
Upstream bug 39132 - Starting with 3.0.0-rc6, masquerading seems to be broken.



There is a bug in NAT masquerading that is recognized upstream:

https://bugzilla.kernel.org/show_bug.cgi?id=39132

I am able to repeat the above problem in the 3.0 kernel included in
Debian testing (linux-image-3.0.0-1-686-pae, 3.0.0-1).  I have
reverted to linux-image-2.6.39-2-686-pae (2.6.39-3) for the time
being.  I am certain that the problem started after rebooting into the
3.0 kernel for the first time a few days ago (previous uptime was 150+
days).  The last message in the thread above, posted just a week ago,
suggests two possible patches to fix.

Here's a demonstration of the problem.  This doesn't happen
immediately upon boot; it takes some time before the behavior below
manifests.

tiferet:~# tcpdump -i eth1 -s0 -A net 192.168.0.0/24 and port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:08:27.459237 IP 192.168.0.64.52142 > vw-in-f99.1e100.net.www: Flags [F.], seq 1655428276, ack 2135287895, win 64350, length 0
E..(@.....~z...@J}qc...Pb....E.WP..^....
16:08:37.057666 IP 192.168.0.64.52142 > vw-in-f99.1e100.net.www: Flags [R.], seq 1, ack 1, win 0, length 0
E..(@.....~S...@J}qc...Pb....E.WP......

The above is me using a desktop on the LAN to try to hit Google.  It
sure looks to me like packets with private addresses were being sent
out the public-facing interface.

tiferet:~# /sbin/ifconfig | grep -a1 ^e
eth0      Link encap:Ethernet  HWaddr [omitted]
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
--

eth1      Link encap:Ethernet  HWaddr [omitted]
          inet addr:75.66.[xx.xx] Bcast:255.255.255.255  Mask:255.255.255.0

My iptables rules that control masquerading haven't changed in many months.

-A POSTROUTING -s 192.168.0.32/27 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.64 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.64/26 -o eth1 -m multiport -p udp --dport 53,123 -j MASQUERADE
-A POSTROUTING -s 192.168.0.64/26 -o eth1 -m multiport -p tcp --dport 22,80,119,443 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -p icmp -m icmp --icmp-type 8 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j LOG

-- 
Troy
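A check for the symptom shown in the capture above, added here as example code that is not from the report or from the upstream bug: it parses tcpdump summary lines captured on the public-facing interface and lists packets whose source is still an RFC 1918 address, i.e. packets MASQUERADE should have rewritten. The sample capture is constructed from the two lines in the post plus one correctly NATed packet using a TEST-NET-3 source address.

```python
import ipaddress
import re

# RFC 1918 ranges only; ipaddress.is_private would also flag documentation
# ranges such as 203.0.113.0/24, which is not what we want here.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump summary line: "HH:MM:SS.frac IP src.port > dst.port: Flags ..."
_TCPDUMP_IP_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+):")

# Constructed sample: the two leaked packets from the post plus one packet
# whose source was properly rewritten (TEST-NET-3 stands in for the WAN address).
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
16:08:27.459237 IP 192.168.0.64.52142 > vw-in-f99.1e100.net.www: Flags [F.], seq 1655428276, ack 2135287895, win 64350, length 0
E..(@.....~z...@J}qc...Pb....E.WP..^....
16:08:37.057666 IP 192.168.0.64.52142 > vw-in-f99.1e100.net.www: Flags [R.], seq 1, ack 1, win 0, length 0
E..(@.....~S...@J}qc...Pb....E.WP......
16:08:40.000000 IP 203.0.113.5.40000 > vw-in-f99.1e100.net.www: Flags [S], seq 1, win 64350, length 0
"""


def _split_host_port(endpoint):
    """Split tcpdump's 'host.port' into (host, port); port may be a service name."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def _as_ipv4(host):
    """Return an IPv4Address for dotted quads, None for resolved hostnames."""
    try:
        return ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return None


def find_unmasqueraded(capture_text):
    """Return (timestamp, src_ip, src_port, dst) for every packet in a capture
    taken on the WAN interface whose source address is still RFC 1918."""
    leaks = []
    for line in capture_text.splitlines():
        m = _TCPDUMP_IP_RE.match(line)
        if not m:
            continue  # banner lines and -A payload dumps are skipped
        src_host, src_port = _split_host_port(m.group("src"))
        src_ip = _as_ipv4(src_host)
        if src_ip is not None and any(src_ip in net for net in RFC1918):
            leaks.append((m.group("ts"), str(src_ip), src_port, m.group("dst")))
    return leaks


if __name__ == "__main__":
    for leak in find_unmasqueraded(SAMPLE_CAPTURE):
        print("unmasqueraded packet on WAN: ts=%s src=%s:%s dst=%s" % leak)
```

Feed it `tcpdump -i eth1 -n -l` output (`-n` keeps sources as addresses) to watch for the leak after the box has been up for a while.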

