FS#2541 - Hardware offloading causes some flows to fail to be NAT-ed #7331
Labels: flyspray, kernel, release/19.07
bjonglez:
Just after a reboot, some flows are not NATed: packets from a machine in the LAN are sent to the WAN port with a private source IP address.
This is on a Linksys RE6500 (ramips mt7621) running OpenWrt 19.07-SNAPSHOT r10578-b3d70f628.
It is configured with `flow_offloading` and `flow_offloading_hw`.
Here is a tcpdump capture showing the problem on the WAN port (`172.23.184.0/24` is my LAN address space):
```
root@openwrt:~# tcpdump -n -i eth0.20 net 172.23.184.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.20, link-type EN10MB (Ethernet), capture size 262144 bytes
18:51:21.756552 IP 172.23.184.119.51001 > 91.224.XX.YY.52001: UDP, length 112
18:51:22.651556 IP 172.23.184.119.51001 > 91.224.XX.YY.52001: UDP, length 148
18:51:26.681032 IP 172.23.184.119.51001 > 91.224.XX.YY.52001: UDP, length 768
18:51:27.771654 IP 172.23.184.119.51001 > 91.224.XX.YY.52001: UDP, length 148
```
Here is what `conntrack -L` says:
```
udp 17 55 src=172.23.184.119 dst=91.224.XX.YY sport=51001 dport=52001 packets=93 bytes=20412 [UNREPLIED] src=91.224.XX.YY dst=172.23.184.119 sport=52001 dport=51001 packets=0 bytes=0 mark=0 use=1
```
Notice the second `dst=` that shows the private IP address of the LAN machine.
After restarting the firewall, the flow is correctly NAT-ed and `conntrack -L` shows the correct entry (193.33.ZZ.WW is my public IP address):
```
udp 17 175 src=172.23.184.119 dst=91.224.XX.YY sport=51001 dport=52001 packets=4 bytes=704 [UNREPLIED] src=91.224.XX.YY dst=193.33.ZZ.WW sport=52001 dport=51001 packets=0 bytes=0 mark=0 use=1
```
Note: when I only enable `flow_offloading`, the issue does not appear anymore, so this really seems to be an issue with the hw offloading integration in the firewall.
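A check for the symptom described in this report, as an added example that is not part of the original issue or of OpenWrt: it scans `conntrack -L` output for flows leaving the LAN whose reply-direction `dst` still equals the original private `src`. The sample lines are constructed, with documentation addresses 198.51.100.7 (remote) and 203.0.113.10 (WAN) standing in for the redacted ones; the function names are hypothetical, and it assumes every flow leaving the LAN prefix should be masqueraded.

```python
import ipaddress
import re

# Tuple fields in `conntrack -L` output. Each key appears twice per entry:
# first for the original direction, then for the reply direction.
_KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_tuples(line):
    """Return (original, reply) dicts of tuple fields, or None if incomplete."""
    orig, reply = {}, {}
    for key, value in _KV.findall(line):
        (orig if key not in orig else reply)[key] = value
    if {"src", "dst"} <= orig.keys() and {"src", "dst"} <= reply.keys():
        return orig, reply
    return None

def find_unnatted(lines, lan_net):
    """Return original tuples of LAN-to-WAN flows whose reply dst was not rewritten."""
    lan = ipaddress.ip_network(lan_net)
    hits = []
    for line in lines:
        parsed = parse_tuples(line)
        if parsed is None:
            continue
        orig, reply = parsed
        try:
            src = ipaddress.ip_address(orig["src"])
            dst = ipaddress.ip_address(orig["dst"])
        except ValueError:
            continue  # redacted or malformed address (e.g. 91.224.XX.YY)
        if src not in lan or dst in lan:
            continue  # assumption: only flows leaving the LAN are masqueraded
        # With working SNAT the reply is addressed to the WAN address,
        # so reply dst must differ from the original private src.
        if reply["dst"] == orig["src"]:
            hits.append(orig)
    return hits

# Constructed sample: one un-NATed flow, one correctly NATed flow, one LAN-local flow.
SAMPLE = [
    "udp 17 55 src=172.23.184.119 dst=198.51.100.7 sport=51001 dport=52001 packets=93 bytes=20412 [UNREPLIED] src=198.51.100.7 dst=172.23.184.119 sport=52001 dport=51001 packets=0 bytes=0 mark=0 use=1",
    "udp 17 175 src=172.23.184.119 dst=198.51.100.7 sport=51002 dport=52001 packets=4 bytes=704 [UNREPLIED] src=198.51.100.7 dst=203.0.113.10 sport=52001 dport=51002 packets=0 bytes=0 mark=0 use=1",
    "tcp 6 7200 ESTABLISHED src=172.23.184.119 dst=172.23.184.1 sport=40000 dport=22 packets=10 bytes=900 src=172.23.184.1 dst=172.23.184.119 sport=22 dport=40000 packets=8 bytes=800 [ASSURED] mark=0 use=1",
]

if __name__ == "__main__":
    for flow in find_unnatted(SAMPLE, "172.23.184.0/24"):
        print("not NATed:", flow)
```

On a router this would be fed the lines of `conntrack -L` shortly after boot, which is when the report says the problem appears.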