Message-Id: <20090407143509.05ab3b28.akpm@linux-foundation.org>
Date:	Tue, 7 Apr 2009 14:35:09 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	netdev@...r.kernel.org
Cc:	bugme-daemon@...zilla.kernel.org, berni@...kenwald.de
Subject: Re: [Bugme-new] [Bug 12954] New: SAMEIP --nodst functionality gone missing


(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

"massive issues"!

On Fri, 27 Mar 2009 16:48:06 GMT
bugzilla-daemon@...zilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=12954
> 
>            Summary: SAMEIP --nodst functionality gone missing
>            Product: Networking
>            Version: 2.5
>     Kernel Version: 2.6.25+
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: Netfilter/Iptables
>         AssignedTo: networking_netfilter-iptables@...nel-bugs.osdl.org
>         ReportedBy: berni@...kenwald.de
>         Regression: Yes
> 
> 
> This was already briefly discussed on the netfilter mailing list, but did not
> spark much response there. However I think this issue is a pretty obvious
> regression over old kernel versions and might hit quite a few people once the
> newer kernels get deployed into large NAT setups.
> 
> Back in the days of 2.6.18 there was the SAME target which allowed, with the
> option '--nodst' to SNAT internal hosts to the same address of a whole SNAT
> range regardless of the destination address.
> 
> In cb76c6a597350534d211ba79d92da1f9771f8226 the SAME target was removed from
> the kernel sources due to being obsolete, since the same functionality was now
> in nf_nat. Shortly after that, in a discussion, Patrick McHardy proposed a patch to
> mimic the behaviour of SAME with --nodst in nf_nat by dropping the destination
> IP from the jhash. The patch was dropped shortly after because it apparently
> showed some uneven distribution.
> 
> The whole thread can be read at
> http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/23275/focus=27670
> .
> 
> This thread went dead, I tried to revive it but did not get an answer. We're
> getting hit by this regression because we are currently NATing some thousand IP
> addresses (student dorms) to an external /28. It works fine with our old
> 2.6.18+SAME setup, but tests with 2.6.25+SNAT showed massive issues with
> connections from the same internal address to different destinations getting
> NATed to different addresses in the pool, which breaks, for example, ICQ quite
> badly.
> 

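An added illustration of the behaviour the report describes (this is not code from the bug report, from Patrick McHardy's patch or from the kernel): selecting an address from a contiguous SNAT pool by hashing source and destination, versus hashing the source alone as SAME --nodst did. The hash is a stand-in for the kernel's jhash, and the pool, host and destination addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Stand-in for the kernel's jhash (assumption: Jenkins' one-at-a-time
 * hash; nf_nat itself uses jhash over the address tuple). */
static uint32_t mix_hash(const uint32_t *words, int n)
{
    uint32_t h = 0;
    for (int i = 0; i < n; i++)
        for (int b = 0; b < 4; b++) {
            h += (words[i] >> (8 * b)) & 0xff;
            h += h << 10;
            h ^= h >> 6;
        }
    h += h << 3;
    h ^= h >> 11;
    h += h << 15;
    return h;
}

/* Pick an address from a contiguous SNAT pool [base, base + size).
 * nodst != 0 mimics SAME --nodst: the choice depends on the source only,
 * so one internal host always leaves through one public address. */
uint32_t pick_snat_addr(uint32_t base, uint32_t size, uint32_t src,
                        uint32_t dst, int nodst)
{
    uint32_t words[2] = { src, dst };
    return base + mix_hash(words, nodst ? 1 : 2) % size;
}

/* Number of distinct pool addresses one source is mapped to when it
 * talks to ndst consecutive destinations: 1 is what the reporter's
 * setup needs, >1 is the regression described in the bug. */
int distinct_addrs_for_src(uint32_t base, uint32_t size, uint32_t src,
                           int ndst, int nodst)
{
    int used[256] = { 0 }, count = 0;       /* pools up to /24 */
    for (int i = 0; i < ndst; i++) {
        uint32_t a = pick_snat_addr(base, size, src, 0xC0A80001u + i, nodst);
        if (!used[a - base]) { used[a - base] = 1; count++; }
    }
    return count;
}

int main(void)
{   /* constructed: pool 203.0.113.0/28, internal host 10.0.1.5 */
    printf("dst in hash: %d address(es); --nodst: %d address(es)\n",
           distinct_addrs_for_src(0xCB007100u, 16, 0x0A000105u, 64, 0),
           distinct_addrs_for_src(0xCB007100u, 16, 0x0A000105u, 64, 1));
    return 0;
}
```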
