From: Andrew Morton <akpm@linux-foundation.org>
To: netdev@vger.kernel.org
Cc: bugme-daemon@bugzilla.kernel.org, berni@birkenwald.de
Subject: Re: [Bugme-new] [Bug 12954] New: SAMEIP --nodst functionality gone missing
Date: Tue, 7 Apr 2009 14:35:09 -0700
Message-ID: <20090407143509.05ab3b28.akpm@linux-foundation.org>
In-Reply-To: <bug-12954-10286@http.bugzilla.kernel.org/>
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
"massive issues"!
On Fri, 27 Mar 2009 16:48:06 GMT
bugzilla-daemon@bugzilla.kernel.org wrote:
> http://bugzilla.kernel.org/show_bug.cgi?id=12954
>
> Summary: SAMEIP --nodst functionality gone missing
> Product: Networking
> Version: 2.5
> Kernel Version: 2.6.25+
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Netfilter/Iptables
> AssignedTo: networking_netfilter-iptables@kernel-bugs.osdl.org
> ReportedBy: berni@birkenwald.de
> Regression: Yes
>
>
> This was already briefly discussed on the netfilter mailing list, but did not
> spark much response there. However, I think this issue is a pretty obvious
> regression over old kernel versions and might hit quite a few people once the
> newer kernels get deployed into large NAT setups.
>
> Back in the days of 2.6.18 there was the SAME target which allowed, with the
> option '--nodst' to SNAT internal hosts to the same address of a whole SNAT
> range regardless of the destination address.
>
> In cb76c6a597350534d211ba79d92da1f9771f8226 the SAME target was removed from
> the kernel sources due to being obsolete, since the same functionality was now
> in nf_nat. Shortly after that, in a discussion, Patrick McHardy proposed a patch to
> mimic the behaviour of SAME with --nodst in nf_nat by dropping the destination
> IP from the jhash. The patch was dropped shortly after because it apparently
> showed some uneven distribution.
>
> The whole thread can be read at
> http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/23275/focus=27670
>
> This thread went dead, I tried to revive it but did not get an answer. We're
> getting hit by this regression because we are currently NATing some thousand IP
> addresses (student dorms) to an external /28. It works fine with our old
> 2.6.18+SAME setup, but tests with 2.6.25+SNAT showed massive issues with
> connections from the same internal address to different destinations getting
> NATed to different addresses in the pool. Which breaks, for example, ICQ quite
> badly.
>
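The mechanism the report describes is worth seeing concretely: nf_nat picks a source address out of the SNAT range by hashing the flow's source and destination addresses, so one internal host talking to several destinations can land on several pool addresses, while SAME --nodst hashed the source alone and so always gave a host the same pool address. The following is an added example, not code from the kernel tree or from the bug reporter. It models the two policies with a Jenkins-style jhash_2words/jhash_1word reimplemented here from the classic lookup2 mix, and the selection rule "minip + hash % poolsize" is a simplification of nf_nat's range selection. The /28 pool 198.51.100.16-31, the internal host 10.1.2.3 and the 203.0.113.0/24 destinations are constructed inputs chosen to mirror the reporter's setup (thousands of dorm hosts NATed to a /28).

```c
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from four octets. */
#define IP4(a, b, c, d) \
    ((((uint32_t)(a)) << 24) | (((uint32_t)(b)) << 16) | \
     (((uint32_t)(c)) << 8) | ((uint32_t)(d)))

/* Jenkins lookup2-style mix in the shape of the 2.6-era jhash_2words/jhash_1word.
 * Reimplemented for this example; not copied from the kernel tree. */
#define JHASH_GOLDEN_RATIO 0x9e3779b9u
#define JHASH_MIX(a, b, c) do {                      \
    a -= b; a -= c; a ^= (c >> 13);                  \
    b -= c; b -= a; b ^= (a << 8);                   \
    c -= a; c -= b; c ^= (b >> 13);                  \
    a -= b; a -= c; a ^= (c >> 12);                  \
    b -= c; b -= a; b ^= (a << 16);                  \
    c -= a; c -= b; c ^= (b >> 5);                   \
    a -= b; a -= c; a ^= (c >> 3);                   \
    b -= c; b -= a; b ^= (a << 10);                  \
    c -= a; c -= b; c ^= (b >> 15);                  \
} while (0)

static uint32_t jhash_3words(uint32_t a, uint32_t b, uint32_t c, uint32_t initval)
{
    a += JHASH_GOLDEN_RATIO;
    b += JHASH_GOLDEN_RATIO;
    c += initval;
    JHASH_MIX(a, b, c);
    return c;
}

static uint32_t jhash_2words(uint32_t a, uint32_t b, uint32_t initval)
{
    return jhash_3words(a, b, 0, initval);
}

static uint32_t jhash_1word(uint32_t a, uint32_t initval)
{
    return jhash_3words(a, 0, 0, initval);
}

/* Pick the SNAT source address for a flow from the pool [minip, maxip].
 * nodst == 0: hash (src, dst), the SNAT behaviour the report complains about.
 * nodst != 0: hash src only, the SAME --nodst behaviour.
 * "minip + hash % poolsize" is a simplification of nf_nat's range selection. */
uint32_t pick_snat_addr(uint32_t src, uint32_t dst,
                        uint32_t minip, uint32_t maxip, int nodst)
{
    uint32_t h = nodst ? jhash_1word(src, 0) : jhash_2words(src, dst, 0);
    return minip + h % (maxip - minip + 1);
}

/* Count how many distinct pool addresses one internal host is mapped to
 * when it talks to ndst consecutive destinations. Pool size must be <= 256. */
int distinct_pool_addrs(uint32_t src, uint32_t dst_base, int ndst,
                        uint32_t minip, uint32_t maxip, int nodst)
{
    uint8_t used[256] = {0};
    int distinct = 0;
    for (int i = 0; i < ndst; i++) {
        uint32_t a = pick_snat_addr(src, dst_base + (uint32_t)i, minip, maxip, nodst);
        uint32_t idx = a - minip;
        if (idx < 256 && !used[idx]) { used[idx] = 1; distinct++; }
    }
    return distinct;
}

static void print_ip(uint32_t ip)
{
    printf("%u.%u.%u.%u", ip >> 24, (ip >> 16) & 255, (ip >> 8) & 255, ip & 255);
}

int main(void)
{
    /* Constructed inputs: a /28 pool, one dorm host, a few destinations. */
    const uint32_t minip = IP4(198, 51, 100, 16), maxip = IP4(198, 51, 100, 31);
    const uint32_t host = IP4(10, 1, 2, 3);
    const uint32_t dsts[] = { IP4(203, 0, 113, 1), IP4(203, 0, 113, 2), IP4(203, 0, 113, 3) };

    for (int nodst = 0; nodst <= 1; nodst++) {
        printf("%s:\n", nodst ? "hash(src) only (SAME --nodst)" : "hash(src, dst) (SNAT)");
        for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++) {
            printf("  10.1.2.3 -> "); print_ip(dsts[i]);
            printf("  SNAT to "); print_ip(pick_snat_addr(host, dsts[i], minip, maxip, nodst));
            printf("\n");
        }
        printf("  distinct pool addresses over 256 destinations: %d\n",
               distinct_pool_addrs(host, IP4(203, 0, 113, 0), 256, minip, maxip, nodst));
    }
    return 0;
}
```

With the destination folded into the hash, the same internal host is spread over several of the sixteen pool addresses as it talks to different peers, which is exactly what breaks protocols such as ICQ that expect one client to keep one public address. With the source alone hashed, the host is pinned to a single pool address for every destination; the trade-off the original thread argued about is that this weaker input can distribute hosts over the pool less evenly.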
Thread overview: 9+ messages
[not found] <bug-12954-10286@http.bugzilla.kernel.org/>
2009-04-07 21:35 ` Andrew Morton [this message]
2009-04-08 8:03 ` [Bugme-new] [Bug 12954] New: SAMEIP --nodst functionality gone missing Martin Josefsson
2009-04-08 15:32 ` Patrick McHardy
2009-04-15 11:53 ` Patrick McHardy
2009-04-15 12:10 ` Jan Engelhardt
2009-04-15 12:13 ` Patrick McHardy
2009-04-15 12:21 ` Jan Engelhardt
2009-04-15 12:35 ` Patrick McHardy
2009-04-17 16:16 ` Patrick McHardy