[pve-devel] pvefw: masquerade problems and conntrack zones

Alexandre DERUMIER aderumier at odiso.com
Mon Mar 10 15:32:54 CET 2014


also, as MASQUERADE alternative, maybe it could work better with SNAT ? (using ip of output device, instead physdev)


iptables -t nat -A POSTROUTING -s 10.10.10.0/24  -j SNAT -to-source X.X.X.X(replace by ip of the output device)



----- Mail original ----- 

De: "Alexandre DERUMIER" <aderumier at odiso.com> 
À: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Lundi 10 Mars 2014 14:56:55 
Objet: Re: [pve-devel] pvefw: masquerade problems and conntrack zones 

just found this, not sure it's related: 

http://www.spinics.net/lists/netfilter-devel/msg13554.html 

"2.6.34 introduced 'conntrack zones' to deal with cases where packets 
from multiple identical networks are handled by conntrack/NAT. Packets 
are looped through veth devices, during which they are NATed to private 
addresses, after which they can continue normally through the stack 
and possibly have NAT rules applied a second time." 

This works well, but is needlessly complicated for cases where only 
a single SNAT/DNAT mapping needs to be applied to these packets. In that 
case, all that needs to be done is to assign each network to a seperate 
zone and perform NAT as usual. However this doesn't work for packets 
destined for the machine performing NAT itself since its corrently not 
possible to configure SNAT mappings for the LOCAL_IN chain. 



----- Mail original ----- 

De: "Alexandre DERUMIER" <aderumier at odiso.com> 
À: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Lundi 10 Mars 2014 14:50:50 
Objet: Re: [pve-devel] pvefw: masquerade problems and conntrack zones 

>>Oh, I have a second bridge configured as: 

oh,ok. 

so, it seem that 

>>iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -j LOG --log-prefix "MASQTEST: " 

show, that packet with source 10.10.10.0/24 in POSTROUTING, is tested against each output interface (maybe interfaces with ip adress configured)? 

>>Mar 10 11:25:34 lola kernel: [259254.043987] MASQTEST: IN= OUT=vmbr1 PHYSIN=tap116i0 PHYSOUT=pm1peer SRC=10.10.10.3 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5639 SEQ=1 >>MARK=0x1 
>>Mar 10 11:25:34 lola kernel: [259254.044020] MASQTEST: IN= OUT=pm0 SRC=10.10.10.3 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5639 SEQ=1 

then 

>> post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE 

is doing his job, to nat only on pm0 


now, I don't known for the --zone 1 ..... 
(So it doesn't work on 2.6.32 without --zone 1 ?) 




----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Lundi 10 Mars 2014 12:36:39 
Objet: RE: pvefw: masquerade problems and conntrack zones 

> >>So it seem that now the POSTROUTING chain gets called twice. The second 
> call has the correct output interface. 
> 
> what is pm0 vs pm1peer ? 

Oh, I have a second bridge configured as: 

auto vmbr0 
iface vmbr0 inet manual 
bridge_ports bond0 
bridge_stp off 
bridge_fd 0 

auto pm0 
iface pm0 inet static 
... 
VETH_BRIDGETO vmbr0 


My ifupdown.sh helper script creates a veth interface with: 

ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1 

same for pm1 

> 
> 
> >>I am a bit scared, because the whole thing is not documented. Are there 
> other projects using such setup? 
> afaik, openstack and cloudstack managed only bridged firewall, I don't have 
> see nat implementation.(I'll check that today) 
> 
> ----- Mail original ----- 
> 
> De: "Dietmar Maurer" <dietmar at proxmox.com> 
> À: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" 
> <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com 
> Envoyé: Lundi 10 Mars 2014 11:36:33 
> Objet: RE: pvefw: masquerade problems and conntrack zones 
> 
> > > post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j 
> > > CT --zone 
> > > 1 # why do we need this? 
> > > post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j 
> > > CT -- zone 1 # why do we need this? 
> > > post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j 
> > > MASQUERADE >> apply on default zone 0 
> > > 
> > > 
> > > so, that should mean that apply -j MASQUERADE don't apply on vmbr1 
> > > with zone 1 
> > 
> > Sure, but why is that required? Are there negative side effects? Any 
> > ideas? I have not found any documentation. 
> 
> My guess is that POSTROUTING chain gets called to early (because bridge 
> filter is enabled). Using: 
> 
> auto pm1 
> iface pm1 inet static 
> address 10.10.10.1 
> netmask 255.255.255.0 
> VETH_BRIDGETO vmbr1 
> ##disabled# post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i 
> vmbr1 -j CT --zone 1 ##disabled# post-up iptables -t raw -A PREROUTING -d 
> '10.10.10.0/24' -i vmbr1 -j CT --zone 1 post-up iptables -t nat -A 
> POSTROUTING -s '10.10.10.0/24' -j LOG --log-prefix "MASQTEST: " 
> post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j 
> MASQUERADE post-down iptables -t nat -F POSTROUTING post-down 
> iptables -t raw -F PREROUTING 
> 
> A simple ping results in this log: 
> 
> Mar 10 11:26:17 lola kernel: [259296.464749] MASQTEST: IN= OUT=vmbr1 
> PHYSIN=tap116i0 PHYSOUT=pm1peer SRC=10.10.10.3 DST=8.8.8.8 LEN=84 
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5645 
> SEQ=1 MARK=0x1 
> 
> Note: "-o pm0 -j MASQUERADE" does not trigger at all! 
> 
> If I enable zones I get: 
> 
> Mar 10 11:25:34 lola kernel: [259254.043987] MASQTEST: IN= OUT=vmbr1 
> PHYSIN=tap116i0 PHYSOUT=pm1peer SRC=10.10.10.3 DST=8.8.8.8 LEN=84 
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5639 
> SEQ=1 MARK=0x1 Mar 10 11:25:34 lola kernel: [259254.044020] MASQTEST: 
> IN= OUT=pm0 SRC=10.10.10.3 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 
> TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5639 SEQ=1 
> 
> So it seem that now the POSTROUTING chain gets called twice. The second 
> call has the correct output interface. 
> 
> I am a bit scared, because the whole thing is not documented. Are there 
> other projects using such setup? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 



More information about the pve-devel mailing list