Why iptables rules pass netperf TCP_STREAM test through, but break UDP_STREAM?
I have a network:
    +------------------+
    |                  |
[client]--[NAT]--[server]
On the NAT, I have added the following iptables rules:
$ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target      prot opt source      destination

Chain INPUT (policy ACCEPT)
target      prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target      prot opt source      destination

Chain POSTROUTING (policy ACCEPT)
target      prot opt source      destination
MASQUERADE  all  --  anywhere    anywhere
$ iptables -L
Chain INPUT (policy ACCEPT)
target      prot opt source      destination

Chain FORWARD (policy ACCEPT)
target      prot opt source      destination
ACCEPT      all  --  anywhere    anywhere    state NEW,RELATED,ESTABLISHED
ACCEPT      all  --  anywhere    anywhere

Chain OUTPUT (policy ACCEPT)
target      prot opt source      destination
It works well when I run ping server on the client, when I run netperf through TCP, and when I run netperf through UDP via the direct connection. But it does not work if I run:
$ netperf -H 192.168.2.10 -t UDP_STREAM -l 1
MIGRATED UDP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 192.168.2.10 () port 0 AF_INET : demo
send_data: data send error: errno 101
netperf: send_omni: send_data failed: Network is unreachable
It seems the iptables firewall blocks the UDP packets.
Is that so, and how do I configure it not to?
Answer
The answer is here: https://stackoverflow.com/a/24211455/1234026
In short: netperf disables IP routing by default for the UDP_STREAM test, and if the target address is in a different subnet, it fails to find a route. To make it act normally, I need to supply the -R 1 key as a test-specific option.
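The mechanism behind errno 101 can be reproduced without netperf or the NAT box at all. netperf's UDP_STREAM test sets SO_DONTROUTE on its data socket unless the test-specific option -R 1 is given (test-specific options follow a double dash, i.e. netperf -H 192.168.2.10 -t UDP_STREAM -l 1 -- -R 1). With SO_DONTROUTE the kernel only considers directly attached link-scope routes, so a destination that needs a gateway fails with ENETUNREACH before any packet reaches the NAT. The script below is an added example, not code from the post or from netperf; it sends one UDP datagram to an off-subnet address with and without SO_DONTROUTE and reports the errno. The destination 198.51.100.10 (a TEST-NET-2 documentation address, never on-link) and the port 12865 are constructed stand-ins for the server in the question.

```python
import errno
import socket

# Constructed destinations (assumptions, not from the post): TEST-NET-2 is
# never directly attached, so it plays the role of the server behind the NAT.
OFF_LINK_DEST = ("198.51.100.10", 12865)
LOCAL_DEST = ("127.0.0.1", 12865)
NET_UNREACH = errno.ENETUNREACH  # 101 on Linux, the value netperf printed


def udp_send_errno(dest, dontroute):
    """Send one UDP datagram to dest; return 0 on success or the errno.

    dontroute=True sets SO_DONTROUTE, which is what netperf's UDP_STREAM
    test does unless '-- -R 1' is given. The kernel then restricts the route
    lookup to link-scope routes, so a destination reachable only through a
    gateway (the NAT box) is rejected with ENETUNREACH at sendto() time.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            if dontroute:
                s.setsockopt(socket.SOL_SOCKET, socket.SO_DONTROUTE, 1)
            s.sendto(b"netperf-style probe", dest)
            return 0
    except OSError as e:
        # Includes sandboxes where socket creation itself is forbidden.
        return e.errno or -1


def compare_routing(dest):
    """Errno of a normal send versus a SO_DONTROUTE send to the same dest."""
    return {
        "routed": udp_send_errno(dest, dontroute=False),
        "dontroute": udp_send_errno(dest, dontroute=True),
    }


def explain(err):
    """Interpret an errno the way the accepted answer does."""
    if err == 0:
        return "datagram accepted by the kernel: a usable route was found"
    if err == NET_UNREACH:
        return ("ENETUNREACH (101): no usable route; with SO_DONTROUTE only "
                "on-link routes count, so an off-subnet target fails even "
                "though the NAT would forward it")
    return f"errno {err}: {errno.errorcode.get(err, 'unknown')}"


if __name__ == "__main__":
    for name, dest in (("off-link", OFF_LINK_DEST), ("loopback", LOCAL_DEST)):
        r = compare_routing(dest)
        print(f"{name}: routed    -> {explain(r['routed'])}")
        print(f"{name}: dontroute -> {explain(r['dontroute'])}")
```

On a client with a default route through the NAT, the off-link "routed" send succeeds while the "dontroute" send returns ENETUNREACH, exactly the pair of behaviours seen with and without -R 1. The iptables rules on the NAT never see the datagram in the failing case, which is why the FORWARD and MASQUERADE rules are not the cause.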