[pve-devel] pvefw: masquerade problems and conntrack zones
Dietmar Maurer
dietmar at proxmox.com
Mon Mar 10 11:36:33 CET 2014
> > post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j
> > CT --zone
> > 1 # why do we need this?
> > post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j
> > CT -- zone 1 # why do we need this?
> > post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j
> > MASQUERADE >> apply on default zone 0
> >
> >
> > so, that should mean that apply -j MASQUERADE don't apply on vmbr1
> > with zone 1
>
> Sure, but why is that required? Are there negative side effects? Any ideas? I
> have not found any documentation.
My guess is that POSTROUTING chain gets called to early (because bridge filter is enabled). Using:
auto pm1
iface pm1 inet static
address 10.10.10.1
netmask 255.255.255.0
VETH_BRIDGETO vmbr1
##disabled# post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1
##disabled# post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -j LOG --log-prefix "MASQTEST: "
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
post-down iptables -t nat -F POSTROUTING
post-down iptables -t raw -F PREROUTING
A simple ping results in this log:
Mar 10 11:26:17 lola kernel: [259296.464749] MASQTEST: IN= OUT=vmbr1 PHYSIN=tap116i0 PHYSOUT=pm1peer SRC=10.10.10.3 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5645 SEQ=1 MARK=0x1
Note: "-o pm0 -j MASQUERADE" does not trigger at all!
If I enable zones I get:
Mar 10 11:25:34 lola kernel: [259254.043987] MASQTEST: IN= OUT=vmbr1 PHYSIN=tap116i0 PHYSOUT=pm1peer SRC=10.10.10.3 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5639 SEQ=1 MARK=0x1
Mar 10 11:25:34 lola kernel: [259254.044020] MASQTEST: IN= OUT=pm0 SRC=10.10.10.3 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5639 SEQ=1
So it seem that now the POSTROUTING chain gets called twice. The second call has the correct output interface.
I am a bit scared, because the whole thing is not documented. Are there other projects using such setup?
More information about the pve-devel
mailing list