In kernel 2.6 and newer 2.4 kernels, iptables/netfilter masquerading will not work in some cases (some reported it works, others have problems like me). You will see a log entry like this: MASQUERADE: Route sent us somewhere else. See also https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=144 . There is also a patch included which worked for me (and obviously for other guys too), so we should think about applying it to (some) Gentoo kernels. This is the patch for kernel 2.4, tested on 2.4.23-aa1 on my side (not tested for 2.6 because of some other problems with 2.6 on my side): --- linux-masqorig/net/ipv4/netfilter/ipt_MASQUERADE.c Fri Nov 28 19:26:21 2003 +++ linux/net/ipv4/netfilter/ipt_MASQUERADE.c Thu Dec 11 15:14:04 2003 @@ -87,7 +87,7 @@ key.dst = (*pskb)->nh.iph->daddr; key.src = 0; /* Unknown: that's what we're trying to establish */ key.tos = RT_TOS((*pskb)->nh.iph->tos)|RTO_CONN; - key.oif = 0; + key.oif = out->ifindex; #ifdef CONFIG_IP_ROUTE_FWMARK key.fwmark = (*pskb)->nfmark; #endif
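Review bot: the change from `key.oif = 0` to `key.oif = out->ifindex` pins the route lookup to the device the packet is already leaving on, and that deserves a comment next to the assignment: with oif constrained, the lookup can no longer return a route through a different interface, so whatever comparison emits "MASQUERADE: Route sent us somewhere else" is satisfied for the interface part by construction rather than because the routing tables actually agree. The rest of the key (dst, src = 0, tos|RTO_CONN, fwmark) is unchanged, so a policy-routing rule that selects a table by source address still cannot be honoured here because src is unknown at this point; the patch description should say that this is a workaround for that limitation, not a fix of the route selection. Also note that `out->ifindex` is dereferenced without any check in the hunk, so the description should state that `out` is relied on being non-NULL in this hook.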
Which kernels and what kernel versions does this problem apply to? Anything with netfilter MASQUERADE? Or only specific versions? Thanks.
Well, I'm not sure which kernels are all affected, but I can say that all which I tested are affected: aa-sources-2.4.23-r1 and gentoo-dev-sources-2.6.0. So it most likely has something to do with iproute; every problem report I have seen depends on it. Well, it also seems that the problem started in 2.4.22, at least I've found reports and a patch for this version also. Before using the kernels above I've run 2.4.19 without any problem. You might also find some other people reporting it will stop after upgrading the kernel (for instance http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0465.html). So I guess any kernel above 2.4.21 (including 2.6.0) using advanced routing will be affected.
We can't do anything about aa-sources as that is upstream but we should be able to add this in to gentoo-dev-sources. If you find this problem on any more kernels, please tell us.
This has had a great deal of work surrounding it in 2.6; please test if possible and log a new bug if the situation still exists. Many thanks for your input.
Still - or again - valid for sys-kernel/gentoo-sources-2.4.28-r8 !
Is this now working in newer sources?
What do you mean by _newer_ sources? AFAIK sys-kernel/gentoo-sources-2.4.28-r8 is the newest for 2.4!? HTH, Jan
Sorry, just picking up on this bug now. Do you still experience similar problems with 2.6.30? (vanilla)
2.6.30? Did I miss a year or two :-). No, AFAIR 2.6.x is clean, it's just in 2.4.2x (and above). I've no experience with 2.4.30 (if that is what you mean, sorry).
Sorry, yes I do mean 2.4.30. Can you please test vanilla-2.4.30 and see if the problem occurs. If not, please try a 2.4.28 vanilla so that we can isolate it to gentoo-sources-2.4 or the vanilla tree. Once that's been verified, I can look into the problem you experience. I assume you don't get any kind of output to dmesg.
Closing.