Subject: kern/8579: ipnat fails for 1st connection after dynamic IP assignment
To: None <gnats-bugs@gnats.netbsd.org>
From: None <ingolf@knuut.de>
List: netbsd-bugs
Date: 10/07/1999 13:22:09
>Number: 8579
>Category: kern
>Synopsis: ipnat fails for 1st connection after dynamic IP assignment
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Oct 7 13:20:01 1999
>Last-Modified:
>Originator: Ingolf Koch
>Organization:
Beste Kneipe in Jena-Ost
>Release: NetBSD-current 1998-10-04
>Environment:
System: NetBSD isdn 1.4K NetBSD 1.4K (ISDN) #0: Tue Oct 5 22:46:10 MEST 1999 ingolf@isdn:/usr/obj/sys/arch/i386/compile/ISDN i386
>Description:
The situation: a LAN with some hosts and a router/firewall
connected to this LAN which has a dial-on-demand link with
dynamic IP address assignment to the Internet.
On the router, /etc/ipnat.conf looks like this:
map isp0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp
map isp0 192.168.2.0/24 -> 0/32 portmap tcp/udp 20000:30000
map isp0 192.168.2.0/24 -> 0/32
rdr isp0 0/0 port ftp -> 192.168.2.1 port ftp tcp
The /etc/ipf.conf file is empty. The router's default route is
set to isp0's destination. (isp0 is the ISDN interface --
using the native ppp0 shows the same problem.) The default routes
of all other hosts are set to the router's LAN address.
Now, a host on the LAN wants to make e.g. a TCP connection to
some host not on the LAN. The following happens (I think):
1) This host sends a SYN (with local source address) to the
router. This packet is to be routed to the Internet (after
rewriting the source address).
2) The router dials out, and an IP address for isp0 is received.
3) The host sends another SYN packet to the router (with local
source address).
4) The router does not rewrite the source address but discards
the packet.
5) Goto step 3)
IMHO, ipnat (on the router) should recognize that
- the IP address of the isp0 (or ppp0, ...) interface has changed
- it has never sent SYN (or whatever) packets for the requested
connection out of the isp0 interface before (so there has not
been any IP packet with its source address rewritten to the old
isp0 IP address)
- it can safely start rewriting source addresses for this connection
with the newly assigned IP address.
Restarting the corresponding client after the new IP address has
been assigned to the router works well, i.e. the router correctly
rewrites the source address of the packets and sends them out.
>How-To-Repeat:
See description above.
>Fix:
not known
>Audit-Trail:
>Unformatted: