Fwd: tproxy and NAT incompatible?

Hello,
We have a unique situation. Our core application software needs to be
IP transparent. For this purpose it uses tproxy. When connecting to
upstream some of our client connections need to be SNATed.

This gives rise to the following situation:

As the client request arrives a conntrack is created that looks like:
IPa, Pa, IPb, Pb, IPa, Pa, IPb, Pb

As we connect out to the origin a new conntrack entry is created that
looks like:
IPa, Pa', IPb, Pb, NAT-IPa, NAT-Pa, IPb, Pb

With some probability an independent incoming request may look like:
IPa, Pa', IPb, Pb

We see that as the SYN for this request arrives, the old NAT conntrack
entry is removed, blackholing the upstream connection.

Can tproxy be safely used with SNAT? Is there a way around this issue?


-Umesh





-- 
Homepage: http://blogs.techievarta.com/
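To make the tuple collision described above concrete, here is a small added conntrack model; it is not code from the thread or from netfilter, and the addresses, ports and entry labels are constructed. Each entry carries its original tuple and its on-the-wire reply tuple (post-SNAT), a lookup matches either direction, and a fresh SYN that hits a live entry evicts it, which reproduces the blackholed upstream connection when an unrelated client reuses port Pa'.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tuple4:
    """One direction of a TCP flow: (src ip, src port, dst ip, dst port)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Tuple4":
        return Tuple4(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Entry:
    label: str
    orig: Tuple4   # packet as first seen (original direction)
    reply: Tuple4  # reply as seen on the wire, i.e. after any SNAT


class ConntrackTable:
    """Toy model: a lookup matches either the original or the reply tuple."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def lookup(self, t: Tuple4) -> Optional[Entry]:
        return next((e for e in self.entries if t in (e.orig, e.reply)), None)

    def handle_syn(self, label: str, t: Tuple4) -> Optional[str]:
        """A new SYN matching a live entry evicts it; returns the evicted label."""
        hit = self.lookup(t)
        if hit is not None:
            self.entries.remove(hit)
        self.entries.append(Entry(label, t, t.reverse()))
        return hit.label if hit else None


def tproxy_snat_scenario(client_port: int, upstream_port: int) -> Optional[str]:
    """Constructed addresses: IPa client, IPb origin, NAT-IPa the SNAT source."""
    IPa, IPb, NAT_IPa, Pa, Pb, NAT_Pa = "10.0.0.5", "192.0.2.10", "198.51.100.1", 4000, 80, 40000
    table = ConntrackTable()
    # client -> proxy, intercepted by tproxy: no NAT, reply is the plain reverse
    table.handle_syn("client-tproxy", Tuple4(IPa, Pa, IPb, Pb))
    # proxy -> origin with transparent source IPa and fresh port Pa', SNATed on egress
    table.entries.append(Entry("snat-upstream", Tuple4(IPa, upstream_port, IPb, Pb),
                               Tuple4(IPb, Pb, NAT_IPa, NAT_Pa)))
    # an independent new client connection that happens to reuse the same source port
    return table.handle_syn("new-client", Tuple4(IPa, client_port, IPb, Pb))
```

Running the scenario with matching ports shows the upstream entry being evicted, while a non-colliding port leaves both entries intact.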