A NAT masquerading race condition is observed in a setup where continuous ping traffic is launched from a device on the LAN towards a device on the internet. The WAN interface has masquerading enabled, the default firewall forward policy is reject, and the WAN interface is regularly brought down/up.

Initially everything is fine; ping packets leave the WAN interface with the WAN IP as source IP, but after the WAN interface has been toggled a number of times the ping packets leave the WAN with the LAN IP as source IP. The situation never recovers on subsequent WAN interface toggles, as the connection with the wrong NAT state is kept alive by the pings generated by the LAN device; with TCP/UDP traffic the situation will mostly recover, as applications will switch the source port when the initial connection fails.

The problem is related to the loading order of the iptables rules in the different tables; the current order used by the firewall package is filter/nat/mangle/raw. This means there is a small window in which ping packets are not rejected by the filter forward hook while the masquerade rule in the nat table is not present. Reversing the load order in the firewall package (thus raw/mangle/nat/filter) solves the issue. However, this is not a rock-solid solution, as the problem will persist if the default firewall forward policy is accept.

Any suggestions/ideas on how the problem can be solved for all cases?
Thx, Hans

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
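The race described in the mail, as an added toy model (not code from the OpenWrt firewall package): conntrack fixes the NAT decision on a flow's first packet, so a ping that is forwarded during the reload window while the MASQUERADE rule is still absent keeps the LAN source for as long as the flow stays alive. The addresses, the ping flow, the per-table reload steps and the `flush_after_reload` mitigation (clearing conntrack once a reload has completed) are assumptions of this model, not something the mail states.

```python
"""Toy model of the masquerade race: which reload steps create a wrong NAT entry,
and whether a later clean reload recovers from it (added example, not fw3 code)."""

LAN_IP, WAN_IP = "192.168.1.10", "203.0.113.5"      # constructed sample addresses
PING = ("icmp", LAN_IP, "198.51.100.7", 1)          # constructed echo flow (id 1)
ORIG_ORDER = ("filter", "nat", "mangle", "raw")     # order named in the mail
REV_ORDER = ("raw", "mangle", "nat", "filter")      # reversed order proposed in the mail


class Router:
    def __init__(self, forward_policy, load_order, flush_after_reload=False):
        self.forward_policy = forward_policy        # filter FORWARD default: "reject"/"accept"
        self.load_order = load_order                # order in which per-table rules are loaded
        self.flush_after_reload = flush_after_reload  # assumed mitigation, not in the mail
        self.tables = set()                         # tables whose WAN-zone rules are in place
        self.conntrack = {}                         # flow -> source IP chosen on first packet

    def forward(self, flow):
        """Source IP a packet of `flow` leaves WAN with, or None if the filter rejects it."""
        if flow in self.conntrack:                  # established flow: NAT decision is fixed
            return self.conntrack[flow]
        if "filter" not in self.tables and self.forward_policy != "accept":
            return None                             # zone forward rule missing, policy rejects
        src = WAN_IP if "nat" in self.tables else LAN_IP   # MASQUERADE rule present or not
        self.conntrack[flow] = src
        return src

    def toggle_wan(self, ping_at):
        """WAN down/up: zone rules dropped, then re-added table by table; the continuous
        ping reaches the router once `ping_at` tables have been reloaded (0..len)."""
        self.tables.clear()
        self.tables.update(self.load_order[:ping_at])
        seen = self.forward(PING)
        self.tables.update(self.load_order)         # reload completes
        if self.flush_after_reload:
            self.conntrack.clear()                  # drop entries created during the window
        return seen


def race_windows(policy, order):
    """Reload steps at which a ping creates a conntrack entry with the LAN source."""
    return {k for k in range(len(order) + 1) if Router(policy, order).toggle_wan(k) == LAN_IP}


def source_after_recovery_toggle(policy, order, flush=False):
    """Ping hits the earliest race window once, then arrives after a fully completed reload."""
    router = Router(policy, order, flush)
    router.toggle_wan(min(race_windows(policy, order)))
    return router.toggle_wan(len(order))


if __name__ == "__main__":
    for policy in ("reject", "accept"):
        for order in (ORIG_ORDER, REV_ORDER):
            print(policy, "/".join(order), "windows:", sorted(race_windows(policy, order)))
    print("stuck after clean reload:", source_after_recovery_toggle("reject", ORIG_ORDER))
```

Clearing conntrack after every reload also drops legitimate established flows, so the model only shows that the stale entry, not the rule order, is what keeps the wrong state alive.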
