Re: [netfilter-core] iptables/conntrack in enterprise environment.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, May 30, 2003 at 01:33:22AM -0400, Preston A. Elder wrote:

> I have my router box, say, 192.168.0.1, and a range of IP's behind it, say, 
> 10.0.0.0/24, for arguments sake.  I also have an application on the router 
> box listening on 100 ports, say, 5000-5100.  My uplink interface is eth0, and 
> the interface with all the 10.0.0.0 addresses is on eth1.

a perfectly fine setup.

> Now, I add an iptables rules something like the following:
> 
> iptbales -t nat -A PREROUTING -j REDIRECT -i eth0 -p tcp -d 10.0.0.0/24 
> - --destination-port 1025:65535 --to-ports 5000-5100
> 
> If I then telnet to 10.0.0.1 on port 5050, the connection is immediate, and my 
> application receives a new connection on port 5050.  If, however, I telnet to 
> 10.0.0.1 on port 5150, there is a small (but noticable) delay between when 
> the telnet session shows the connection as established, and when the 
> application receives the connection (on a random port between 5000 and 5100 
> inclusive).

This is _definitely_ not a netfilter issue then.  We are not doing
transparent proxying but nat.  netfilter/iptables _never_ accept
connections on their own.  So you open a connection:

1. telnet 10.0.0.1 5150
2. syn packet is sent by telnet
3. syn packet is DNAT'ed by netfilter
4. syn packet arrives at server application
5. syn/ack packet is sent by server application
6. syn/ack packet is SNAT'ed by netfilter
7. syn/ack packet is received by telnet
 [further handshake goes on]
x. telnet application prints 'Connection established' (connect(2) call
   returns)

This is a fundamental tcp/ip operation, and it can certainly by no way
be anything that netfilter does, that would introduce a behaviour like

1. telnet 10.0.01 5150
2. telnet shows 'connection established'
3. connection 'arrives' at server

[which is what you have been describing, If I understood you correctly].

> - - I'm talking a system than can get thousands of new connections a second 
> (the hardware is up to it, we're talking gb's of ram, and SMP machines).  As 
> with my above small test case, connecting to a port in the 'to-ports' range 
> gives me an immediate connection (on the application), but the delay between 
> telnet showing the connection established, and the application receiving the 
> connection (and establishing it) grows dramaticaly, even taking over a minute 
> for the application to receive the connection.  Hell, even the time for 
> telnet to show the connection as established is much greater when connecting 
> to a port outside the 'to-ports' range than when connecting to one within 
> this range.

Again, no way.  This seems to be some issue with your server
application.  

> - -- 
> PreZ
> Systems Administrator
> Shadow Realm

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

Attachment: pgp00467.pgp
Description: PGP signature


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux