Re: Upstream bug 39132 - Starting with 3.0.0-rc6, masquerading seems to be broken.
On Sun, Aug 21, 2011 at 06:42:13PM -0500, Troy Davis wrote:
> -A POSTROUTING -s 192.168.0.64/26 -o eth1 -m multiport -p udp --dport 53,123 -j MASQUERADE
> -A POSTROUTING -s 192.168.0.64/26 -o eth1 -m multiport -p tcp --dport 22,80,119,443 -j MASQUERADE

This config allows packets with private addresses to escape to eth1. Fix it.

Bastian

-- 
She won' go Warp 7, Cap'n! The batteries are dead!

-- 
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110822122009.gb29...@wavehammer.waldi.eu.org
Re: Upstream bug 39132 - Starting with 3.0.0-rc6, masquerading seems to be broken.
> > -A POSTROUTING -s 192.168.0.64/26 -o eth1 -m multiport -p udp --dport 53,123 -j MASQUERADE
> > -A POSTROUTING -s 192.168.0.64/26 -o eth1 -m multiport -p tcp --dport 22,80,119,443 -j MASQUERADE
>
> This config allows packets with private addresses to escape to eth1. Fix it.

Granted. However, please note the rule immediately before the two you quoted and the source address of the packets in the tcpdump output.

I did not do more fact-gathering because I had to get my immediate problem solved right away. Other hosts on the network had the same problem described in the upstream thread. Rebooting the 3.0 kernel solved the problem temporarily, and reverting to 2.6.39 stopped it completely.

Someone else in the upstream thread with the same problem has since reported that it's fixed with the mentioned patches. I'm new to this--am I correct in assuming that that means the fix in the kernel that ships with Debian will come from upstream eventually?

-- 
Troy

Archive: http://lists.debian.org/capwawvidgbz18qnrypkzbwe8wxbuessxtfrxxzhspj17gcg...@mail.gmail.com
Re: Upstream bug 39132 - Starting with 3.0.0-rc6, masquerading seems to be broken.
David, I think we need this in 3.0-stable:

commit 797fd3913abf2f7036003ab8d3d019cbea41affd
Author: Julian Anastasov j...@ssi.bg
Date:   Sun Aug 7 09:11:00 2011 +

    netfilter: TCP and raw fix for ip_route_me_harder

(Discussed in https://bugzilla.kernel.org/show_bug.cgi?id=39132 and http://lists.debian.org/debian-kernel/2011/08/msg00692.html.)

Ben.
Re: Upstream bug 39132 - Starting with 3.0.0-rc6, masquerading seems to be broken.
From: Ben Hutchings b...@decadent.org.uk
Date: Mon, 22 Aug 2011 16:08:00 +0100

> David, I think we need this in 3.0-stable:

The change is already in -stable as it went into 3.0-final.

If anything this might suggest that the fix in question is the cause of this bug, since the commit went in right after 3.0-rc4.

Try git describe ed6e4ef836d425bc35e33bf20fcec95e68203afa

Archive: http://lists.debian.org/20110822.132724.1739248018859692265.da...@davemloft.net
Re: Upstream bug 39132 - Starting with 3.0.0-rc6, masquerading seems to be broken.
On Mon, Aug 22, 2011 at 01:27:24PM -0700, David Miller wrote:
> From: Ben Hutchings b...@decadent.org.uk
> Date: Mon, 22 Aug 2011 16:08:00 +0100
>
> > David, I think we need this in 3.0-stable:
>
> The change is already in -stable as it went into 3.0-final.
>
> If anything this might suggest that the fix in question is the cause of this bug, since the commit went in right after 3.0-rc4.
>
> Try git describe ed6e4ef836d425bc35e33bf20fcec95e68203afa

I get all that, but I am talking about the later commit 797fd3913abf2f7036003ab8d3d019cbea41affd.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking. - Albert Camus

Archive: http://lists.debian.org/20110822214413.gd29...@decadent.org.uk
Re: Upstream bug 39132 - Starting with 3.0.0-rc6, masquerading seems to be broken.
From: Ben Hutchings b...@decadent.org.uk
Date: Mon, 22 Aug 2011 22:44:14 +0100

> On Mon, Aug 22, 2011 at 01:27:24PM -0700, David Miller wrote:
> > From: Ben Hutchings b...@decadent.org.uk
> > Date: Mon, 22 Aug 2011 16:08:00 +0100
> >
> > > David, I think we need this in 3.0-stable:
> >
> > The change is already in -stable as it went into 3.0-final.
> >
> > If anything this might suggest that the fix in question is the cause of this bug, since the commit went in right after 3.0-rc4.
> >
> > Try git describe ed6e4ef836d425bc35e33bf20fcec95e68203afa
>
> I get all that, but I am talking about the later commit 797fd3913abf2f7036003ab8d3d019cbea41affd.

Aha, now I see. I've queued that one up, thanks.

Archive: http://lists.debian.org/20110822.144719.1165059828122994387.da...@davemloft.net
Upstream bug 39132 - Starting with 3.0.0-rc6, masquerading seems to be broken.
There is a bug in NAT masquerading that is recognized upstream: https://bugzilla.kernel.org/show_bug.cgi?id=39132

I am able to repeat the above problem in the 3.0 kernel included in Debian testing (linux-image-3.0.0-1-686-pae, 3.0.0-1). I have reverted to linux-image-2.6.39-2-686-pae (2.6.39-3) for the time being. I am certain that the problem started after rebooting into the 3.0 kernel for the first time a few days ago (previous uptime was 150+ days). The last message in the thread above, posted just a week ago, suggests two possible patches to fix.

Here's a demonstration of the problem. This doesn't happen immediately upon boot; it takes some time before the behavior below manifests.

tiferet:~# tcpdump -i eth1 -s0 -A net 192.168.0.0/24 and port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:08:27.459237 IP 192.168.0.64.52142 > vw-in-f99.1e100.net.www: Flags [F.], seq 1655428276, ack 2135287895, win 64350, length 0
E..(@.~z...@J}qc...PbE.WP..^
16:08:37.057666 IP 192.168.0.64.52142 > vw-in-f99.1e100.net.www: Flags [R.], seq 1, ack 1, win 0, length 0
E..(@.~S...@J}qc...PbE.WP..

The above is me using a desktop on the LAN to try to hit Google. It sure looks to me like packets with private addresses were being sent out the public-facing interface.

tiferet:~# /sbin/ifconfig | grep -a1 ^e
eth0      Link encap:Ethernet  HWaddr [omitted]
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
--
eth1      Link encap:Ethernet  HWaddr [omitted]
          inet addr:75.66.[xx.xx]  Bcast:255.255.255.255  Mask:255.255.255.0

My iptables rules that control masquerading haven't changed in many months.

-A POSTROUTING -s 192.168.0.32/27 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.64 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.64/26 -o eth1 -m multiport -p udp --dport 53,123 -j MASQUERADE
-A POSTROUTING -s 192.168.0.64/26 -o eth1 -m multiport -p tcp --dport 22,80,119,443 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -p icmp -m icmp --icmp-type 8 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j LOG

-- 
Troy

Archive: http://lists.debian.org/CAPwAwVhrgdvZO-d6_=x5ucD+nOdBtGa0XNAM=wmgn3lebx_...@mail.gmail.com
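The exchange between Bastian and Troy turns on which POSTROUTING rule a given LAN packet hits first. As an added illustration (not code from the thread or from the kernel), the following Python walks Troy's chain in iptables order: it shows that the tcpdump packet from 192.168.0.64 to tcp/80 is covered by the single-host rule Troy points to, and it also reports which other LAN flows the ruleset genuinely lets out of eth1 unmasqueraded (they reach only the non-terminating LOG rule). The sample flows are constructed.

```python
import ipaddress

# Ruleset constructed from the POSTROUTING rules Troy posted in the thread.
# All of them carry "-o eth1", so this models a packet already routed out eth1.
# iptables evaluates rules top to bottom; MASQUERADE terminates, LOG does not.
RULES = [
    {"src": "192.168.0.32/27", "proto": None,   "dports": None,               "target": "MASQUERADE"},
    {"src": "192.168.0.64",    "proto": None,   "dports": None,               "target": "MASQUERADE"},
    {"src": "192.168.0.64/26", "proto": "udp",  "dports": {53, 123},          "target": "MASQUERADE"},
    {"src": "192.168.0.64/26", "proto": "tcp",  "dports": {22, 80, 119, 443}, "target": "MASQUERADE"},
    {"src": "192.168.0.0/24",  "proto": "icmp", "dports": {8},                "target": "MASQUERADE"},
    {"src": "192.168.0.0/24",  "proto": None,   "dports": None,               "target": "LOG"},
]

def rule_matches(rule, src, proto, dport):
    """True if the rule's -s, -p and --dport (or --icmp-type) selectors all match."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
        return False
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["dports"] is not None and dport not in rule["dports"]:
        return False
    return True

def postrouting(src, proto, dport):
    """Walk the chain; return (rule index, target) of the terminating match,
    or (None, None) if the packet falls off the end of the chain untouched."""
    for idx, rule in enumerate(RULES):
        if rule_matches(rule, src, proto, dport):
            if rule["target"] == "LOG":   # LOG only records; traversal continues
                continue
            return idx, rule["target"]
    return None, None

def escapes_unmasqueraded(src, proto, dport):
    """A LAN packet that is not masqueraded leaves eth1 with its private
    source address, which is the exposure Bastian objected to."""
    return postrouting(src, proto, dport)[1] != "MASQUERADE"

if __name__ == "__main__":
    # Constructed sample flows; the first is the one seen in Troy's tcpdump.
    flows = [("192.168.0.64", "tcp", 80), ("192.168.0.70", "tcp", 25),
             ("192.168.0.40", "tcp", 25), ("192.168.0.200", "icmp", 0)]
    for src, proto, dport in flows:
        idx, target = postrouting(src, proto, dport)
        print(f"{src} {proto}/{dport}: rule={idx} target={target} "
              f"escapes={escapes_unmasqueraded(src, proto, dport)}")
```

Flows that print escapes=True are the ones a reviewer of this ruleset would want to either masquerade or drop on eth1; the tcpdump packet itself prints escapes=False, so its leak is not explained by rule order.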