POSTROUTING NAT doesn't operate on ISAKMP traffic

Bug #654311 reported by Derek Chen-Becker
Affects: linux (Ubuntu) | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

I have a Juniper firewall (SSG-5) that does ISAKMP with NAT behind my linux server. This works with the following iptables rule under linux-2.6.32-24:

iptables -t nat -A POSTROUTING -s <my private network> -o eth1 -j SNAT --to <my public static IP>

Under linux-2.6.32-25, the NAT rule shows up in the listing of "iptables -t nat -nvL", but it fails to do a source translation. My private network, an RFC 1918 non-routable network, simply leaks out my public interface (confirmed by a tshark trace) and my ISP simply drops the packets.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: linux-image-2.6.32-25-generic 2.6.32-25.44
Regression: Yes
Reproducible: Yes
ProcVersionSignature: Ubuntu 2.6.32-24.43-generic 2.6.32.15+drm33.5
Uname: Linux 2.6.32-24-generic x86_64
NonfreeKernelModules: nvidia
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.21.
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: derek 3777 F.... pulseaudio
 /dev/snd/pcmC0D0p: derek 3777 F...m pulseaudio
CRDA: Error: [Errno 2] No such file or directory
Card0.Amixer.info:
 Card hw:0 'SB'/'HDA ATI SB at 0xfe024000 irq 16'
   Mixer name : 'Realtek ALC889A'
   Components : 'HDA:10ec0885,1458a002,00100101'
   Controls : 43
   Simple ctrls : 24
Card1.Amixer.info:
 Card hw:1 'CX8801'/'Conexant CX8801 at 0xf8000000'
   Mixer name : 'CX88'
   Components : ''
   Controls : 3
   Simple ctrls : 2
Date: Sun Oct 3 17:08:36 2010
HibernationDevice: RESUME=UUID=23a81355-31a4-4075-9ec9-c69a56975b98
MachineType: Gigabyte Technology Co., Ltd. GA-MA69G-S3H
ProcCmdLine: BOOT_IMAGE=/vmlinuz-2.6.32-24-generic root=/dev/mapper/BigDisks-Root ro quiet splash rootfstype=ext4 nomodeset video=uvesafb:mode_option=1024x768-24,mtrr=3,scroll=ywrap
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.utf8
 SHELL=/bin/bash
RelatedPackageVersions: linux-firmware 1.34.1
RfKill:

SourcePackage: linux
WpaSupplicantLog:

dmi.bios.date: 12/29/2008
dmi.bios.vendor: Award Software International, Inc.
dmi.bios.version: F7
dmi.board.name: GA-MA69G-S3H
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.modalias: dmi:bvnAwardSoftwareInternational,Inc.:bvrF7:bd12/29/2008:svnGigabyteTechnologyCo.,Ltd.:pnGA-MA69G-S3H:pvr:rvnGigabyteTechnologyCo.,Ltd.:rnGA-MA69G-S3H:rvr:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvr:
dmi.product.name: GA-MA69G-S3H
dmi.sys.vendor: Gigabyte Technology Co., Ltd.

Revision history for this message
Derek Chen-Becker (dchenbecker) wrote :

Just FYI, I ran apport after I had rebooted back to 2.6.32-24, so I just realized that some of the debug dumps are probably invalid.

Revision history for this message
Derek Chen-Becker (dchenbecker) wrote :

Also, other (non-ISAKMP) traffic, such as HTTP, SSH, etc., gets NATed just fine. It only seems to be the ISAKMP traffic.

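The tshark confirmation described in the report, as an added example that is not part of the bug report or the Ubuntu kernel project: scan capture lines for packets that left the public interface still carrying an RFC 1918 source address, i.e. packets the SNAT rule should have translated, and tally them by protocol so an ISAKMP-only failure stands out. The interface name eth1 comes from the report; the addresses, ports and the one-line capture format are constructed.

```python
import ipaddress
import re

# RFC 1918 ranges: a packet from these must never leave the public interface un-NATed.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed capture lines (not from the report): "<iface> <src> > <dst> <proto> <sport> <dport>".
# 198.51.100.2 stands in for the public static IP, 192.168.1.0/24 for the private network.
SAMPLE_CAPTURE = [
    "eth1 192.168.1.10 > 203.0.113.5 UDP 500 500",     # ISAKMP: private source leaked
    "eth1 198.51.100.2 > 203.0.113.7 TCP 40000 22",    # SSH: correctly SNATed
    "eth1 198.51.100.2 > 203.0.113.7 TCP 40001 80",    # HTTP: correctly SNATed
    "eth1 192.168.1.10 > 203.0.113.5 UDP 4500 4500",   # IPsec NAT-T: also leaked in this sample
    "eth0 192.168.1.10 > 192.168.1.1 UDP 5353 53",     # LAN side: private source is expected here
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+)\s+(\w+)\s+(\d+)\s+(\d+)$")


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(proto: str, dport: int) -> str:
    """Name the well-known IPsec control ports; everything else is reported as proto/port."""
    if proto == "UDP" and dport == 500:
        return "ISAKMP"
    if proto == "UDP" and dport == 4500:
        return "IPsec NAT-T"
    return f"{proto}/{dport}"


def find_leaks(lines, public_iface="eth1"):
    """Return (src, dst, label) for every packet seen on public_iface with a private source."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected capture format
        iface, src, dst, proto, _sport, dport = m.groups()
        if iface == public_iface and is_rfc1918(src):
            leaks.append((src, dst, classify(proto, int(dport))))
    return leaks


def summarize(leaks):
    """Count leaked packets per protocol label, e.g. {'ISAKMP': 1}."""
    counts = {}
    for _src, _dst, label in leaks:
        counts[label] = counts.get(label, 0) + 1
    return counts
```

If only the ISAKMP and NAT-T labels appear in the summary while TCP flows show the public address, the SNAT rule is being skipped for exactly the traffic the report describes.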
Brad Figg (brad-figg)
Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
penalvch (penalvch) wrote :

Derek Chen-Becker, could you please test the latest upstream kernel available following https://wiki.ubuntu.com/KernelMainlineBuilds ? It will allow additional upstream developers to examine the issue. Please do not test the daily folder, but the one all the way at the bottom. Once you've tested the upstream kernel, please comment on which kernel version specifically you tested. If this bug is fixed in the mainline kernel, please add the following tags:
kernel-fixed-upstream
kernel-fixed-upstream-VERSION-NUMBER

where VERSION-NUMBER is the version number of the kernel you tested. For example:
kernel-fixed-upstream-v3.11-rc5

This can be done by clicking on the yellow circle with a black pencil icon next to the word Tags located at the bottom of the bug description. As well, please remove the tag:
needs-upstream-testing

If the mainline kernel does not fix this bug, please add the following tags:
kernel-bug-exists-upstream
kernel-bug-exists-upstream-VERSION-NUMBER

As well, please remove the tag:
needs-upstream-testing

If you are unable to test the mainline kernel, please comment as to why specifically you were unable to test it and add the following tags:
kernel-unable-to-test-upstream
kernel-unable-to-test-upstream-VERSION-NUMBER

Once testing of the upstream kernel is complete, please mark this bug's Status as Confirmed. Please let us know your results. Thank you for your understanding.

tags: added: latest-bios-f7
removed: networking
Changed in linux (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired