Hi All,

Apologies, I was unsure whether this belonged in v6ops, softwires or elsewhere, but I'll start here.

I've been putting MAP-T through its paces in our lab recently, using OpenWRT/LEDE as the MAP CE, and have come across a slight issue with how things are currently implemented.

When using a BMR that overloads a subscriber's IPv4 address and allocates each subscriber multiple port sets, OpenWRT currently instantiates iptables SNAT rules for each port set. Problem is, netfilter doesn't consider the current conntrack session state when it's evaluating the rules. The result is that the first matching rule is always used, and if all sports in that port set are consumed, then any new flows are dropped.

Now I don't consider this to be an OpenWRT implementation issue, and I doubt it will be considered a bug in netfilter either, as I believe it's known and expected behaviour. At best I think it's a netfilter feature/enhancement request to be able to fully support RFC7597/9.

As far as I see it, the mitigations are:

* Use BMRs that assign only a single contiguous port set to each subscriber
* Feature request over on the Netfilter Bugzilla ( https://bugzilla.netfilter.org/show_bug.cgi?id=1227 ) to consider conntrack sessions before SNATting
* Create specific SNAT rules that match the original sport range to the same outside sport range, and then have a catch-all rule at the end. (Bit of a kludge and won't stop the catch-all getting overloaded)

Can anyone else think of a better approach to the iptables ruleset, or even better, is anyone in this WG a Netfilter dev?

-Richard

_______________________________________________
Softwires mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/softwires
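The third mitigation above (one SNAT rule per port set that maps the original source-port range onto the same outside range, plus a catch-all) can be generated mechanically from the BMR parameters. The following POSIX sh script is an added illustration, not OpenWrt's own MAP code or anything from the post; it derives the subscriber's port ranges with the generalized modulus algorithm from RFC 7597 Appendix B (port = (A << (16 - a)) | (PSID << m) | M, with m = 16 - a - k) and prints the iptables commands rather than applying them. The sample values (PSID 52, PSID offset a = 6, PSID length k = 8, address 192.0.2.1, egress interface eth0) are constructed for the example; the catch-all is assumed to reuse the first range, since a single SNAT rule can only carry one port range, and as the post notes it can still be exhausted.

```shell
#!/bin/sh
# Added example (not OpenWrt's or the original poster's code): emit a per-port-set
# SNAT ruleset for a MAP-T CE whose IPv4 address is shared via a PSID.
# Port-set arithmetic follows RFC 7597 Appendix B (generalized modulus algorithm):
#   port = (A << (16 - a)) | (PSID << m) | M,   m = 16 - a - k,   A = 1 .. 2^a - 1
# Inputs are assumed: PSID, PSID offset a (MAP default 6) and PSID length k.

# Print "lo hi" for each contiguous port range that belongs to one PSID.
map_port_ranges() {
    psid=$1; a=$2; k=$3
    m=$((16 - a - k))          # bits below the PSID inside each range
    size=$((1 << m))           # ports per contiguous range
    amax=$((1 << a))           # number of A values (A=0 is reserved when a>0)
    A=1
    # With a=0 there is no reserved block, so the single range starts at A=0.
    [ "$a" -eq 0 ] && A=0
    while [ "$A" -lt "$amax" ]; do
        lo=$(( (A << (16 - a)) | (psid << m) ))
        hi=$((lo + size - 1))
        echo "$lo $hi"
        A=$((A + 1))
    done
}

# Emit iptables commands: for every port range one SNAT rule per protocol that
# matches the original source-port range and translates it onto the same outside
# range, then a catch-all rule that falls back to the first range. The catch-all
# is the rule that can still run out of ports once its range is consumed.
map_snat_rules() {
    ip4=$1; psid=$2; a=$3; k=$4; ifc=${5:-eth0}
    map_port_ranges "$psid" "$a" "$k" | while read -r lo hi; do
        for proto in tcp udp; do
            echo "iptables -t nat -A POSTROUTING -o $ifc -p $proto --sport $lo:$hi" \
                 "-j SNAT --to-source $ip4:$lo-$hi"
        done
    done
    # Catch-all: no sport match, so flows from unexpected ports still get translated.
    set -- $(map_port_ranges "$psid" "$a" "$k" | head -n 1)
    echo "iptables -t nat -A POSTROUTING -o $ifc -j SNAT --to-source $ip4:$1-$2"
}

# Sample invocation with constructed values (PSID 52, a=6, k=8): prints 127 rules.
map_snat_rules 192.0.2.1 52 6 8 eth0
```

With a = 6 and k = 8 each subscriber holds 63 ranges of 4 ports (1232-1235, 2256-2259, ... , 64720-64723 for PSID 52), so the ruleset grows to 2 x 63 + 1 lines; the first option in the post, a BMR that assigns one contiguous port set per subscriber, collapses this to a single rule.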
