Re: DNAT problem

Stefan Friedel wrote:

OK, SNAT and DNAT do not support multiple --to any more in kernels above 2.6.10. But it is unclear to me whether they still support one IP address *range* (with round robin) or only one single IP address.

The range is still accepted as an option for iptables 1.3.6, but it has no effect
with 2.6.17.3 (so I assume that it is indeed the "NAT+round robin" capability
which has gone in kernels > 2.6.10/11). It doesn't matter if I use the SAME or
the DNAT target in PREROUTING -

One question: did you test this from only one single source IP address or from several source IP addresses? SAME is designed to always give the same mapping to a given source address, and it seems that DNAT/SNAT do the same in kernels >= 2.6.11.

I remember reading something about this in the kernel 2.6.11 changelog:
=======================================================================
  [PATCH] Remove Randomness in Selecting NAT IP Address

  We currently choose a "random" IP address to NAT to, where we have a
  range.  Martin Josefsson pointed out that he uses the SAME target in
  iptables because changing IP addresses breaks Internet banking sites
  (among others) which assume the customer will be coming from a
  consistent IP address.
  In fact, we spend a fair bit of effort trying to balance the number of
  connections we NAT to each IP address.  We can come pretty damn close
  just hashing the source and destination IP addresses, and it has the
  consistency property which is so desirable, as well as being faster.
========================================================================

I believe that with this patch the SNAT and DNAT targets behave in a way similar to the SAME target and always use the same mapping in the --to range for a given source IP address. However, when a range is specified, different sources may use different mappings. But it won't be a dynamic round robin, just a static hash. However, I believe that when there are many different source addresses it can achieve some kind of load balancing.

What about the BALANCE target? It's in the man page, but I had never heard of it.

In iptables 1.3.6 BALANCE is not available (nor is it available in the 2.6.17.3
source). Obsolete? And I fear that it would not help, because the problem is
the missing round robin/load balancing in the Kernel.

I don't think so. Each target has its own code.
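To make the difference discussed in this thread concrete, here is an added Python model (not kernel code and not from either poster) of the two selection strategies for a --to range: the old per-connection round robin versus a static hash of source and destination. SHA-256 stands in for the kernel's hash function, and the address range, destination and source pool are constructed; the point is to show that a hashed choice is stable for one source yet still spreads many sources across the range.

```python
import hashlib
import ipaddress
from collections import Counter


def expand_range(spec):
    """Expand an iptables-style --to range such as '192.0.2.10-192.0.2.13'."""
    first, _, last = spec.partition("-")
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last or first))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


def pick_by_hash(src, dst, pool):
    """Consistent choice: hash (src, dst) and index into the pool.

    SHA-256 is a constructed stand-in; the kernel's own hash is not modelled.
    """
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def pick_round_robin(n, pool):
    """Older behaviour: the n-th connection takes the n-th address, whatever its source."""
    return pool[n % len(pool)]


def simulate(sources, dst, pool):
    """Map every source through the hashed selection; return the mapping and hits per address."""
    mapping = {src: pick_by_hash(src, dst, pool) for src in sources}
    return mapping, Counter(mapping.values())


if __name__ == "__main__":
    pool = expand_range("192.0.2.10-192.0.2.13")   # constructed DNAT --to range
    dst = "203.0.113.80"                            # constructed destination address
    # constructed client pool 10.0.0.1 .. 10.0.0.200
    sources = [str(ipaddress.IPv4Address(0x0A000000 + i)) for i in range(1, 201)]
    mapping, counts = simulate(sources, dst, pool)
    print("hash: 10.0.0.7 ->", mapping["10.0.0.7"], "on every connection")
    print("hash: connections per address over 200 sources:", dict(counts))
    print("round robin for one source:", [pick_round_robin(i, pool) for i in range(6)])
```

A single source hashed repeatedly lands on one address (the "consistent IP address" property the changelog wants), while the round-robin column cycles through all four even for one client.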
