* Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
From: Florian Mickler @ 2011-08-04 17:31 UTC
To: netdev; +Cc: David Miller

Can someone take a look at this regression?

Begin forwarded message:

Date: Thu, 28 Jul 2011 04:51:12 GMT
From: bugzilla-daemon@bugzilla.kernel.org
To: florian@mickler.org
Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.

https://bugzilla.kernel.org/show_bug.cgi?id=39132

Francis Whittle <FJ.Whittle@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |FJ.Whittle@gmail.com

--- Comment #18 from Francis Whittle <FJ.Whittle@gmail.com> 2011-07-28 04:50:56 ---
Similar story here, bug is still present in v3.0

* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
From: Julian Anastasov @ 2011-08-04 18:38 UTC
To: Florian Mickler; +Cc: hilld, netdev, David Miller

Hello,

On Thu, 4 Aug 2011, Florian Mickler wrote:

> Can someone take a look at this regression?
>
> Begin forwarded message:
>
> Date: Thu, 28 Jul 2011 04:51:12 GMT
> From: bugzilla-daemon@bugzilla.kernel.org
> To: florian@mickler.org
> Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
> broken.
>
>
> https://bugzilla.kernel.org/show_bug.cgi?id=39132

So, problem points again to
"Fix ip_route_me_harder triggering ip_rt_bug" ? Maybe
David C. Hill or Florian can provide some information, eg. is
tproxy used, what NAT rules are used, any rules in OUTPUT
hooks (NAT/mangle) and which packets are dropped.

Regards

--
Julian Anastasov <ja@ssi.bg>

* Re: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
From: Florian Mickler @ 2011-08-04 19:12 UTC
To: Julian Anastasov; +Cc: hilld, netdev, David Miller, bugzilla-daemon

On Thu, 4 Aug 2011 21:38:48 +0300 (EEST)
Julian Anastasov <ja@ssi.bg> wrote:

>
> Hello,
>
> On Thu, 4 Aug 2011, Florian Mickler wrote:
>
> > Can someone take a look at this regression?
> >
> > Begin forwarded message:
> >
> > Date: Thu, 28 Jul 2011 04:51:12 GMT
> > From: bugzilla-daemon@bugzilla.kernel.org
> > To: florian@mickler.org
> > Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
> > broken.
> >
> >
> > https://bugzilla.kernel.org/show_bug.cgi?id=39132
>
> So, problem points again to
> "Fix ip_route_me_harder triggering ip_rt_bug" ? Maybe
> David C. Hill or Florian can provide some information, eg. is
> tproxy used, what NAT rules are used, any rules in OUTPUT
> hooks (NAT/mangle) and which packets are dropped.
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>

That would have to come from David C. Hill, since I'm not
experiencing this bug.

Regards,
Flo

p.s.: I added the bugzilla daemon to the cc in the hope that this mail
will land as a comment in there.

* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
From: David Hill @ 2011-08-05 4:09 UTC
To: Julian Anastasov, Florian Mickler; +Cc: netdev, David Miller

Hello Julian,

I'm not using TPROXY and I've used a blank firewall with only masquerading
and reproduced the issue.
Nothing is in NAT/mangle nor OUTPUT but the rules mentioned in the attached
files to this bug.

Francis Whittle (Comment #18) has the same issue.

Thank you,

Dave

----- Original Message -----
From: "Julian Anastasov" <ja@ssi.bg>
To: "Florian Mickler" <florian@mickler.org>
Cc: <hilld@binarystorm.net>; <netdev@vger.kernel.org>; "David Miller" <davem@davemloft.net>
Sent: Thursday, August 04, 2011 2:38 PM
Subject: Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.

>
> Hello,
>
> On Thu, 4 Aug 2011, Florian Mickler wrote:
>
>> Can someone take a look at this regression?
>>
>> Begin forwarded message:
>>
>> Date: Thu, 28 Jul 2011 04:51:12 GMT
>> From: bugzilla-daemon@bugzilla.kernel.org
>> To: florian@mickler.org
>> Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
>> broken.
>>
>>
>> https://bugzilla.kernel.org/show_bug.cgi?id=39132
>
> So, problem points again to
> "Fix ip_route_me_harder triggering ip_rt_bug" ? Maybe
> David C. Hill or Florian can provide some information, eg. is
> tproxy used, what NAT rules are used, any rules in OUTPUT
> hooks (NAT/mangle) and which packets are dropped.
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>

* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
From: Julian Anastasov @ 2011-08-05 15:16 UTC
To: David Hill; +Cc: Florian Mickler, netdev, David Miller, bugzilla-daemon

Hello,

On Fri, 5 Aug 2011, David Hill wrote:

> I'm not using TPROXY and I've used a blank firewall with only masquerading
> and reproduced the issue.
> Nothing is in NAT/mangle nor OUTPUT but the rules mentioned in the attached
> files to this bug.
>
> Francis Whittle (Comment #18) has the same issue.

I compiled 3.0 kernel, added one -j MASQUERADE and
tried TCP connection - it works. I'm not sure ip_route_me_harder
is called for masqueraded traffic, usually it is called from
LOCAL_OUT handlers or to send TCP RST (-j REJECT) via LOCAL_OUT,
not for forwarded traffic.

Can you show lines of tcpdump output with addresses
and ports, so that I can understand what kind of traffic is
dropped, is it initial forwarded packet or its response,
is it problem with some ICMP packets, I assume there is
no problem with locally generated traffic.

Can you show output from:

# grep . /proc/sys/net/ipv4/conf/*/rp_filter
# grep . /proc/sys/net/ipv4/conf/*/send_redirects

If it works with -rc5 it should not be rp_filter,
for NAT, problem can be with ICMP redirects or something else.
Can you tell us if the internal and external devices are
same or maybe many.

Regards

--
Julian Anastasov <ja@ssi.bg>

* Re: Fw: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be broken.
From: Julian Anastasov @ 2011-08-15 15:27 UTC
To: David Hill; +Cc: Florian Mickler, netdev, David Miller, bugzilla-daemon

Hello,

On Fri, 5 Aug 2011, David Hill wrote:

> Hello Julian,
>
> I'm not using TPROXY and I've used a blank firewall with only masquerading
> and reproduced the issue.
> Nothing is in NAT/mangle nor OUTPUT but the rules mentioned in the attached
> files to this bug.
>
> Francis Whittle (Comment #18) has the same issue.
>
> > Hello,
> >
> > On Thu, 4 Aug 2011, Florian Mickler wrote:
> >
> > > Can someone take a look at this regression?
> > >
> > > Begin forwarded message:
> > >
> > > Date: Thu, 28 Jul 2011 04:51:12 GMT
> > > From: bugzilla-daemon@bugzilla.kernel.org
> > > To: florian@mickler.org
> > > Subject: [Bug 39132] Starting with 3.0.0-rc6, masquerading seems to be
> > > broken.
> > >
> > >
> > > https://bugzilla.kernel.org/show_bug.cgi?id=39132
> >
> > So, problem points again to
> > "Fix ip_route_me_harder triggering ip_rt_bug" ? Maybe
> > David C. Hill or Florian can provide some information, eg. is
> > tproxy used, what NAT rules are used, any rules in OUTPUT
> > hooks (NAT/mangle) and which packets are dropped.

Maybe it is a sequence of two problems. I now checked
the tcpdump log from Francis Whittle. The "seq 352:1792" packet
at 18:44:29.235154 that is not SNAT-ed is long, can it be
some PMTU event that triggers ICMP response to the internal
host? Because I see changes in MSS. Maybe rc5 triggers
ICMP FRAG NEEDED while rc6 does not. It can happen because:

1. ICMP uses non-local iph->saddr when XFRM is compiled,
reverse lookup fails with ENOENT but fl4->saddr is already
damaged with the original daddr (non-local). Fix is here:

http://marc.info/?t=131118984300003&r=1&w=2

2. The patched ip_route_me_harder between 3.0-rc5 and
3.0-rc6 expects that sockets always provide local address.
This is wrong for some cases such as TCP (uses different
SOCK_RAW socket for some packets and can cause problem for
tproxy), RAW (can use spoofed sources) and now the ICMP
code that incorrectly provides non-local address. Fix is here:

http://marc.info/?t=131274411600001&r=1&w=2

I hope (any of) these two fixes should solve the
masquerading problems. If that is not true, tcpdump from rc5
would be helpful for comparison.

Regards

--
Julian Anastasov <ja@ssi.bg>

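The check discussed in the thread (spotting packets that leave the external interface without being SNAT-ed, and any ICMP "need to frag" PMTU messages near them), sketched as an added example that is not part of the thread or written by any of its posters. The internal prefix, all addresses and the capture lines are constructed assumptions in `tcpdump -n` text format, not the log attached to the bug.

```python
import ipaddress
import re

# Assumption: the masqueraded LAN prefix (not stated in the thread).
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")

# Constructed `tcpdump -n` lines as they would appear on the external interface.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 198.51.100.7.40112 > 203.0.113.5.80: Flags [S], seq 100, win 14600, options [mss 1460], length 0
12:00:01.020300 IP 203.0.113.5.80 > 198.51.100.7.40112: Flags [S.], seq 900, ack 101, win 14480, options [mss 1452], length 0
12:00:01.040500 IP 198.51.100.7.40112 > 203.0.113.5.80: Flags [P.], seq 1:352, ack 1, win 229, length 351
12:00:01.060700 IP 192.168.0.20.40112 > 203.0.113.5.80: Flags [P.], seq 352:1792, ack 1, win 229, length 1440
12:00:01.080900 IP 203.0.113.1 > 198.51.100.7: ICMP 203.0.113.5 unreachable - need to frag (mtu 1452), length 556
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")


def split_host(endpoint):
    """Split tcpdump's 'a.b.c.d.port' (or a bare 'a.b.c.d') into (ip, port)."""
    parts = endpoint.split(".")
    ip = ipaddress.ip_address(".".join(parts[:4]))
    port = int(parts[4]) if len(parts) > 4 else None
    return ip, port


def find_unnatted(capture, internal_net=INTERNAL_NET):
    """Return packets whose source is still an internal (un-NATed) address."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 packet line
        src_ip, src_port = split_host(m["src"])
        if src_ip in internal_net:
            lm = re.search(r"length (\d+)", m["rest"])
            leaks.append({"ts": m["ts"], "src": str(src_ip), "port": src_port,
                          "length": int(lm.group(1)) if lm else 0})
    return leaks


def find_frag_needed(capture):
    """Return timestamps of ICMP 'need to frag' (PMTU discovery) messages."""
    return [l.split()[0] for l in capture.splitlines() if "need to frag" in l]
```

Running both functions over captures from a working and a failing kernel shows whether the packets that escape translation line up with PMTU events.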