Red Hat Bugzilla – Bug 126611
"Fast NAT" routing but not NAT'ing
Last modified: 2007-11-30 17:07:02 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.2; Linux) (KHTML, like Gecko)
Description of problem:
"Fast NAT" is broken in the Red Hat Enterprise Linux kernel 2.4.21-15.EL (and in all of the vanilla linux 2.6.x kernels). Fast NAT is enabled by the CONFIG_IP_ROUTE_NAT kernel option.
Specifically, when Fast NAT rules are defined in the routing table (via the appropriate `ip` commands) packets are routed following the rules but the destination ip address is not changed (nat'ed) appropriately.
The cause seems to be that the net/ipv4/ip_forward.c:ip_forward() and net/ipv4/ip_output.c:ip_output() functions no longer call the net/ipv4/ip_nat_dumb.c:ip_do_nat() function. In the "vanilla" 2.4.21 linux kernel (and other 2.4 kernels), ip_do_nat() is called appropriately from these functions.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up two linux boxes normally on the same layer 2 network. I'm assuming the interfaces on both boxes are eth0.
2. On the "Fast NAT" box (FNb), do the following as root:
i. echo 1 > /proc/sys/net/ipv4/ip_forward
ii. /sbin/ip addr add 10.10.10.1/24 dev eth0
iii. /sbin/ip route add nat 10.10.10.3 via 10.10.10.2
iv. /sbin/ip route flush cache
v. run /usr/sbin/tcpdump -i eth0 net 10.10.10.0/24
3. On the second box (sb), do the following as root:
i. /sbin/ip addr add 10.10.10.2/24 dev eth0
ii. /sbin/ip route add 10.10.10.3 via 10.10.10.1
iii. ping 10.10.10.3
iv. In a separate terminal, run /usr/sbin/tcpdump -i eth0 dst 10.10.10.3.
Actual Results: The FNb tcpdump shows that it is receiving the ping echo requests destined for 10.10.10.3. The sb tcpdump shows two entries for each ping echo request: once when the packet was sent out and once when it was received after being routed (but not nat'ed) via FNb.
Expected Results: For each ping echo request sent, the sb tcpdump should show ping echo requests with 10.10.10.2 as the dst address (in addition to the 10.10.10.3 packets that it sends out).
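The following shell check is an added example and is not part of the bug report above. It turns the Actual/Expected comparison into something that can be run over a saved tcpdump capture from the second box (sb): if the destination-NAT route is really translating, the forwarded copy of each echo request arrives with the real address (10.10.10.2) as its destination; if packets are only being routed, every request shows up twice with the NAT address (10.10.10.3) unchanged. It assumes the capture was taken with a filter wide enough to see both destinations (for example `net 10.10.10.0/24`, as on FNb) and saved as plain tcpdump text; the sample capture lines embedded here are constructed, not taken from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): decide from an sb-side tcpdump
# capture whether a Fast NAT route rewrote the destination address.
# Assumes plain-text tcpdump output of the form shown in the constructed
# samples below, and that the capture filter covered the whole 10.10.10.0/24.

# Count ICMP echo requests addressed to $2 in capture file $1.
# (Dots in the address are left unescaped; good enough for this comparison.)
count_echo_requests() {
    grep -c "IP [0-9.]* > $2: ICMP echo request" "$1" || true
}

# Count echo-request sequence numbers that appear more than once with the
# NAT address ($2) still as destination: the signature of a packet that was
# sent out, routed back by FNb, and never translated.
untranslated_duplicates() {
    grep "> $2: ICMP echo request" "$1" \
      | sed -n 's/.*seq \([0-9]*\),.*/\1/p' \
      | sort | uniq -d | wc -l | tr -d ' '
}

# True (exit 0) when requests to the NAT address ($2) were sent and requests
# to the real address ($3) were also seen, i.e. translation happened.
nat_applied() {
    capture=$1; nat_addr=$2; real_addr=$3
    sent=$(count_echo_requests "$capture" "$nat_addr")
    translated=$(count_echo_requests "$capture" "$real_addr")
    [ "$sent" -gt 0 ] && [ "$translated" -gt 0 ]
}

# Constructed sample: what sb sees with the bug present. Each request leaves
# for 10.10.10.3 and comes back from FNb still addressed to 10.10.10.3.
make_buggy_capture() {
    cat > "$1" <<'EOF'
12:00:00.000100 IP 10.10.10.2 > 10.10.10.3: ICMP echo request, id 4242, seq 1, length 64
12:00:00.000300 IP 10.10.10.2 > 10.10.10.3: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000100 IP 10.10.10.2 > 10.10.10.3: ICMP echo request, id 4242, seq 2, length 64
12:00:01.000300 IP 10.10.10.2 > 10.10.10.3: ICMP echo request, id 4242, seq 2, length 64
EOF
}

# Constructed sample: what sb should see when Fast NAT works. The forwarded
# copy arrives with the destination rewritten to 10.10.10.2.
make_expected_capture() {
    cat > "$1" <<'EOF'
12:00:00.000100 IP 10.10.10.2 > 10.10.10.3: ICMP echo request, id 4242, seq 1, length 64
12:00:00.000300 IP 10.10.10.2 > 10.10.10.2: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000100 IP 10.10.10.2 > 10.10.10.3: ICMP echo request, id 4242, seq 2, length 64
12:00:01.000300 IP 10.10.10.2 > 10.10.10.2: ICMP echo request, id 4242, seq 2, length 64
EOF
}

# Print a verdict for one capture file.
report() {
    if nat_applied "$1" 10.10.10.3 10.10.10.2; then
        echo "$1: Fast NAT translated the destination"
    else
        echo "$1: routed only, $(untranslated_duplicates "$1" 10.10.10.3) request(s) came back untranslated"
    fi
}

# Demonstration on the two constructed captures.
demo_dir=$(mktemp -d)
make_buggy_capture "$demo_dir/buggy.txt"
make_expected_capture "$demo_dir/expected.txt"
report "$demo_dir/buggy.txt"
report "$demo_dir/expected.txt"
```

To use it on a real run, save sb's capture with `tcpdump -i eth0 -n net 10.10.10.0/24 > sb.txt` and call `report sb.txt`; the `-n` keeps addresses numeric so the patterns match.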
FAST NAT is not a supported feature in RHEL3, it had to be removed in order to integrate IPSEC support.
It seems incomplete that the CONFIG_IP_ROUTE_NAT option is still available (and used in route.c and friends) and that the (unused) ip_nat_dumb.c code is still distributed with kernels. Is it the case that this option and code will eventually be taken out or will Fast NAT be put back in the kernel?