bugzilla-daemon at netfilter.org
2018-Feb-15 13:52 UTC
[Bug 1227] New: Current conntrack state isn't considered when evaluating multiple SNAT rules
https://bugzilla.netfilter.org/show_bug.cgi?id=1227
Bug ID: 1227
Summary: Current conntrack state isn't considered when evaluating multiple SNAT rules
Product: netfilter/iptables
Version: unspecified
Hardware: All
OS: other
Status: NEW
Severity: enhancement
Priority: P5
Component: NAT
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: richard at helix.net.nz
If multiple SNAT rules exist with specific sport ranges, only the first
matching entry is evaluated even when the sport range is exhausted.
Example:
root@LEDE:~# iptables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 127 packets, 8757 bytes)
 pkts bytes target            prot opt in     out        source               destination
 3618  215K postrouting_rule  all  --  *      *          0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
    9   616 SNAT              icmp --  *      map-mapt0  0.0.0.0/0            0.0.0.0/0            /* !fw3: ubus:mapt0[map] nat 0 */ to:2.127.254.0:1088-1151
 2661  139K SNAT              tcp  --  *      map-mapt0  0.0.0.0/0            0.0.0.0/0            /* !fw3: ubus:mapt0[map] nat 1 */ to:2.127.254.0:1088-1151
  821 66973 SNAT              udp  --  *      map-mapt0  0.0.0.0/0            0.0.0.0/0            /* !fw3: ubus:mapt0[map] nat 2 */ to:2.127.254.0:1088-1151
    0     0 SNAT              icmp --  *      map-mapt0  0.0.0.0/0            0.0.0.0/0            /* !fw3: ubus:mapt0[map] nat 3 */ to:2.127.254.0:2112-2175
    0     0 SNAT              tcp  --  *      map-mapt0  0.0.0.0/0            0.0.0.0/0            /* !fw3: ubus:mapt0[map] nat 4 */ to:2.127.254.0:2112-2175
    0     0 SNAT              udp  --  *      map-mapt0  0.0.0.0/0            0.0.0.0/0            /* !fw3: ubus:mapt0[map] nat 5 */ to:2.127.254.0:2112-2175
    0     0 SNAT              icmp --  *      map-mapt0  0.0.0.0/0            0.0.0.0/0            /* !fw3: ubus:mapt0[map] nat 6 */ to:2.127.254.0:3136-3199
    0     0 SNAT              tcp  --  *      map-mapt0  0.0.0.0/0            0.0.0.0/0            /* !fw3: ubus:mapt0[map] nat 7 */ to:2.127.254.0:3136-3199
    0     0 SNAT              udp  --  *      map-mapt0  0.0.0.0/0            0.0.0.0/0            /* !fw3: ubus:mapt0[map] nat 8 */ to:2.127.254.0:3136-3199
For some additional context, when implementing RFC7597 or RFC7599, the
netfilter device may only have permission to use a subset of an IPv4
address's 65535 ports.
The ports that this particular device is allowed to use may also be carved up
into multiple non-contiguous blocks, as per the above example.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180215/26c69fd8/attachment.html>
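As an added illustration (not part of the bug report or of netfilter), the following Python reproduces the port blocks in the listing with the RFC 7597 Appendix B port-mapping algorithm and then models the two SNAT evaluation behaviours the report contrasts: stopping at the first matching rule versus falling through to the next range once a block's ports are all held by conntrack entries. The PSID, offset and PSID-length values (1, 6, 4) are assumptions chosen because they reproduce the blocks 1088-1151, 2112-2175, 3136-3199 shown above.

```python
# Added example, not code from the bug report or from netfilter.

def map_port_blocks(psid, a=6, k=4):
    """Return the (first, last) port ranges a MAP CE may use for one PSID.

    RFC 7597 Appendix B: port = A << (16 - a) | PSID << m | M, with m = 16 - a - k.
    A = 0 is skipped so the system ports 0-1023 are never assigned.
    psid=1, a=6, k=4 are assumed values that yield the blocks in the listing.
    """
    m = 16 - a - k
    blocks = []
    for A in range(1, 2 ** a):
        first = (A << (16 - a)) | (psid << m)
        blocks.append((first, first + 2 ** m - 1))
    return blocks


class SnatChain:
    """Toy model of a chain of SNAT rules, each with its own source-port range."""

    def __init__(self, blocks, fall_through):
        self.blocks = blocks            # rule i translates to port range blocks[i]
        self.fall_through = fall_through
        self.used = set()               # ports currently held by conntrack entries

    def allocate(self):
        """Pick a free source port for a new flow; None means NAT failed."""
        # Reported behaviour: only the first matching rule's range is tried.
        candidates = self.blocks if self.fall_through else self.blocks[:1]
        for first, last in candidates:
            for port in range(first, last + 1):
                if port not in self.used:
                    self.used.add(port)
                    return port
        return None


def exhaust_first_block(fall_through):
    """Open 65 flows: the first 64 fill 1088-1151; return the 65th flow's port."""
    chain = SnatChain(map_port_blocks(psid=1)[:3], fall_through)
    for _ in range(64):
        chain.allocate()
    return chain.allocate()
```

With first-match-only evaluation the 65th flow gets no port even though 2112-2175 is completely free; with fall-through it receives 2112.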
bugzilla-daemon at netfilter.org
2018-Feb-18 12:44 UTC
[Bug 1227] Current conntrack state isn't considered when evaluating multiple SNAT rules
https://bugzilla.netfilter.org/show_bug.cgi?id=1227
--- Comment #1 from richard at helix.net.nz ---
Apparently this functionality was removed in 2.6.11-rc1:
"In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
bugzilla-daemon at netfilter.org
2018-Jul-01 17:00 UTC
[Bug 1227] Current conntrack state isn't considered when evaluating multiple SNAT rules
https://bugzilla.netfilter.org/show_bug.cgi?id=1227
richard at helix.net.nz changed:

           What    |Removed      |Added
----------------------------------------------------------------------------
        Severity   |enhancement  |normal
        Priority   |P5           |P4