On Sun, Aug 07, 2005 at 06:44:15PM +0200, Harald Welte wrote:
> On Sun, Aug 07, 2005 at 05:18:06PM +0200, Harald Welte wrote:
> > Hi Dave!
> >
> > The following trivial patch was confirmed to solve the problem. Patrick
> > also has no objections, so please apply this to mainline.
>
> Please hold it back for another minute. I'm still puzzled by this
> problem. I can neither reproduce it nor understand how the code could
> end up in a state where it would try to do NAT on untracked connections.
>
> Vladimir: Can you please send me the output of "iptables -t raw -L -vn"
Well, that's pretty complex. See below.

> are you sure the locally-generated ICMP errors in OUTPUT are matched by
> your NOTRACK rules?

Yes, I am sure, here is a simple test:

  /sbin/iptables -t raw -I PREROUTING -s 172.16.16.10 -d 172.16.0.12 -j NOTRACK
  /sbin/iptables -t raw -I PREROUTING -d 172.16.16.10 -s 172.16.0.12 -j NOTRACK
  /sbin/iptables -t raw -I OUTPUT -s 172.16.16.1 -d 172.16.16.10 -j NOTRACK

And after a tracepath test we got:

Chain PREROUTING (policy ACCEPT 3225878 packets, 3033381627 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   576 NOTRACK    all  --  *      *       172.16.0.12          172.16.16.10
    3  4480 NOTRACK    all  --  *      *       172.16.16.10         172.16.0.12

Chain OUTPUT (policy ACCEPT 29774 packets, 9700003 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2  1152 NOTRACK    all  --  *      *       172.16.16.1          172.16.16.10

All is working as expected. Even when I delete the rule from the OUTPUT chain,
it continues to work:

Chain PREROUTING (policy ACCEPT 6206384 packets, 5804528324 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2  1152 NOTRACK    all  --  *      *       172.16.0.12          172.16.16.10
    6  8960 NOTRACK    all  --  *      *       172.16.16.10         172.16.0.12

The real setup is more complex. 172.16.0.0/16 and 10.0.0.0/8 are local prefixes.
172.16.0.13 is a special address, an exception from the NOTRACK rules, to allow
it to serve for NAT from some external network.
=== START
Chain PREROUTING (policy ACCEPT 8491590 packets, 7917955822 bytes)
    pkts     bytes target           prot opt in       out     source               destination
  752775 692879468 ppp_masq         all  --  *        *       0.0.0.0/0            0.0.0.0/0
  752724 692828020 notrack_localif  all  --  *        *       0.0.0.0/0            0.0.0.0/0
  752691 692801984 notrack_src      all  --  *        *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 74664 packets, 26857077 bytes)
    pkts     bytes target           prot opt in       out     source               destination
    5908   1903792 notrack_src      all  --  *        *       0.0.0.0/0            0.0.0.0/0

Chain notrack_dst (2 references)
    pkts     bytes target           prot opt in       out     source               destination
  421071 276130730 NOTRACK          all  --  *        *       0.0.0.0/0            172.16.0.0/16
  320827 410642431 NOTRACK          all  --  *        *       0.0.0.0/0            10.0.0.0/8

Chain notrack_localif (1 references)
    pkts     bytes target           prot opt in       out     source               destination
       0         0 NOTRACK          all  --  eth4     *       0.0.0.0/0            0.0.0.0/0
       0         0 NOTRACK          all  --  eth5     *       0.0.0.0/0            0.0.0.0/0
       0         0 NOTRACK          all  --  lh       *       0.0.0.0/0            0.0.0.0/0
       6       284 NOTRACK          all  --  eth3     *       0.0.0.0/0            0.0.0.0/0
    2147   2540914 NOTRACK          all  --  vlan0170 *       0.0.0.0/0            0.0.0.0/0
   31304  30137873 NOTRACK          all  --  eth2     *       0.0.0.0/0            0.0.0.0/0
  144676 137777944 NOTRACK          all  --  vlan0172 *       0.0.0.0/0            0.0.0.0/0
  266468 363612812 NOTRACK          all  --  vlan0173 *       0.0.0.0/0            0.0.0.0/0
    8803   2774738 NOTRACK          all  --  eth1     *       0.0.0.0/0            0.0.0.0/0
       0         0 NOTRACK          all  --  vlan0181 *       0.0.0.0/0            0.0.0.0/0
   50455  26026196 NOTRACK          all  --  vlan0175 *       0.0.0.0/0            0.0.0.0/0
  232416 122431248 NOTRACK          all  --  vlan0176 *       0.0.0.0/0            0.0.0.0/0
       0         0 NOTRACK          all  --  fdsnet   *       0.0.0.0/0            0.0.0.0/0
       0         0 NOTRACK          all  --  voip     *       0.0.0.0/0            0.0.0.0/0

Chain notrack_src (2 references)
    pkts     bytes target           prot opt in       out     source               destination
  509677 564485901 notrack_dst      all  --  *        *       172.16.0.0/16        0.0.0.0/0
  232436 122433732 notrack_dst      all  --  *        *       10.0.0.0/8           0.0.0.0/0

Chain ppp_masq (1 references)
    pkts     bytes target           prot opt in       out     source               destination
       0         0 ACCEPT           all  --  *        *       0.0.0.0/0            172.16.0.13
=== STOP

I just reloaded the ruleset, so counters are somewhat low.

~ :wq
With best regards, Vladimir Savkin.
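The raw-table traversal implied by the listing above (built-in chain jumping into notrack_src, then notrack_dst, with the ACCEPT in ppp_masq ending raw traversal so that 172.16.0.13 stays tracked and can be NATed) can be checked offline. The following is an added example, not code from the thread: the rule table is transcribed from Vladimir's listing with counters dropped, and the verdict semantics are standard iptables behaviour (NOTRACK, ACCEPT and DROP end traversal of the raw table; a user chain with no terminal match returns to its caller).

```python
import ipaddress
# Constructed from the "iptables -t raw -L -vn" listing in the thread,
# reduced to (target, in_iface, src, dst); "*" = any interface.
RAW_TABLE = {
    "PREROUTING": [("ppp_masq", "*", "0.0.0.0/0", "0.0.0.0/0"),
                   ("notrack_localif", "*", "0.0.0.0/0", "0.0.0.0/0"),
                   ("notrack_src", "*", "0.0.0.0/0", "0.0.0.0/0")],
    "OUTPUT": [("notrack_src", "*", "0.0.0.0/0", "0.0.0.0/0")],
    "ppp_masq": [("ACCEPT", "*", "0.0.0.0/0", "172.16.0.13")],
    "notrack_localif": [("NOTRACK", i, "0.0.0.0/0", "0.0.0.0/0") for i in (
        "eth4", "eth5", "lh", "eth3", "vlan0170", "eth2", "vlan0172",
        "vlan0173", "eth1", "vlan0181", "vlan0175", "vlan0176", "fdsnet", "voip")],
    "notrack_src": [("notrack_dst", "*", "172.16.0.0/16", "0.0.0.0/0"),
                    ("notrack_dst", "*", "10.0.0.0/8", "0.0.0.0/0")],
    "notrack_dst": [("NOTRACK", "*", "0.0.0.0/0", "172.16.0.0/16"),
                    ("NOTRACK", "*", "0.0.0.0/0", "10.0.0.0/8")],
}

# Verdicts that stop traversal of the raw table. ACCEPT here means "stop, but
# stay tracked": the packet still reaches conntrack and therefore NAT.
TERMINAL = {"ACCEPT", "NOTRACK", "DROP"}

def _matches(rule, in_if, src, dst):
    _target, r_if, r_src, r_dst = rule
    return ((r_if == "*" or r_if == in_if)
            and src in ipaddress.ip_network(r_src)
            and dst in ipaddress.ip_network(r_dst))

def walk(table, chain, in_if, src, dst):
    """Return the terminating verdict for a packet entering `chain`, or None
    when the chain falls through to its policy. A jump into a user chain
    returns here when nothing terminal matched there (implicit RETURN)."""
    for rule in table[chain]:
        if not _matches(rule, in_if, src, dst):
            continue
        target = rule[0]
        if target in TERMINAL:
            return target
        verdict = walk(table, target, in_if, src, dst)  # user-defined chain
        if verdict is not None:
            return verdict
    return None

def is_untracked(chain, in_if, src, dst):
    """True when the raw table marks the flow NOTRACK, i.e. conntrack and NAT
    are skipped. `chain` is "PREROUTING" (inbound) or "OUTPUT" (local)."""
    verdict = walk(RAW_TABLE, chain, in_if,
                   ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return verdict == "NOTRACK"
```

Running is_untracked("OUTPUT", "", "172.16.16.1", "172.16.16.10") reproduces the locally generated case from the simple test (NOTRACK via notrack_src and notrack_dst), while a packet to 172.16.0.13 from any interface hits ppp_masq's ACCEPT first and remains tracked.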