Hello,
I just figured out that conntrack helpers don't obey the configured NAT
rules when predicting the related streams. This starts to be an issue in
MAP network deployments where each home user only gets a part of the
available port range [1024-65534].
The MAP-T architecture is included for convenience (extract from
draft-mdt-softwire-map-translation-01)
User N
Private IPv4
| Network
|
O--+---------------O
| | MAP-T CE |
| +-----+--------+ |
| NAPT44| MAP-T | `-.
| +-----+ | | -._ ,-------. .------.
| +--------+ | ,-' `-. ,-' `-.
O------------------O / \ O---------O / Public \
/ IPv6 only \ | MAP-T |/ IPv4 \
( Network --+ Border +- Network )
\ (MAP-T Domain)/ | Relay |\ /
O------------------O \ / O---------O \ /
| MAP-T CE | ;". ,-' `-. ,-'
| +-----+--------+ | ," `----+--' ------'
| NAPT44| MAP-T | | ," |
| +-----+ | | IPv6 Server(s)
| | +--------+ | (v4 mapped
O---.--------------O address)
|
User M
Private IPv4
Network
In above architecture the (NAT44) NAPT [RFC2663] function on a MAP CE is
extended with support for restricting the allowable TCP/UDP ports for a
given IPv4 address. Restricting those TCP/UDP ports by using SNAT fails
for related streams.
Lets take as an example a FTP client in ACTIVE mode which downloads a
file form the WAN. On the NAT box placed between LAN and WAN next
MASQUERADE rule is in place:
iptables -t nat -A zone_wan_postrouting -p tcp -j MASQUERADE --to-ports
4000-4500
We will see that the NAT box uses ports in the range 4000-4500 for its
control connection, however the data connection (predicted by the NAT
box) will use the ports used by the FTP client instead of using a port
out of the port range imposed by the MASQUERADE rule. The same problem
is present for other helpers too as we have RTSP/SIP/IRC/...
I'm wondering how this issue can be fixed, all suggestions/ideas are
welcome. Is there any specific reason why the NAT rules aren't checked
for the predictions?
Kind regards
Johan Peeters
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
