Hello,

On Fri, 22 Mar 2002, Thomas Vander Stichele wrote:

> > They are independent from the routing stuff.
>
> Ok, just out of curiosity, should I reread the docs to find out what they

:)

> do help for ? It was not really clear to me on the first couple of reads.
> OK, I'll read them again. But basically you're saying it's NOT because
> the X port forwarding opens up a second connection ? Am I wrong in my
> assumption about how ssh X port forwarding works, or is this not an issue
> here ?

No, there are issues where packets from one connection can use different
paths and that causes problems on NAT.

> > May be, to summarize, the rule is: "the plain kernel
> > _only seems_ to work correctly for setups with NAT and multipath
> > routes".
>
> So you're saying it looks like it works right, but it doesn't ? Hm, ok.
> So are the times when it doesn't work totally random, or is there some
> logic in it ?

Nothing is random :) The problem comes when the cached route entry
expires (/proc/sys/net/ipv4/route/gc_timeout) or the cache is flushed as
a result of a user command such as adding/deleting an IP address or
flushing the routes explicitly with "ip route cache flush". The result
is clear: the routing cache forgets the path and the NAT code does not
care.

> > You should apply the patches if you expect the router
> > correctly to NAT the packets when using multipath route. I hope
> > the ssh problem will disappear because there the multipath scheduler
> > selects new route only for the first packet in each connection,
> > the established connections are considered bound to the masquerade
> > address for which usually we don't have multipath route.
>
> Meanwhile, I recompiled my kernel with the patches and at first glance I
> get the same behaviour. I will look into it some more tomorrow when I'm
> back at work. What I wanted to ask re: masquerading is, if I add an
> iptables rule to do masquerading without specifying a device, is that ok ?
> or should I have one for each device specifically ?

If you use the SNAT target then you must have one for each device. The
MASQUERADE target inherits the masquerade address from the resolved
route, so specifying the output device is optional.

> The nano doc says that for fixed IP addresses you need an SNAT rule, while
> for PPPoE devices you need MASQUERADE. Which should I be using for a DHCP
> device ?

Not a must. The only differences between MASQUERADE and SNAT are:

- SNAT specifies the masquerade address, MASQUERADE uses the preferred
  src ip from the route

- For MASQUERADE all masquerade connections are removed on a device down
  event (sometimes useful, sometimes not)

So, nothing can stop you from using MASQUERADE for static IPs or SNAT
for dynamic IPs, it depends when you create the NAT rules.

> > > from browsing through the archive that, for this basic functionality, it's
> > > not necessary. I will of course apply these patches later on to have
> > > gateway failure detection, but my question is if applying these patches
> > > now or not will have any effect on my current setup.
> >
> > I hope there will be an effect
>
> On first inspection, no. Is there some way I can debug incoming packets ?
> What else can I give as feedback ?

You have to be able to analyze with tcpdump what is going on.

> Thomas

Regards

--
Julian Anastasov <ja@ssi.bg>
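As an added example (not part of this message, nor of the kernel patches it discusses), the shell functions below emit the iptables and iproute2 commands for the two configurations contrasted above: one SNAT rule per output device, each carrying its own address, versus a single MASQUERADE rule with no device named, on a router whose default route is a multipath route over two uplinks. It also emits the commands that reproduce the failure mode described in the reply (flush the routing cache, then ask "ip route get" which nexthop a destination now resolves to) and a tcpdump capture per uplink to see which device and source address a connection actually leaves on. The interface names, gateway addresses and NAT source addresses are constructed placeholders; the functions print the commands instead of running them, so the script runs without root or a network, and "ip route flush cache" is only meaningful on kernels of that era that still had a routing cache (it was removed in Linux 3.6).

```shell
#!/bin/sh
# Added example: prints the iptables/iproute2 commands for a two-uplink
# multipath NAT router, in both the SNAT and the MASQUERADE form.
# Interface names and addresses are constructed for illustration.
# Nothing is executed here; pipe the output into sh on the router.

# Per-uplink SNAT rules: one rule per output device, each with its own
# source address, because SNAT does not take the address from the route.
# args: dev1 addr1 [dev2 addr2 ...]
snat_rules() {
    while [ $# -ge 2 ]; do
        printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$1" "$2"
        shift 2
    done
}

# A single MASQUERADE rule: the source address comes from the route that
# was resolved for the packet, so no output device has to be named.
masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -j MASQUERADE\n'
}

# Equal-weight multipath default route over both uplinks.
# args: gw1 dev1 gw2 dev2
multipath_default() {
    printf 'ip route replace default scope global nexthop via %s dev %s weight 1 nexthop via %s dev %s weight 1\n' \
        "$1" "$2" "$3" "$4"
}

# Reproduce the path change: resolve a destination, flush the routing
# cache (2.4-era kernels), resolve it again and compare the nexthop.
# arg: destination address to probe
observe_path_change() {
    printf 'ip route get %s\n' "$1"
    printf 'ip route flush cache\n'
    printf 'ip route get %s\n' "$1"
}

# One capture per uplink so the device and source address a given
# connection (ssh here) is actually leaving on can be compared.
# args: dev1 [dev2 ...]
capture_cmds() {
    for dev in "$@"; do
        printf "tcpdump -ni %s 'tcp port 22'\n" "$dev"
    done
}

# Demo: ./nat-multipath.sh demo | sh   (on the router, as root)
if [ "${1:-}" = "demo" ]; then
    multipath_default 192.0.2.1 eth0 198.51.100.1 eth1
    snat_rules eth0 192.0.2.10 eth1 198.51.100.10
    # Alternative to the two SNAT rules above: masq_rule
    observe_path_change 203.0.113.5
    capture_cmds eth0 eth1
fi
```

Run with the "demo" argument to see the full command set; swap the snat_rules line for masq_rule to get the device-less variant the question asks about.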