Bug 1016739

(In reply to Jari Turkia from comment #0)
> Additional info:
> The fix is to use SNAT-target instead of MASQUERADE. It works fully.

I wrote about this in detail into my blog. See http://blog.hqcodeshop.fi/archives/119-Bug-in-Linux-3.11-Netfilter-MASQUERADE-target-does-not-work-anymore.html

This is not an iptables problem. Reassigning to kernel.

*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.12.6-200.fc19.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 20, and are still experiencing this issue, please change the version to Fedora 20.

If you experience different issues, please open a new bug report for those.

Yes, I still experience this issue on FC19 kernel versions 3.12.5-200.fc19.x86_64 and 3.12.6-200.fc19.x86_64. And since nothing has changed SNAT still does work properly.

Hi Jari,

interesting one. I'll be back home next week where I can look into this a bit
more. Likely a regression with 3.11.X. Do you know which version of the
kernel this used to work with?

There were a few potentially impacting changes since 3.7:
* 1eb4f75 - (2013-07-10 19:45:39 -0700)  ipv6: in case of link failure remove route directly instead of letting it expire <Hannes Fre
* 75a493e - (2013-07-02 12:44:18 -0700)  ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size <Hannes Frederic Sowa>
* c65ef8d - (2012-12-16 23:28:30 +0100)  netfilter: nf_nat: Also handle non-ESTABLISHED routing changes in MASQUERADE <Andrew Collins
* a0ecb85 - (2012-12-03 15:14:20 +0100)  netfilter: nf_nat: Handle routing changes in MASQUERADE target <Jozsef Kadlecsik>

Can't yet say they are related though.

thanks,
Michele

The issue is not so clear, that one would immediately notice it. In my environment there is also IPv6 (no NAT) and a HTTP-proxy on top of the fact that any short NATed connection will work as expected.

My best guess is that it never worked on Fedora 19. My previous install was a Fedora 17 and I had no problems there. That's also where I "inherited" the IPtables settings which had the MASQUERADE in them.

*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.13.5-100.fc19.  Please test this kernel update and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you experience different issues, please open a new bug report for those.

On my 3.13.5-103.fc19.x86_64 the situation is even worse. On 3.11.3-201.fc19.x86_64 the transfer would last ~1 MiB and then hang, on a good day even 3 MiB. Now I'm struggling to get to 100 KiB before the hang occurs.

Still, using SNAT solves the issue. For testing I transferred 100 MiB without problems. However, SNAT requires an IP-address in the rule to function. My Internet connection is using DHCP, so any changes will need manual reconfiguration. MASQUERADE-rule does not have the address requirement and is better suited for dynamic IP-addresses.

This same bug exists in Fedora 20 kernel 3.13.6-200.fc20.x86_64.

*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.14.4-100.fc19.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 20, and are still experiencing this issue, please change the version to Fedora 20.

If you experience different issues, please open a new bug report for those.

Updated this to Fedora 20

I had a chance to troubleshoot this scenario with someone else.

They were running an really odd MTU and blocking all ICMP.

In his case, the reason for the odd MTU was unknown, fixed everything to 1500 and could not duplicate the bug after that.

I suspect its somehow related to RELATED with MASQUERADE, but did not troubleshoot further since the users MTU was the bigger issue.

*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 20 kernel bugs.

Fedora 20 has now been rebased to 3.17.2-200.fc20.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 21, and are still experiencing this issue, please change the version to Fedora 21.

If you experience different issues, please open a new bug report for those.

This bug is being closed with INSUFFICIENT_DATA as there has not been a response in over 3 weeks. If you are still experiencing this issue, please reopen and attach the relevant data from the latest kernel you are running and any data that might have been requested previously.