bugzilla-daemon@bugzilla.netfilter.org
2006-May-11 16:00 UTC
[Bug 473] New: 2.6.16.x translates addresses of RELATED packets incorrectly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=473
Summary: 2.6.16.x translates addresses of RELATED packets
incorrectly
Product: netfilter/iptables
Version: linux-2.6.x
Platform: i386
OS/Version: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P2
Component: NAT
AssignedTo: laforge@netfilter.org
ReportedBy: tomasz.lemiech@matrix.pl
Consider the following simple scenario (all subnets are /24):
host1 <------> router/firewall <------> host2
10.0.0.1 10.0.0.2/192.168.91.222 192.168.91.202
Both host1 and host2 have default routes via router box. Let's do some pure
routing (ie. no netfilter rules):
host1:~# tcptraceroute 192.168.91.202 223
Tracing the path to 192.168.91.202 on TCP port 223, 30 hops max
1 10.0.0.2 0.404 ms 0.166 ms 0.141 ms
2 192.168.91.202 [closed] 0.436 ms 0.376 ms 0.322 ms
Now let's add some NAT on router/fw:
root@router:~# iptables -t nat -A PREROUTING -p tcp -d 192.168.91.202 --dport
223 -j DNAT --to-destination 192.168.91.202:224
The traceroute output is quite different now:
host1:~# tcptraceroute 192.168.91.202 223
Selected device eth1, address 10.0.0.1, port 51146 for outgoing packets
Tracing the path to 192.168.91.202 on TCP port 223, 30 hops max
1 192.168.91.202 0.416 ms 0.161 ms 0.140 ms
2 192.168.91.202 [closed] 0.423 ms 0.340 ms 0.331 ms
Indeed, ICMP packets generated by router got their source address translated to
the address of host2 - tcpdumping on host1 gives:
14:21:40.188036 IP (tos 0x0, ttl 1, id 11043, offset 0, flags [none], length:
40) 10.0.0.1.47825 > 192.168.91.202.223: S [tcp sum ok]
1355768057:1355768057(0)
win 0
14:21:40.188258 IP (tos 0xc0, ttl 64, id 28403, offset 0, flags [none], length:
68) 192.168.91.202 > 10.0.0.1: icmp 48: time exceeded in-transit
14:21:40.189829 IP (tos 0x0, ttl 2, id 60378, offset 0, flags [none], length:
40) 10.0.0.1.47825 > 192.168.91.202.223: S [tcp sum ok]
1355768057:1355768057(0)
win 0
14:21:40.190233 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], length: 40)
192.168.91.202.223 > 10.0.0.1.47825: R [tcp sum ok] 0:0(0) ack 1355768058 win
0
This is fully reproducible on vanilla 2.6.16.14. I also checked 2.6.15.4 and
2.6.14.3 - they work as expected (ie. tcptraceroute output is the same in both
cases).
Kernel config files are available at http://szpajder.w.staszic.waw.pl/netfilter/
--
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
Maybe Matching Threads
Wisdom of the Ancients
