[OpenAFS] Multi-homed server and NAT-ed client issues

Ciprian Dorin Craciun ciprian.craciun@gmail.com
Wed, 17 Jul 2013 17:43:12 +0300

    Hello all!  I've encountered quite a blocking issue in my OpenAFS
setup...  I hope someone is able to help me... :)

    The setup is as follows:
    * multi-homed server with, say S-IP-1 (i.e. x.x.x.5) and S-IP-2
(i.e. x.x.x.7), multiple IP addresses, all from the public range;
    * the second IP, S-IP-2 (i.e. x.x.x.7), is the one listed in
`NetInfo` and DNS record (and correctly listed when queried via `vos
    * the first IP, S-IP-1 (i.e. x.x.x.5), is listed in
`NetRestricted` (and doesn't appear in `vos listaddrs`);
    * NAT-ed client (no multi-home on the client side);

    The actual problem is:
    * the client sends the authentication request to S-IP-2;
    * the client's router source-NAT's the IP to its own public IP,
and adds the UDP "connection" with S-IP-2 as the other peer to its
conntrack table;
    * the server receives the request on S-IP-2;
    * !!! however it replies from S-IP-1 (i.e. x.x.x.5) !!!  (probably
because the UDP socket is bound on ``...)
    * the client's router receives the packet and can't find it in its
conntrack table (because it expects the packet to come from S-IP-2);

    As a note everything works perfect with non-NAT-ed clients.
Moreover on these public-IP-ed clients, I can clearly see via
`tcpdump` that outgoing packets go towards S-IP-2, but the replies
come from S-IP-1.  (The same asymmetry is visible also on the server.)

    Thus my question is how can I resolve such an issue?

    I must say I've tried to `iptables -j SNAT ...` outgoing packets
to the right S-IP-2, however this doesn't work because SNAT also
changes the source port.  I've also tried to `-j NETMAP` these
packets, but it doesn't work because NETMAP in the `OUTPUT` or
`POSTROUTING` tables actually touch the destination...  Thus if
someone knows of an `iptables`...