28 Jul 2011 04:51:12 GMT
>> From: bugzilla-daemon@bugzilla.kernel.org
>> To: florian@mickler.org
>> Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
>> broken.
>>
>>
>> https://bugzilla.kernel.org/show_bug.cgi?id=39132
>
> So, problem points again to
> "Fix ip_route_me_harder triggering ip_rt_bug"? Maybe
> David C. Hill or Florian can provide some information, e.g. is
> tproxy used, what NAT rules are used, any rules in OUTPUT
> hooks (NAT/mangle) and which packets are dropped.
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
2011-08-05 4:09 ` Fw: " David Hill
@ 2011-08-05 15:16 ` Julian Anastasov
2011-08-15 15:27 ` Julian Anastasov
1 sibling, 0 replies; 6+ messages in thread
From: Julian Anastasov @ 2011-08-05 15:16 UTC (permalink / raw)
To: David Hill; +Cc: Florian Mickler, netdev, David Miller, bugzilla-daemon
Hello,
On Fri, 5 Aug 2011, David Hill wrote:
> I'm not using TPROXY and I've used a blank firewall with only masquerading
> and reproduced the issue.
> Nothing is in NAT/mangle nor OUTPUT but the rules mentioned in the attached
> files to this bug.
>
> Francis Whittle (Comment #18) has the same issue.
I compiled 3.0 kernel, added one -j MASQUERADE and
tried TCP connection - it works. I'm not sure ip_route_me_harder
is called for masqueraded traffic, usually it is called
from LOCAL_OUT handlers or to send TCP RST (-j REJECT) via
LOCAL_OUT, not for forwarded traffic.
Can you show lines of tcpdump output with addresses and
ports, so that I can understand what kind of traffic is
dropped, is it initial forwarded packet or its response,
is it problem with some ICMP packets, I assume there is
no problem with locally generated traffic.
Can you show output from:
# grep . /proc/sys/net/ipv4/conf/*/rp_filter
# grep . /proc/sys/net/ipv4/conf/*/send_redirects
If it works with -rc5 it should not be rp_filter,
for NAT, problem can be with ICMP redirects or something else.
Can you tell us if the internal and external devices are
the same or maybe many.
Regards
--
Julian Anastasov <ja@ssi.bg>
* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
2011-08-05 4:09 ` Fw: " David Hill
2011-08-05 15:16 ` Julian Anastasov
@ 2011-08-15 15:27 ` Julian Anastasov
1 sibling, 0 replies; 6+ messages in thread
From: Julian Anastasov @ 2011-08-15 15:27 UTC (permalink / raw)
To: David Hill; +Cc: Florian Mickler, netdev, David Miller, bugzilla-daemon
Hello,
On Fri, 5 Aug 2011, David Hill wrote:
> Hello Julian,
>
> I'm not using TPROXY and I've used a blank firewall with only masquerading
> and reproduced the issue.
> Nothing is in NAT/mangle nor OUTPUT but the rules mentioned in the attached
> files to this bug.
>
> Francis Whittle (Comment #18) has the same issue.
>
> > Hello,
> >
> > On Thu, 4 Aug 2011, Florian Mickler wrote:
> >
> > > Can someone take a look at this regression?
> > >
> > > Begin forwarded message:
> > >
> > > Date: Thu, 28 Jul 2011 04:51:12 GMT
> > > From: bugzilla-daemon@bugzilla.kernel.org
> > > To: florian@mickler.org
> > > Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
> > > broken.
> > >
> > >
> > > https://bugzilla.kernel.org/show_bug.cgi?id=39132
> >
> > So, problem points again to
> > "Fix ip_route_me_harder triggering ip_rt_bug"? Maybe
> > David C. Hill or Florian can provide some information, e.g. is
> > tproxy used, what NAT rules are used, any rules in OUTPUT
> > hooks (NAT/mangle) and which packets are dropped.
Maybe it is a sequence of two problems. I now
checked the tcpdump log from Francis Whittle. The
"seq 352:1792" packet at 18:44:29.235154 that is not
SNAT-ed is long, can it be some PMTU event that triggers
ICMP response to the internal host? Because I see changes
in MSS. Maybe rc5 triggers ICMP FRAG NEEDED while rc6
does not. It can happen because:
1. ICMP uses non-local iph->saddr when XFRM is compiled,
reverse lookup fails with ENOENT but fl4->saddr is
already damaged with the original daddr (non-local).
Fix is here: http://marc.info/?t=131118984300003&r=1&w=2
2. The patched ip_route_me_harder between 3.0-rc5 and
3.0-rc6 expects that sockets always provide local address.
This is wrong for some cases such as TCP (uses different
SOCK_RAW socket for some packets and can cause problem
for tproxy), RAW (can use spoofed sources) and now the
ICMP code that incorrectly provides non-local address.
Fix is here: http://marc.info/?t=131274411600001&r=1&w=2
I hope (any of) these two fixes should solve the
masquerading problems. If that is not true, tcpdump from rc5
would be helpful for comparison.
Regards
--
Julian Anastasov <ja@ssi.bg>
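
The tcpdump checks discussed in this thread (packets that leave without SNAT, MSS changes, ICMP "frag needed") can be automated over a text capture. The following is an added example, not code from the thread or from any of its posters; it assumes `tcpdump -n` text output taken on the router's external interface, and the internal subnet and all addresses in the sample are constructed placeholders.

```python
import ipaddress
import re

# tcpdump -n text line: "<time> IP <src>[.port] > <dst>[.port]: <details>"
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
FRAG = re.compile(r"need to frag \(mtu (\d+)\)")
MSS = re.compile(r"\bmss (\d+)")
LENGTH = re.compile(r"length (\d+)")

def host(endpoint):
    """Return the IPv4 address of a tcpdump endpoint, dropping any .port suffix."""
    return ipaddress.ip_address(".".join(endpoint.split(".")[:4]))

def analyse(lines, internal_net):
    """Summarise a capture taken on the external side of a masquerading router."""
    net = ipaddress.ip_network(internal_net)
    report = {"unsnated": [], "frag_needed": [], "mss": []}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an IPv4 line in the expected format
        rest = m["rest"]
        frag = FRAG.search(rest)
        if frag:
            report["frag_needed"].append((m["ts"], int(frag.group(1))))
            continue
        mss = MSS.search(rest)
        if mss:
            report["mss"].append(int(mss.group(1)))
        src = host(m["src"])
        if src in net:
            # Internal source seen on the external side: SNAT was not applied.
            length = LENGTH.search(rest)
            size = int(length.group(1)) if length else None
            report["unsnated"].append((m["ts"], str(src), size))
    return report

# Constructed capture (RFC 1918 / RFC 5737 addresses, not taken from the bug report).
SAMPLE = """\
12:00:01.000100 IP 203.0.113.10.40000 > 198.51.100.5.80: Flags [S], seq 100, win 14600, options [mss 1460], length 0
12:00:01.020300 IP 198.51.100.5.80 > 203.0.113.10.40000: Flags [S.], seq 900, ack 101, win 14480, options [mss 1400], length 0
12:00:01.040500 IP 203.0.113.10.40000 > 198.51.100.5.80: Flags [P.], seq 1:352, ack 1, win 229, length 351
12:00:01.060700 IP 192.168.1.20.40000 > 198.51.100.5.80: Flags [P.], seq 352:1792, ack 1, win 229, length 1440
12:00:01.080900 IP 203.0.113.1 > 203.0.113.10: ICMP 198.51.100.5 unreachable - need to frag (mtu 1400), length 556
""".splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE, "192.168.1.0/24"))
```

Running the same function over captures from a working and a failing kernel gives a direct comparison of which packets escape translation and whether frag-needed messages appear.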