On Fri, May 30, 2003 at 01:33:22AM -0400, Preston A. Elder wrote: > I have my router box, say, 192.168.0.1, and a range of IP's behind it, say, > 10.0.0.0/24, for arguments sake. I also have an application on the router > box listening on 100 ports, say, 5000-5100. My uplink interface is eth0, and > the interface with all the 10.0.0.0 addresses is on eth1. a perfectly fine setup. > Now, I add an iptables rules something like the following: > > iptbales -t nat -A PREROUTING -j REDIRECT -i eth0 -p tcp -d 10.0.0.0/24 > - --destination-port 1025:65535 --to-ports 5000-5100 > > If I then telnet to 10.0.0.1 on port 5050, the connection is immediate, and my > application receives a new connection on port 5050. If, however, I telnet to > 10.0.0.1 on port 5150, there is a small (but noticable) delay between when > the telnet session shows the connection as established, and when the > application receives the connection (on a random port between 5000 and 5100 > inclusive). This is _definitely_ not a netfilter issue then. We are not doing transparent proxying but nat. netfilter/iptables _never_ accept connections on their own. So you open a connection: 1. telnet 10.0.0.1 5150 2. syn packet is sent by telnet 3. syn packet is DNAT'ed by netfilter 4. syn packet arrives at server application 5. syn/ack packet is sent by server application 6. syn/ack packet is SNAT'ed by netfilter 7. syn/ack packet is received by telnet [further handshake goes on] x. telnet application prints 'Connection established' (connect(2) call returns) This is a fundamental tcp/ip operation, and it can certainly by no way be anything that netfilter does, that would introduce a behaviour like 1. telnet 10.0.01 5150 2. telnet shows 'connection established' 3. connection 'arrives' at server [which is what you have been describing, If I understood you correctly]. > - - I'm talking a system than can get thousands of new connections a second > (the hardware is up to it, we're talking gb's of ram, and SMP machines). As > with my above small test case, connecting to a port in the 'to-ports' range > gives me an immediate connection (on the application), but the delay between > telnet showing the connection established, and the application receiving the > connection (and establishing it) grows dramaticaly, even taking over a minute > for the application to receive the connection. Hell, even the time for > telnet to show the connection as established is much greater when connecting > to a port outside the 'to-ports' range than when connecting to one within > this range. Again, no way. This seems to be some issue with your server application. > - -- > PreZ > Systems Administrator > Shadow Realm -- - Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/ ============================================================================ "Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
Attachment:
pgp00467.pgp
Description: PGP signature
