This was already briefly discussed on the netfilter mailinglist, but did not spark much response there. However I think this issue is a pretty obvious regression over old kernel versions and might hit quite a few people once the newer kernels get deployed into large NAT setups. Back in the days of 2.6.18 there was the SAME target which allowed, with the option '--nodst' to SNAT internal hosts to the same address of a whole SNAT range regardless of the destination address. In cb76c6a597350534d211ba79d92da1f9771f8226 the SAME target was removed from the kernel sources due to being obsolete, since the same functionality was now in nf_nat. Shortly after that a discussion Patrick McHardy proposed a patch to mimic the behaviour of SAME with --nodst in nf_nat by dropping the destination IP from the jhash. The patch was dropped shortly after because it apparently showed some uneven distribution. The whole thread can be read at http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/23275/focus=27670 . This thread went dead, I tried to revive it but did not get an answer. We're getting hit by this regression because we are currently NATing some thousand IP addresses (student dorms) to an external /28. It works fine with our old 2.6.18+SAME setup, but tests with 2.6.25+SNAT showed massive issues with connections from the same internal address to different destinations getting NATed to different addresses in the pool. Which breaks, for example, ICQ quite badly.
(switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface). "massive issues"! On Fri, 27 Mar 2009 16:48:06 GMT bugzilla-daemon@bugzilla.kernel.org wrote: > http://bugzilla.kernel.org/show_bug.cgi?id=12954 > > Summary: SAMEIP --nodst functionality gone missing > Product: Networking > Version: 2.5 > Kernel Version: 2.6.25+ > Platform: All > OS/Version: Linux > Tree: Mainline > Status: NEW > Severity: normal > Priority: P1 > Component: Netfilter/Iptables > AssignedTo: networking_netfilter-iptables@kernel-bugs.osdl.org > ReportedBy: berni@birkenwald.de > Regression: Yes > > > This was already briefly discussed on the netfilter mailinglist, but did not > spark much response there. However I think this issue is a pretty obvious > regression over old kernel versions and might hit quite a few people once the > newer kernels get deployed into large NAT setups. > > Back in the days of 2.6.18 there was the SAME target which allowed, with the > option '--nodst' to SNAT internal hosts to the same address of a whole SNAT > range regardless of the destination address. > > In cb76c6a597350534d211ba79d92da1f9771f8226 the SAME target was removed from > the kernel sources due to being obsolete, since the same functionality was > now > in nf_nat. Shortly after that a discussion Patrick McHardy proposed a patch > to > mimic the behaviour of SAME with --nodst in nf_nat by dropping the > destination > IP from the jhash. The patch was dropped shortly after because it apparently > showed some uneven distribution. > > The whole thread can be read at > > http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/23275/focus=27670 > . > > This thread went dead, I tried to revive it but did not get an answer. We're > getting hit by this regression because we are currently NATing some thousand > IP > addresses (student dorms) to an external /28. It works fine with our old > 2.6.18+SAME setup, but tests with 2.6.25+SNAT showed massive issues with > connections from the same internal address to different destinations getting > NATed to different addresses in the pool. Which breaks, for example, ICQ > quite > badly. >
Reply-To: gandalf@mjufs.se On Tue, 7 Apr 2009, Andrew Morton wrote: >> Back in the days of 2.6.18 there was the SAME target which allowed, with the >> option '--nodst' to SNAT internal hosts to the same address of a whole SNAT >> range regardless of the destination address. >> >> In cb76c6a597350534d211ba79d92da1f9771f8226 the SAME target was removed from >> the kernel sources due to being obsolete, since the same functionality was >> now >> in nf_nat. Shortly after that a discussion Patrick McHardy proposed a patch >> to >> mimic the behaviour of SAME with --nodst in nf_nat by dropping the >> destination >> IP from the jhash. The patch was dropped shortly after because it apparently >> showed some uneven distribution. >> >> The whole thread can be read at >> >> http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/23275/focus=27670 >> . >> >> This thread went dead, I tried to revive it but did not get an answer. We're >> getting hit by this regression because we are currently NATing some thousand >> IP >> addresses (student dorms) to an external /28. It works fine with our old >> 2.6.18+SAME setup, but tests with 2.6.25+SNAT showed massive issues with >> connections from the same internal address to different destinations getting >> NATed to different addresses in the pool. Which breaks, for example, ICQ >> quite >> badly. Problems like these were the reason why I wrote the SAME target in the first place. I NAT'ed a few hundred students behind a small range of ipaddresses and with normal SNAT they had extreme problems with ICQ and online banking sites which require you to have the same source ip even if you move between servers (diffrent destinations) etc. After I wrote SAME I didn't get a single complaint. One bonus feature that many students really liked was that they always had the same external ipaddress as long as they had the same internal ipaddress and the external range of ipaddresses remained the same. This feature isn't as important as having the same source ip for all current sessions when using online banking services etc. I didn't think anyone was still using SAME... guess I was wrong. The uneven distribution of the patch in question can't be worse than the SAME distributions which, iirc, just does something like: first_ip_in_snat_range + (client_ip % num_ips_in_snat_range) And given many clients behind the SNAT the distribution should be quite even. Patrick, how about making the ipaddress selection based on only client ipaddress behaviour selectable with an SNAT parameter if the problem with the patch is that the distribution can be uneven for a small number of clients? /Martin
bugzilla-daemon@bugzilla.kernel.org wrote: > http://bugzilla.kernel.org/show_bug.cgi?id=12954 > The uneven distribution of the patch in question can't be worse than the > SAME distributions which, iirc, just does something like: > > first_ip_in_snat_range + (client_ip % num_ips_in_snat_range) > > And given many clients behind the SNAT the distribution should be quite > even. > > > Patrick, how about making the ipaddress selection based on only client > ipaddress behaviour selectable with an SNAT parameter if the problem with > the patch is that the distribution can be uneven for a small number of > clients? Actually I think the results back then were incorrect or it was just bad luck or something. Ideally we would just enable this unconditionally I think. I'll do some testing of the distribution myself during the next days and see how it goes.
[Resend to mailing list, I didn't notice this had left bugzilla] Martin Josefsson wrote: > Patrick, how about making the ipaddress selection based on only client > ipaddress behaviour selectable with an SNAT parameter if the problem > with the patch is that the distribution can be uneven for a small number > of clients? Actually I think the results back then were incorrect or it was just bad luck or something. Ideally we would just enable this unconditionally I think. I'll do some testing of the distribution myself during the next days and see how it goes.
Patrick McHardy wrote: > [Resend to mailing list, I didn't notice this had left bugzilla] > > Martin Josefsson wrote: >> Patrick, how about making the ipaddress selection based on only client >> ipaddress behaviour selectable with an SNAT parameter if the problem >> with the patch is that the distribution can be uneven for a small >> number of clients? > > Actually I think the results back then were incorrect or it was > just bad luck or something. Ideally we would just enable this > unconditionally I think. I'll do some testing of the distribution > myself during the next days and see how it goes. The distribution did suffer noticably in some cases, so offering this optionally seems better. How about this patch? If the IP_NAT_RANGE_PERSISTENT flag is set on a NAT range, we ignore the destination address in the selection.
Reply-To: jengelh@medozas.de On Wednesday 2009-04-15 13:53, Patrick McHardy wrote: > Patrick McHardy wrote: >> [Resend to mailing list, I didn't notice this had left bugzilla] >> >> Martin Josefsson wrote: >>> Patrick, how about making the ipaddress selection based on only client >>> ipaddress behaviour selectable with an SNAT parameter if the problem with >>> the >>> patch is that the distribution can be uneven for a small number of clients? >> >> Actually I think the results back then were incorrect or it was >> just bad luck or something. Ideally we would just enable this >> unconditionally I think. I'll do some testing of the distribution >> myself during the next days and see how it goes. > > The distribution did suffer noticably in some cases, so offering > this optionally seems better. > > How about this patch? If the IP_NAT_RANGE_PERSISTENT flag is set > on a NAT range, we ignore the destination address in the selection. But where do you set IP_NAT_RANGE_PERSISTENT? (It seems like a dead feature right now.)
Jan Engelhardt wrote: > On Wednesday 2009-04-15 13:53, Patrick McHardy wrote: > >> How about this patch? If the IP_NAT_RANGE_PERSISTENT flag is set >> on a NAT range, we ignore the destination address in the selection. >> > > But where do you set IP_NAT_RANGE_PERSISTENT? (It seems like a dead > feature right now.) > In userspace of course :)
Reply-To: jengelh@medozas.de On Wednesday 2009-04-15 14:13, Patrick McHardy wrote: >Jan Engelhardt wrote: >> On Wednesday 2009-04-15 13:53, Patrick McHardy wrote: >> >>> How about this patch? If the IP_NAT_RANGE_PERSISTENT flag is set >>> on a NAT range, we ignore the destination address in the selection. >> >> But where do you set IP_NAT_RANGE_PERSISTENT? (It seems like a dead >> feature right now.) > >In userspace of course :) Ah I hear the crisp sound of an upcoming iptables 1.4.4.
Jan Engelhardt wrote: > On Wednesday 2009-04-15 14:13, Patrick McHardy wrote: >> Jan Engelhardt wrote: >>> On Wednesday 2009-04-15 13:53, Patrick McHardy wrote: >>> >>>> How about this patch? If the IP_NAT_RANGE_PERSISTENT flag is set >>>> on a NAT range, we ignore the destination address in the selection. >>> But where do you set IP_NAT_RANGE_PERSISTENT? (It seems like a dead >>> feature right now.) >> In userspace of course :) > > Ah I hear the crisp sound of an upcoming iptables 1.4.4. In a while :) This is the corresponding userspace patch:
Patrick McHardy wrote: > This is the corresponding userspace patch: > I've just commited the patch to the iptables git tree. The kernel patch is on its way upstream.