bugzilla-daemon@bugzilla.netfilter.org
2006-Apr-14 15:27 UTC
[Bug 471] New: UDP stream DNAT problem
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=471

Summary: UDP stream DNAT problem
Product: netfilter/iptables
Version: linux-2.6.x
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: NAT
AssignedTo: laforge@netfilter.org
ReportedBy: dmitry@trifle.net

Description:
~~~~~~~~~~~~
I've noticed that DNAT stops working after reloading the iptables modules or rebooting the machine.

[NetFlow_source]--->--->---[eth0, NAT_box, eth1]--->--->---[NetFlow_collector]

We have a NetFlow collector behind NAT. The NetFlow stream is generated by a Cisco and should be delivered to the collector.

The problem is in conntrack. Conntrack caches the UDP stream before the DNAT rule is added. After adding the DNAT rule, traffic does not pass through the DNAT rule; the rule counters are zero. Flushing the conntrack entries after the DNAT setup solves the problem.

Detailed network setup:
~~~~~~~~~~~~~~~~~~~~~~~
NAT_box: Tested on Debian or Gentoo, kernels 2.6.14 or 2.6.15 or 2.6.16.3. Kernels are gentoo-patched, debian-patched or vanilla.
eth0: 192.168.1.72/24
eth1: 10.0.1.1/24
netflow_source: 192.168.1.69/24
netflow_collector: 10.0.1.130/24

example tcpdump stream:
14:27:15.064935 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.161056 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.273498 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.370031 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.471035 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.571517 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.667976 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.771630 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.872698 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:15.974761 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64
14:27:16.073875 IP 192.168.1.69.11111 > 192.168.1.72.56789: UDP, length: 64

Note that both the src and dst ports do not change over time.

How to reproduce the bug:
~~~~~~~~~~~~~~~~~~~~~~~~~
1) reproduce the network setup.
2) use hping to emulate the netflow stream:
# hping -d 64 -2 -s 11111 -k -p 56789 -i u10000 192.168.1.72
3) start tcpdump on NAT_box and ensure you're receiving traffic
4) ensure no iptables/conntrack/nat relevant modules are loaded
5) modprobe ip_conntrack
6) ensure conntrack captured this stream:
# grep 192.168.1.69 /proc/net/ip_conntrack
udp 17 29 src=192.168.1.69 dst=192.168.1.72 sport=11111 dport=56789 packets=115 bytes=10580 [UNREPLIED] src=192.168.1.72 dst=192.168.1.69 sport=56789 dport=11111 packets=0 bytes=0 mark=0 use=1
7) NOT stopping hping, set up the DNAT rule:
# iptables -t nat -A PREROUTING -p udp -d 192.168.1.72 --dport 56789 -j DNAT --to 10.0.1.130
8) run tcpdump on eth1 and see no DNATed packets
9) run 'conntrack -F' or 'ifconfig eth0 down; sleep 60s; ifconfig eth0 up' or stop hping for a minute. The main idea is to make this flow expire in conntrack.
After this, traffic is DNATed successfully.

I'm not sure this is a NAT-related problem; probably it is more conntrack-related.
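As an added illustration of the recovery step in 9), not part of the report: instead of `conntrack -F`, which drops every tracked flow on the box, this script finds only the entries whose original tuple matches the new DNAT rule but whose reply tuple still carries the pre-NAT address (the mapping was fixed on the flow's first packet, before the rule existed) and deletes just those. It assumes the /proc/net/ip_conntrack line format quoted in step 6) and the `conntrack -D` filter options; the sample table is constructed.

```shell
# Constructed sample in the /proc/net/ip_conntrack format quoted in the report:
# line 1 is the stale flow from the report (reply src is still 192.168.1.72, no DNAT mapping),
# line 2 is a flow created after the rule (reply src is the DNAT target), line 3 is another port.
SAMPLE_CONNTRACK='udp      17 29 src=192.168.1.69 dst=192.168.1.72 sport=11111 dport=56789 packets=115 bytes=10580 [UNREPLIED] src=192.168.1.72 dst=192.168.1.69 sport=56789 dport=11111 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.168.1.70 dst=192.168.1.72 sport=22222 dport=56789 packets=3 bytes=276 [UNREPLIED] src=10.0.1.130 dst=192.168.1.70 sport=56789 dport=22222 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.168.1.69 dst=192.168.1.72 sport=11111 dport=53 packets=1 bytes=80 [UNREPLIED] src=192.168.1.72 dst=192.168.1.69 sport=53 dport=11111 packets=0 bytes=0 mark=0 use=1'

# stale_dnat_entries PROTO DST DPORT TARGET   (conntrack table on stdin)
# Prints "src sport" for each entry whose original tuple matches the DNAT rule but whose
# reply tuple still has the pre-NAT address: such a flow bypasses the rule until it expires.
stale_dnat_entries() {
    awk -v proto="$1" -v rdst="$2" -v rdport="$3" -v target="$4" '
        $1 == proto {
            n = 0
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # each tuple starts with src=; n==1 is the original direction, n==2 the reply
                if (kv[1] == "src")        { n++; src[n] = kv[2] }
                else if (kv[1] == "dst")   { dst[n] = kv[2] }
                else if (kv[1] == "sport") { sport[n] = kv[2] }
                else if (kv[1] == "dport") { dport[n] = kv[2] }
            }
            if (n == 2 && dst[1] == rdst && dport[1] == rdport && src[2] != target)
                print src[1], sport[1]
        }'
}

# flush_stale_dnat PROTO DST DPORT TARGET
# Deletes only the stale entries for this rule, so the next packet of each affected stream
# creates a fresh conntrack entry that is evaluated against the nat table. Needs root.
flush_stale_dnat() {
    stale_dnat_entries "$@" < /proc/net/ip_conntrack | while read -r s sp; do
        conntrack -D -p "$1" -s "$s" --sport "$sp" -d "$2" --dport "$3"
    done
}

# Dry run against the constructed sample; prints "192.168.1.69 11111" (only line 1 qualifies).
printf '%s\n' "$SAMPLE_CONNTRACK" | stale_dnat_entries udp 192.168.1.72 56789 10.0.1.130
```

On the NAT_box itself, `flush_stale_dnat udp 192.168.1.72 56789 10.0.1.130` right after adding the rule in step 7) replaces the `conntrack -F` from step 9).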