Message-ID: <4716510E.3090300@andrei.myip.org>
Date:	Wed, 17 Oct 2007 11:14:38 -0700
From:	Florin Andrei <florin@...rei.myip.org>
To:	netdev@...r.kernel.org
Subject: Re: stateless 1:1 NAT

Herbert Xu wrote:
> Florin Andrei <florin@...rei.myip.org> wrote:
>> I've heard that stateless 1:1 NAT will be possible with the upcoming 
>> 2.6.24 kernel.
>> I'd like to test that feature, but I'm not sure when it will actually be 
>> included. Will it be present in the release candidates for 2.6.24?
>> I just need a somewhat stable kernel tree to play with.
> 
> Yes it will be.

So here's the thing I'm trying to solve.

Gigabit network.
Dual homed firewall, doing 1:1 NAT for a bunch of web servers. Some 
protocols are allowed inbound to the servers (the external, NATed 
addresses).
Firewall is running CentOS 5 (kernel 2.6.18).

I run pktgen on a test machine to generate a whole lot of small UDP 
packets with random source addresses. I send the packets to the 
firewall, to one of the 1:1 NATed addresses, to a port that's blocked by 
the firewall.
Meanwhile, I'm downloading a 2GB file from a web server through the 
firewall, in a while [ 1 ] loop, to monitor the functioning of the firewall.

When I start the UDP flood, the current download is able to finish up, 
but a new one won't start. The firewall has one of the cores pegged at 
100% CPU usage, with a lot of interrupts being generated all the time.
I assume there's something related to conntrack, that's why I want to 
test stateless rules. I assume the firewall has much less work to do if 
it's doing everything stateless, at least at the NAT level.

Is it going to be possible to combine stateless 1:1 NAT with stateful 
filtering?

By the way:
OpenBSD 4.1 as a firewall fails even worse in this test case (it freezes 
instantly).
OpenBSD 4.2 works fine under the UDP flood, as if nothing happened.

-- 
Florin Andrei

http://florin.myip.org/
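The post suspects conntrack as the bottleneck but does not check it. One quick way to tell whether the state table itself is under pressure from a random-source UDP flood is to look at the conntrack table for many UNREPLIED UDP entries from distinct sources aimed at one destination/port. (Packets dropped by the filter rules never get their conntrack entry confirmed, so if the flooded port is blocked you will not see them here; in that case the cost is the per-packet lookup/allocation work, not table growth.) The following is an added example, not code from the post or from any kernel/netfilter project; the conntrack lines are constructed in the `/proc/net/nf_conntrack` text format, the IP addresses and ports are made up, and the threshold of three distinct sources is an arbitrary demo value.

```python
"""Flag destination/port pairs that are accumulating UNREPLIED UDP conntrack
entries from many distinct source addresses (a symptom of a random-source
UDP flood filling the state table). Added example; input is constructed."""
import re
from collections import defaultdict

# Constructed sample in /proc/net/nf_conntrack style (not from the post).
# Four unreplied UDP entries from different sources to 198.51.100.10:9999,
# one established TCP download on port 80, one normal replied UDP DNS flow.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 29 src=203.0.113.7 dst=198.51.100.10 sport=40001 dport=9999 [UNREPLIED] src=10.0.0.10 dst=203.0.113.7 sport=9999 dport=40001 mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.8 dst=198.51.100.10 sport=40002 dport=9999 [UNREPLIED] src=10.0.0.10 dst=203.0.113.8 sport=9999 dport=40002 mark=0 use=1
ipv4     2 udp      17 28 src=203.0.113.9 dst=198.51.100.10 sport=40003 dport=9999 [UNREPLIED] src=10.0.0.10 dst=203.0.113.9 sport=9999 dport=40003 mark=0 use=1
ipv4     2 udp      17 28 src=192.0.2.77 dst=198.51.100.10 sport=40004 dport=9999 [UNREPLIED] src=10.0.0.10 dst=192.0.2.77 sport=9999 dport=40004 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.50 dst=198.51.100.10 sport=52000 dport=80 src=10.0.0.10 dst=192.0.2.50 sport=80 dport=52000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 170 src=10.0.0.10 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=10.0.0.10 sport=53 dport=5353 [ASSURED] mark=0 use=1
"""

# Matches the original-direction tuple of one conntrack line. The optional
# upper-case word before "src=" is the TCP state (ESTABLISHED, SYN_SENT, ...);
# UDP lines have no state word. "[UNREPLIED]" follows the original tuple when
# no reply packet has been seen yet.
LINE_RE = re.compile(
    r"^(?P<l3>\S+)\s+\d+\s+(?P<proto>\S+)\s+\d+\s+(?P<ttl>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
    r"(?P<unreplied>\s+\[UNREPLIED\])?"
)


def parse_conntrack(text):
    """Yield one dict per parsable line with the fields the check needs."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unknown layouts rather than guessing
        yield {
            "proto": m.group("proto"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "unreplied": m.group("unreplied") is not None,
        }


def analyze(text):
    """Per (dst, dport): number of UNREPLIED UDP entries and distinct sources."""
    per_target = defaultdict(lambda: {"unreplied": 0, "sources": set()})
    for e in parse_conntrack(text):
        if e["proto"] == "udp" and e["unreplied"]:
            t = per_target[(e["dst"], e["dport"])]
            t["unreplied"] += 1
            t["sources"].add(e["src"])
    # Return plain counts so callers can compare/serialize easily.
    return {k: {"unreplied": v["unreplied"], "sources": len(v["sources"])}
            for k, v in per_target.items()}


def flagged_targets(text, min_sources=3):
    """(dst, dport, distinct_sources) for targets over the source threshold,
    highest first. min_sources=3 is an arbitrary demo threshold; on a real
    gateway tune it to the normal number of distinct UDP peers per service."""
    out = [(dst, dport, s["sources"])
           for (dst, dport), s in analyze(text).items()
           if s["sources"] >= min_sources]
    return sorted(out, key=lambda x: -x[2])


if __name__ == "__main__":
    for dst, dport, n in flagged_targets(SAMPLE_CONNTRACK):
        print(f"unreplied UDP from {n} distinct sources -> {dst}:{dport}")
```

On a live box you would feed `open("/proc/net/nf_conntrack").read()` to `flagged_targets` instead of the constructed sample (older 2.6.18-era kernels expose a slightly different `/proc/net/ip_conntrack` layout, so check the first line before trusting the regex). A sharp rise in the reported source count for a single target, together with a saturated core as described above, points at state-table churn; if the count stays flat while the core is still pegged, the cost is in per-packet processing ahead of the filter, which is exactly the part a stateless NAT path removes.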