[OpenWrt-Devel] [RFC] firewall: NAT masquerading race condition

Hans Dedecker dedeckeh at gmail.com
Wed Feb 11 08:21:37 EST 2015

A NAT masquerading race condition is observed in a setup where continuous ping
traffic is launched from a device on the LAN towards a device on the internet.
The WAN interface has masquerading enabled and is regularly brought down/up; the
default firewall forward policy is reject.
Initially everything is fine; ping packets leave the WAN interface with the WAN IP
as source IP, but after the WAN interface has been toggled a number of times the
ping packets leave the WAN with the LAN IP as source IP.
The situation never recovers on subsequent WAN interface toggles, as the connection
with the wrong NAT state is kept alive by the pings generated by the LAN device;
with TCP/UDP traffic the situation will mostly recover, as applications will switch
the source port when the initial connection fails.
The problem is related to the loading order of the iptables rules in the different
tables; the current order used by the firewall package is filter/nat/mangle/raw.
This means there is a small window in which ping packets are not rejected by the filter
forward hook while the masquerade rule in the nat table is not yet present.
Reversing the load order in the firewall package (thus raw/mangle/nat/filter) solves
the issue. However, this is not a rock-solid solution, as the problem will persist
if the default firewall forward policy is accept.
Any suggestions/ideas how the problem can be solved for all cases?
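The race described above, reduced to a small model so the three cases (current load order with a reject policy, reversed load order with a reject policy, and either order with an accept policy) can be stepped through. This is an added example, not code from the post or from the OpenWrt firewall package. The addresses and the flow key are constructed; the Netfilter behaviour is simplified to two rules: the filter FORWARD hook accepts a packet if the zone forward rule is loaded or the default policy is ACCEPT, and the nat POSTROUTING masquerade decision is taken only for the packet that creates the conntrack entry and is then reused for every later packet of that flow. One further assumption, not stated in the post, is that taking the WAN down removes conntrack entries whose NAT address was the WAN IP and leaves entries that were never NATed untouched; that is what lets the correct state disappear on a toggle while the wrong state survives.

```python
"""Model of the masquerade race: one ping flow, one router whose firewall tables
are flushed and reloaded one table at a time on every WAN toggle.
Constructed sample addresses; simplified Netfilter rules (see lead-in)."""

LAN_IP = "192.168.1.10"   # constructed
WAN_IP = "203.0.113.5"    # constructed
FLOW = ("icmp", LAN_IP, "198.51.100.1")  # constructed flow key: proto, LAN src, internet dst


class Router:
    def __init__(self, forward_policy):
        self.forward_policy = forward_policy   # "REJECT" or "ACCEPT" (default filter FORWARD policy)
        self.tables = {"raw": True, "mangle": True, "nat": True, "filter": True}
        self.conntrack = {}                    # flow -> source IP chosen when the entry was created

    def forward_packet(self, flow):
        """Return the source IP the WAN sees for one ping, or None if filter rejected it."""
        # 1. filter FORWARD: zone forward rule if loaded, otherwise the default policy
        if not (self.tables["filter"] or self.forward_policy == "ACCEPT"):
            return None
        # 2. conntrack: an existing entry pins the NAT decision made for the first packet
        if flow in self.conntrack:
            return self.conntrack[flow]
        # 3. new flow: nat POSTROUTING is consulted once; MASQUERADE only if the nat table is loaded
        src = WAN_IP if self.tables["nat"] else LAN_IP
        self.conntrack[flow] = src
        return src

    def wan_down(self):
        """Flush all tables; drop entries that were NATed to the (now gone) WAN address.
        The selective conntrack removal is a modelling assumption, not from the post."""
        self.tables = {t: False for t in self.tables}
        self.conntrack = {f: s for f, s in self.conntrack.items() if s != WAN_IP}

    def wan_up(self, order, ping):
        """Reload tables one at a time in `order`; ping() runs between steps to
        stand in for the continuous ping traffic from the LAN device."""
        ping()                                 # traffic arriving before any table is back
        for table in order:
            self.tables[table] = True
            ping()                             # traffic arriving inside the load window


def simulate(order, forward_policy, toggles=3):
    """Return the WAN-side source IP seen by a ping after each toggle has fully reloaded."""
    r = Router(forward_policy)
    r.forward_packet(FLOW)                     # steady state before any toggle: NAT is correct
    seen = []
    for _ in range(toggles):
        r.wan_down()
        r.wan_up(order, lambda: r.forward_packet(FLOW))
        seen.append(r.forward_packet(FLOW))
    return seen


CURRENT_ORDER = ["filter", "nat", "mangle", "raw"]
REVERSED_ORDER = ["raw", "mangle", "nat", "filter"]

if __name__ == "__main__":
    for order in (CURRENT_ORDER, REVERSED_ORDER):
        for policy in ("REJECT", "ACCEPT"):
            print("/".join(order), policy, simulate(order, policy))
```

With the reject policy the reversed order works because every ping that arrives before the filter table is back is rejected, so no conntrack entry can be created until the masquerade rule already exists. With an accept policy the first ping after the flush is forwarded with no nat table present, the entry is pinned to the LAN address, and it survives every later toggle, which is the case the post says the reordering does not cover.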

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
