* Serge Leschinsky (fish@...) wrote:
> Philippe Weill wrote:
> > Hi everybody
> > we are testing a new firewall with 1.4RC2
> > network is bonding + vlan
> > routing is ospf
> > if we load the iptable_nat module
> > even without any nat and firewall rules
> > ospf is not working anymore
> > 2009/10/01 06:40:22 OSPF: Link State Acknowledgment: Neighbor[192.168.20.9] state Init is less than Exchange
> > Any idea what we could test?
> Does tcpdump show normal OSPF negotiation?
Thanks for your replies, I finally found the problem. Good news, this is
not a bug!
The first problem is that our IP address to the net is a private address
(192.168.x.x), so to communicate I added a SNAT rule for everything
going outside our firewall to the net with a private address.
But OSPF must not be NATed, never, otherwise it does not work.
The interesting part comes after, because we tried to stop the iptables
rules to see if the problem was there.
Now let's see what happened.
Since the NAT is added, the connection must be tracked, to perform
the reverse NAT for the reply.
The timeout for such a connection (OSPF uses protocol 89, so a stateless
connection, unlike TCP) is 300 seconds by default.
Restarting iptables does not flush the connection tracking table (which
is normal, you do not want to break connections because you restart
iptables rules). So everything with the same protocol and IP is still NATed
up to the timeout.
OSPF sends a HELLO every 30 seconds, which is less than the timeout, so
once ospfd is running, there is no chance to reach the conntrack timeout...
The solution is adding an iptables rule to not NAT OSPF (-p 89) and to
reboot the firewall to flush the connection tracking table.
Since then everything works fine.
CNRS - LATMOS
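The following is an added illustration, not code from the thread or from any of the posters: a small Python model of the conntrack behaviour the post describes. OSPF (IP protocol 89) has no ports, so netfilter keys the flow on (protocol, source, destination), applies the generic timeout (300 s by default) and refreshes it on every packet; the NAT verdict is taken on the first packet of the flow and stored in the entry, so reloading the nat table changes nothing for a flow that already exists. The addresses, the 224.0.0.5 AllSPFRouters destination and the rule ordering are assumptions used only for the simulation.

```python
# Added example (not from the mailing-list thread): model of why a reloaded
# nat table does not stop OSPF from being NATed until the conntrack entry
# expires or the table is flushed.

OSPF_PROTO = 89
GENERIC_TIMEOUT = 300   # nf_conntrack_generic_timeout default, in seconds
HELLO_INTERVAL = 30     # OSPF HelloInterval default, in seconds

# nat POSTROUTING rules as (protocol or None for "any", target); first match wins.
SNAT_EVERYTHING = [(None, "SNAT")]
OSPF_EXCLUDED = [(OSPF_PROTO, "ACCEPT"), (None, "SNAT")]   # exclusion before SNAT


def nat_decision(rules, proto):
    """Walk the nat rules in order; True if the flow would be SNATed."""
    for rule_proto, target in rules:
        if rule_proto is None or rule_proto == proto:
            return target == "SNAT"
    return False


class ConntrackTable:
    """Minimal conntrack: per-flow expiry plus the NAT verdict taken at creation."""

    def __init__(self, timeout=GENERIC_TIMEOUT):
        self.timeout = timeout
        self.entries = {}   # (proto, src, dst) -> [expires_at, natted]

    def packet(self, now, proto, src, dst, rules):
        """Process one packet at time `now`; returns True if it is NATed."""
        # drop entries whose timeout has passed
        self.entries = {k: v for k, v in self.entries.items() if v[0] > now}
        key = (proto, src, dst)
        if key not in self.entries:
            # the nat table is consulted only for the first packet of a flow
            self.entries[key] = [now + self.timeout, nat_decision(rules, proto)]
        entry = self.entries[key]
        entry[0] = now + self.timeout    # every packet refreshes the timeout
        return entry[1]

    def flush(self):
        """What a reboot does to the table: forget every flow."""
        self.entries.clear()


def hello_stream(table, rules, start, stop, interval=HELLO_INTERVAL):
    """Send one OSPF HELLO every `interval` seconds in [start, stop); return the last verdict."""
    natted = None
    for t in range(start, stop, interval):
        # constructed sample flow: router 192.168.20.1 -> AllSPFRouters multicast
        natted = table.packet(t, OSPF_PROTO, "192.168.20.1", "224.0.0.5", rules)
    return natted


def scenario(flush_on_restart, gap_after_restart=0):
    """Start with SNAT-everything, reload the nat table with the OSPF exclusion at t=300 s.

    Returns True if HELLOs are still being NATed five minutes after the reload.
    """
    table = ConntrackTable()
    hello_stream(table, SNAT_EVERYTHING, 0, 300)     # ospfd running, wrong rules
    if flush_on_restart:
        table.flush()                                 # reboot / conntrack flush
    resume = 300 + gap_after_restart                  # gap = ospfd stopped for a while
    return hello_stream(table, OSPF_EXCLUDED, resume, resume + 300)


if __name__ == "__main__":
    print("rules reloaded, no flush:      still NATed =", scenario(False))
    print("rules reloaded, table flushed: still NATed =", scenario(True))
    print("ospfd stopped > 300 s first:   still NATed =", scenario(False, 301))
```

The three runs reproduce the post's observation: a HELLO every 30 s keeps refreshing a 300 s entry, so a plain rule reload leaves OSPF NATed indefinitely, while flushing the table (the reboot in the post) or keeping ospfd stopped for longer than the timeout lets the new exclusion rule take effect. On a real box the exclusion corresponds to a nat rule such as `iptables -t nat -I POSTROUTING -p 89 -j ACCEPT` placed before the SNAT rule (ACCEPT in the nat table means "do not NAT this flow"); the conntrack-tools command `conntrack -F` flushes the table without a reboot.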