Re: SNAT multiple address allocation, connection tracking

On Mon, 2004-06-14 at 17:57, Andrew Dunstan wrote:
> Hi,
> 
> I have this problem.
> 
> eth0 is internal network, eth1 is external network
> eth1 has a large set of additional virtual addresses
> 
> all connections go from internal to external
> 
> Third party app does this in fairly quick succession: telnet session, 
> close, ftp (non-passive), close, pop3 session, close.
> 
> The app needs each of these to get the same SNAT address (from the pool 
> of virtual addresses) on the external interface, because at the other 
> end some state is kept based on the IP address (crazy, I know, but true).
> 
> However, if another host uses the same address it in effect clobbers the 
> previous state, so each host (within some shortish period) needs to get 
> a different address from any other host.
> 
> My reading suggests that SNAT with a range does some sort of round robin 
> or LRU on a per connection basis, rather than reusing an address that 
> the same host recently used. Is this correct?
> 
> I can't nail the addresses up, because some will be DHCPd hosts from a 
> larger pool than I have available.
> 
> Can someone please suggest a combination of modules and rules that will 
> do what I need?
> 
> TIA
> 
> andrew

Ouch! That's a tough one.  If it were not for the address pool mismatch,
you could use the NETMAP patch.  The only thought that comes immediately
to mind is to move the application to some shared pool of virtual
servers.  That is, set up some number of terminal servers /thin client
hosts with addresses that are mapped one-to-one through NETMAP and have
users access the application through some thin client mechanism.

If the likelihood of simultaneous access is remote, I suppose one could
nail up all the addresses with one SNAT each (yuch!) even if there is
some duplication but I hate solutions where I know success is a matter
of probability and not predetermined based upon sound engineering!

I'll be curious to see what some of the more experienced folks with more
think time come up with short of writing some custom helper module -
John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
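Added example, not part of the thread or of netfilter: a small model of what the poster is asking the NAT layer for, so the two allocation policies can be compared side by side. Address selection that is keyed on the source host did exist outside the stock SNAT target at the time (the patch-o-matic SAME target, with --nodst to ignore the destination) and was later folded into SNAT as --persistent (kernel 2.6.29 onwards); neither guarantees that two hosts never land on the same pool address, which is the collision the poster is worried about. The allocator below adds that guarantee by refusing a mapping when no address has been idle for the reuse window, rather than silently sharing one. The pool, the hosts, the 60-second window and the connection trace are all constructed for the example.

```python
"""Per-connection versus per-source-host SNAT address allocation (constructed model).

This is illustrative code written for the thread above, not netfilter code.
It compares the per-connection allocation the poster suspects stock SNAT does
with an allocator that pins a source host to one pool address for a reuse
window and never hands that address to a second host while the window is open.
"""
import math

# Assumption: three virtual addresses configured on the external interface.
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]

# Assumption: a host keeps its address while it reconnects within 60 seconds.
WINDOW = 60.0

# Constructed trace: (seconds, internal source host, service).
# 192.168.1.5 runs the telnet / ftp / pop3 sequence from the post while
# other hosts open sessions in between; the last entry arrives long after
# every lease has expired.
TRACE = [
    (0.0, "192.168.1.5", "telnet"),
    (1.0, "192.168.1.9", "http"),
    (2.0, "192.168.1.5", "ftp"),
    (3.0, "192.168.1.5", "pop3"),
    (4.0, "192.168.1.7", "telnet"),
    (5.0, "192.168.1.8", "smtp"),
    (80.0, "192.168.1.8", "smtp"),
]


def round_robin(trace, pool):
    """Per-connection allocation: every new connection takes the next pool address."""
    return [(src, svc, pool[i % len(pool)]) for i, (_t, src, svc) in enumerate(trace)]


class StickyAllocator:
    """Source-keyed allocator with an exclusive reuse window.

    A host keeps its address as long as it reconnects within `window` seconds.
    An address is handed to a different host only after its previous owner has
    been idle for longer than `window`, preferring the address idle the longest.
    When nothing is free the request is refused (None) instead of clobbering
    another host's server-side state.
    """

    def __init__(self, pool, window):
        self.pool = list(pool)
        self.window = window
        self.lease = {}                                  # src -> (address, last use)
        self.last_seen = {a: -math.inf for a in self.pool}  # address -> last use

    def allocate(self, now, src):
        lease = self.lease.get(src)
        if lease is not None:
            addr, last = lease
            if now - last <= self.window:               # same host, window open: reuse
                self.lease[src] = (addr, now)
                self.last_seen[addr] = now
                return addr
        # Drop every lease (including this host's own stale one) idle beyond the window.
        for host, (_addr, last) in list(self.lease.items()):
            if now - last > self.window:
                del self.lease[host]
        in_use = {addr for addr, _last in self.lease.values()}
        free = [a for a in self.pool if a not in in_use]
        if not free:
            return None                                  # pool exhausted: refuse, do not share
        addr = min(free, key=lambda a: (self.last_seen[a], self.pool.index(a)))
        self.lease[src] = (addr, now)
        self.last_seen[addr] = now
        return addr


def run_sticky(trace, pool, window):
    """Replay the trace through a StickyAllocator and return (src, service, address) rows."""
    alloc = StickyAllocator(pool, window)
    return [(src, svc, alloc.allocate(t, src)) for t, src, svc in trace]


def addresses_by_host(assignments):
    """Group the addresses each internal host received, in trace order."""
    by_host = {}
    for src, _svc, addr in assignments:
        by_host.setdefault(src, []).append(addr)
    return by_host


if __name__ == "__main__":
    for name, rows in (("round-robin", round_robin(TRACE, POOL)),
                       ("sticky", run_sticky(TRACE, POOL, WINDOW))):
        print(name)
        for src, svc, addr in rows:
            print(f"  {src:<12} {svc:<7} -> {addr}")
```

Replaying the trace shows the two failure modes the thread discusses: under per-connection allocation 192.168.1.5's three sessions leave with two different addresses, and 192.168.1.7 is given the address 192.168.1.9 used a few seconds earlier; under the sticky policy the host keeps one address for all three sessions, the pool runs out for the sixth connection (a refusal, which is the honest outcome of a pool smaller than the active host count), and the address is recycled only once the old lease has aged past the window.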
