Bug 249286 - 2.6.23.x kernels: IP MASQUERADE problem
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: iptables
Version: rawhide
Hardware: powerpc Linux
Priority: low, Severity: medium
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-07-23 11:05 EDT by Joseph Sacco
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-09-26 11:56:54 EDT
Doc Type: Bug Fix

Attachments: None
Description Joseph Sacco 2007-07-23 11:05:07 EDT
The nf_conntrack_ipv4 module is no longer being automatically loaded when the
other modules that support IP masquerading are loaded. The absence of this
module disables networking for Mac-On-Linux.

This appears to be a regression issue:

   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235392

-Joseph
Comment 1 David Woodhouse 2007-07-23 11:31:47 EDT
This doesn't seem at all related to bug 235392. You reported on IRC that
iptable_nat is now loaded, without nf_conntrack_ipv4. In older kernels, the
iptable_nat module would depend on nf_conntrack_ipv4 -- evidently it now doesn't. 
Comment 2 Thomas Woerner 2007-07-23 12:29:21 EDT
You can add nf_conntrack_ipv4 to IPTABLES_MODULES in
/etc/sysconfig/iptables-config, this should solve your problem.

Which version of system-config-securitylevel have you used to generate the
firewall configuration? Please attach your system-config-securitylevel file.
Comment 3 Joseph Sacco 2007-07-23 14:51:30 EDT
Thomas,

I am using the latest rawhide update as of 23jul07:

   * system-config-securitylevel-1.8.0-1.fc7

/etc/sysconfig/system-config-securitylevel

   #Configuration file for system-config-securitylevel
   #Copyright (c) 2002 Red Hat, Inc.  all rights reserved
   --high

-Joseph


Comment 4 Thomas Woerner 2007-07-24 06:16:17 EDT
Please downgrade to system-config-securitylevel-1.7.0-3.fc8 and
system-config-securitylevel-tui-1.7.0-3.fc8. The 1.8.0 version was removed from
devel again. (You can use "rpm -Uhv --oldpackage <package>,.." for this)
Reconfigure your firewall afterwards.

Or you can use the new system-config-firewall tool from
http://people.redhat.com/twoerner/system-config/. Steps needed for you:
1) uninstall system-config-securitylevel*
2) download
http://people.redhat.com/twoerner/system-config/system-config-firewall-1.0.1-2.fc8.src.rpm
3) rpmbuild --rebuild system-config-firewall-1.0.1-2.fc8.src.rpm
4) install system-config-firewall and system-config-firewall-tui
5) configure the firewall and make sure to leave Multicast DNS support on
Comment 5 Joseph Sacco 2007-07-24 12:00:48 EDT
Thomas,

Per your instructions, I downgraded system-config-securitylevel* and rebooted. 
I see no change in behavior.  

I also tried adding nf_conntrack_ipv4 to IPTABLES_MODULES in
/etc/sysconfig/iptables-config,

# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="nf_conntrack_ipv4"

              ...

[followed by a reboot] which oddly enough did not solve the problem.

To refocus the issue... The problem seems to be what happens when NAT is set up.

Mac-On-Linux is a virtual machine that runs an Apple OS, OS9.x or OS X, on a
linuxPPC. The Mac OS communicates with the host though an IP tunnel. To
communicate with the outside world, IP masquerading is set up when MOL is
started.  The MOL start script manually sets up an IP tunnel and the IP
masquerading and shuts these down on exit.  Bug #235392 contains some simple
code extracted from MOL that exercises this process.


-Joseph
Comment 6 Thomas Woerner 2007-07-24 12:06:58 EDT
Is nf_conntrack_ipv4 now loaded?
Comment 7 Joseph Sacco 2007-07-25 11:17:03 EDT
Short answer: No... 

Module                  Size  Used by
xt_tcpudp               3488  2 
ipt_MASQUERADE          4192  1 
iptable_nat             8164  1 
nf_nat                 21752  2 ipt_MASQUERADE,iptable_nat
nf_conntrack           78312  3 ipt_MASQUERADE,iptable_nat,nf_nat
nfnetlink               7288  2 nf_nat,nf_conntrack
ip_tables              16148  1 iptable_nat
x_tables               18180  4 xt_tcpudp,ipt_MASQUERADE,iptable_nat,ip_tables
tun                    13696  1 
mol                    59880  1 
                          ...

nf_conntrack_ipv4 gets loaded only if I manually load it with modprobe:
 
Module                  Size  Used by
nf_conntrack_ipv4      12644  0 
xt_tcpudp               3488  0 
ipt_MASQUERADE          4192  0 
iptable_nat             8164  0 
nf_nat                 21752  2 ipt_MASQUERADE,iptable_nat
nf_conntrack           78312  4 nf_conntrack_ipv4,ipt_MASQUERADE,iptable_nat,nf_nat
nfnetlink               7288  3 nf_conntrack_ipv4,nf_nat,nf_conntrack
ip_tables              16148  1 iptable_nat
x_tables               18180  4 xt_tcpudp,ipt_MASQUERADE,iptable_nat,ip_tables
tun                    13696  0 
mol                    59880  0 
                              ...

Once loaded, NAT works fine.

-Joseph
Comment 8 Thomas Woerner 2007-07-25 12:03:06 EDT
If you have nf_conntrack_ipv4 in IPTABLES_MODULES, "service iptables start" has
to print out that it is loading the module. If the module is already loaded,
then you will get FAILED, otherwise OK.

Please attach /etc/sysconfig/iptables and /etc/sysconfig/iptables-config.
Comment 9 Joseph Sacco 2007-07-25 12:12:19 EDT
Thomas,

On my system:

   /etc/sysconfig/iptables does not exist

   /etc/sysconfig/iptables-config is shown below

-Joseph

==================================================
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="nf_conntrack_ipv4"

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"
Comment 10 Thomas Woerner 2007-07-26 05:43:48 EDT
"/etc/sysconfig/iptables does not exist" ??

Without firewall rules there is no firewall - Use lokkit and generate a new
firewall configuration and try again.
Comment 11 Joseph Sacco 2007-07-27 15:50:54 EDT
Thomas,

I am not running a firewall [at present] because the Linksys router I use has
one built in.

Bug #235392 contains a copy of the Mac-On-Linux networking config script and a
C code test harness [see comments #3 and #4 of 235392]. All of the iptables
manipulation voodoo is performed by that networking config script.

The networking support in MOL works on many 32-bit PPC distros running kernels
ranging from 2.4.x to 2.6.x. Something has changed in the latest 2.6.23.x
kernels that breaks the IP Masquerading for the tunnel between MOL and the host
system. If this "something" is a new policy, I need to know what it is so I can
pass it on to the MOL developers.  If it is a bug rather than a feature, it
needs to be fixed.


-Joseph
Comment 12 Ralf Ertzinger 2007-07-31 09:56:44 EDT
There is the case of someone simply adding rules on the command line (I usually
do this on some machines to set up ad-hoc networks).

Until now, using "-j MASQUERADE" loaded all necessary modules for the rule
to work; this is no longer the case.
Comment 13 Thomas Woerner 2007-09-26 11:56:54 EDT
It seems that some declarations moved from the nf_conntrack_ipv4 netfilter
kernel module to the nf_nat netfilter kernel module. 

Therefore I think the solution for you is to manually load the module.

Closing as "NOT A BUG"

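The workaround the thread converges on (comments 7, 12 and 13) is to load nf_conntrack_ipv4 by hand before the MASQUERADE rule is installed, because the IPTABLES_MODULES setting in /etc/sysconfig/iptables-config is only acted on by the iptables service, which this reporter is not running (comments 9 and 10). The script below is an added example written for this page; it is not the Mac-On-Linux networking script nor anything attached to the bug. It checks lsmod-style output for the module, matching only the first column so that the "Used by" column of nf_conntrack (which also names nf_conntrack_ipv4 once it is loaded, as the second listing in comment 7 shows) cannot produce a false positive, and then emits the modprobe and iptables commands. The interface names, the tunnel subnet and the function names are assumptions; the command list is printed rather than executed so it can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example, not from the bug report or from the Mac-On-Linux scripts.
# Sets up IP masquerading for a tun interface on a kernel where "-j MASQUERADE"
# no longer pulls in nf_conntrack_ipv4, by loading that module explicitly.
# Interface names and the tunnel subnet passed as arguments are assumptions.

# Read lsmod-style text on stdin; succeed only if nf_conntrack_ipv4 is loaded.
# Only the first column (the module name) is compared: the "Used by" column of
# nf_conntrack also lists nf_conntrack_ipv4 once it is loaded, and that entry
# must not count as the module itself being present.
conntrack_ipv4_loaded() {
    awk '$1 == "nf_conntrack_ipv4" { found = 1 } END { exit found ? 0 : 1 }'
}

# Print, one per line, the commands that set up masquerading for the tunnel
# interface $1 via the external interface $2 for the subnet $3, given
# lsmod-style text on stdin. The modprobe line is emitted only when the module
# is missing, mirroring the check a start script should make.
masq_commands() {
    tun_if=$1; ext_if=$2; tun_net=$3
    if ! conntrack_ipv4_loaded; then
        # The old iptable_nat -> nf_conntrack_ipv4 dependency is gone, so the
        # NAT rule would otherwise be installed without IPv4 connection tracking.
        echo "modprobe nf_conntrack_ipv4"
    fi
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -s $tun_net -o $ext_if -j MASQUERADE"
    echo "iptables -A FORWARD -i $tun_if -o $ext_if -j ACCEPT"
    echo "iptables -A FORWARD -i $ext_if -o $tun_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Run for real (needs root): feed the live module list to masq_commands and
# execute what it prints, stopping at the first failing command.
# Example: mol_masq_up tun0 eth0 10.0.0.0/24
mol_masq_up() {
    lsmod | masq_commands "$@" | sh -e
}
```

After running it, `lsmod` should show nf_conntrack_ipv4 with nf_conntrack listing it under "Used by", as in the second listing in comment 7; a MASQUERADE rule that is present in `iptables -t nat -L` but does not pass traffic is the symptom that the module is still missing.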