Hello all,

Part I
- - - - - -

I am using a stateless (iproute2) NAT installation here as a concrete example around which to ask my question about cases where route lookups are required. I do not understand the entire sequence of route lookups required. Intuition and observation suggest to me that there have to be two separate route lookups. I would like confirmation and/or further explanation, if possible.

Here's a simple map describing my working configuration.

                  +---------+
   10.17.0.0/16   |   NAT   |   172.17.0.0/16
 -----------------+  router +--------------------
             eth2 +---------+ eth3

Here's my current understanding:

  1  packet arrives from 192.168.14.2 on eth2 bound for 10.17.254.1
  2  route exists in local routing table; rewrite packet for 172.17.254.1
  3  ??
  4  rewritten packet is transmitted on eth3 to 172.31.254.1

It seems that there must be a route lookup for 172.17.254.1 at step 3. How does the kernel know to perform a second lookup? Under what other situations would there be multiple route lookups for the same packet?

Part II
- - - - - -

Of less importance to me, but a peculiar side effect of the stateless NAT, I find that I can never connect to IPs configured for NAT on the box in question. These commands were run on the NAT router in the above diagram.

  # ping -n 10.17.254.1
  connect: Invalid argument
  # ping -I 192.168.0.13 -n 10.17.254.1
  PING 10.17.254.1 (10.17.254.1) from 192.168.0.13 : 56(84) bytes of data.
  ping: sendto: Invalid argument
  ping: sendto: Invalid argument

  --- 10.17.254.1 ping statistics ---
  2 packets transmitted, 0 packets received, 100% packet loss

Is this a side effect of the NAT entry in the local routing table?

Thank you in advance for any answers,

-Martin

Notes:
- - - - - - -

 - there are more interfaces on the box, but no traffic relevant to my question traverses any of these interfaces
 - aside from the NAT entry, there are no RPDB entries
 - # ip rule show | grep 10.17
   310: from 172.17.0.0/16 to 10.10.0.0/16 lookup main map-to 10.17.0.0
 - # ip route show table local | grep '^nat 10.17'
   nat 10.17.0.0/16 via 172.17.0.0 scope host

routing cache entries
- - - - - - -

  192.168.14.2 from 172.17.254.1 via 192.168.0.251 dev eth2 src 172.31.254.254
      cache <src-nat> mtu 1500 rtt 300 iif eth3
  10.17.254.1 from 192.168.14.2 via 172.31.254.1 dev eth3 src 192.168.0.13
      cache <dst-nat> mtu 1500 rtt 300 iif eth2

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx