[OpenAFS] Multi-homed server and NAT-ed client issues

Derrick Brashear shadow@gmail.com
Wed, 17 Jul 2013 11:09:08 -0400



bind openafs to S-IP-2; all the servers include the -rxbind option, and if
exactly one IP address is available after you apply NetInfo and
NetRestrict, it will do what you want.


On Wed, Jul 17, 2013 at 10:43 AM, Ciprian Dorin Craciun <
ciprian.craciun@gmail.com> wrote:

>     Hello all!  I've encountered quite a blocking issue in my OpenAFS
> setup...  I hope someone is able to help me... :)
>
>
>     The setup is as follows:
>     * multi-homed server with, say S-IP-1 (i.e. x.x.x.5) and S-IP-2
> (i.e. x.x.x.7), multiple IP addresses, all from the public range;
>     * the second IP, S-IP-2 (i.e. x.x.x.7), is the one listed in
> `NetInfo` and DNS record (and correctly listed when queried via `vos
> listaddrs`);
>     * the first IP, S-IP-1 (i.e. x.x.x.5), is listed in
> `NetRestricted` (and doesn't appear in `vos listaddrs`);
>     * NAT-ed client (no multi-home on the client side);
>
>     The actual problem is:
>     * the client sends the authentication request to S-IP-2;
>     * the client's router source-NATs the IP to its own public IP,
> and adds the UDP "connection" with S-IP-2 as the other peer to its
> conntrack table;
>     * the server receives the request on S-IP-2;
>     * !!! however it replies from S-IP-1 (i.e. x.x.x.5) !!!  (probably
> because the UDP socket is bound on `0.0.0.0`...)
>     * the client's router receives the packet and can't find it in its
> conntrack table (because it expects the packet to come from S-IP-2);
>
>     As a note, everything works perfectly with non-NAT-ed clients.
> Moreover on these public-IP-ed clients, I can clearly see via
> `tcpdump` that outgoing packets go towards S-IP-2, but the replies
> come from S-IP-1.  (The same asymmetry is visible also on the server.)
>
>
>     Thus my question is how can I resolve such an issue?
>
>
>     I must say I've tried to `iptables -j SNAT ...` outgoing packets
> to the right S-IP-2, however this doesn't work because SNAT also
> changes the source port.  I've also tried to `-j NETMAP` these
> packets, but it doesn't work because NETMAP in the `OUTPUT` or
> `POSTROUTING` tables actually touches the destination...  Thus if
> someone knows of an `iptables`...
>
>     Thanks,
>     Ciprian.
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>


-- 
Derrick
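As an added illustration (not code from this thread or from the OpenAFS project), the following POSIX shell script applies the NetInfo/NetRestrict filter that Derrick's reply relies on to a constructed address set, checks that exactly one address survives (the condition under which -rxbind binds Rx to the address you want), and prints the bos entries with -rxbind appended. The filter is a simplification: a local address is kept only if it appears in NetInfo when that file is non-empty, and NetRestrict entries are then dropped; the "f" forced-address prefix of NetInfo is not modelled. The 192.0.2.x addresses (a documentation range), the /usr/afs paths and the instance names are assumptions for the example, not taken from the post.

```shell
#!/bin/sh
# Added example; not OpenAFS code. Simulates the NetInfo/NetRestrict filter on a
# constructed address set and emits bos entries with -rxbind when exactly one
# address remains (the case Derrick's reply says -rxbind handles).

# afs_effective_addrs LOCAL NETINFO NETRESTRICT
#   Each argument is a whitespace-separated address list. Prints the addresses
#   that survive: LOCAL restricted to NETINFO (if NETINFO is non-empty), minus
#   NETRESTRICT. Simplified model; the NetInfo "f" prefix is not handled.
afs_effective_addrs() {
    local_addrs=$1; netinfo=$2; netrestrict=$3
    for a in $local_addrs; do
        keep=1
        if [ -n "$netinfo" ]; then
            keep=0
            for n in $netinfo; do
                if [ "$n" = "$a" ]; then keep=1; fi
            done
        fi
        for r in $netrestrict; do
            if [ "$r" = "$a" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then echo "$a"; fi
    done
    return 0
}

# afs_rxbind_ok LOCAL NETINFO NETRESTRICT
#   Succeeds only when exactly one address survives the filter.
afs_rxbind_ok() {
    count=$(afs_effective_addrs "$1" "$2" "$3" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ]
}

# Constructed scenario mirroring the thread: two public addresses on the
# server, only the second one advertised. File paths are assumptions.
LOCAL='192.0.2.5 192.0.2.7'   # addresses configured on the host (S-IP-1, S-IP-2)
NETINFO='192.0.2.7'           # contents of /usr/afs/local/NetInfo
NETRESTRICT='192.0.2.5'       # contents of /usr/afs/local/NetRestrict

if afs_rxbind_ok "$LOCAL" "$NETINFO" "$NETRESTRICT"; then
    addr=$(afs_effective_addrs "$LOCAL" "$NETINFO" "$NETRESTRICT")
    echo "exactly one address survives ($addr); -rxbind will bind Rx to it"
    # BosConfig entries with -rxbind; /usr/afs/bin paths are the conventional
    # ones and may differ on your install.
    echo "bos create -server $addr -instance fs -type fs \\"
    echo "    -cmd '/usr/afs/bin/fileserver -rxbind' '/usr/afs/bin/volserver -rxbind' /usr/afs/bin/salvager"
    echo "bos create -server $addr -instance vlserver -type simple -cmd '/usr/afs/bin/vlserver -rxbind'"
    echo "bos create -server $addr -instance ptserver -type simple -cmd '/usr/afs/bin/ptserver -rxbind'"
    # After restarting, confirm replies leave from $addr, e.g. on the server:
    #   tcpdump -ni any 'udp port 7000 or udp port 7003'
else
    n=$(afs_effective_addrs "$LOCAL" "$NETINFO" "$NETRESTRICT" | wc -l | tr -d ' ')
    echo "NetInfo/NetRestrict leave $n addresses; -rxbind needs exactly one" >&2
fi
```

The script only models the selection rule; the real servers read NetInfo and NetRestrict themselves at startup, so the check to make on a live host is the tcpdump one in the comment: with the NAT-ed client's traffic going to S-IP-2, every reply's source must also be S-IP-2 or the client's conntrack entry will not match.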
