[Jool-list] WARNING (find_bib_session6): I'm running out of pool4 addresses for mark 0.

Brian J. Murrell brian at interlinx.bc.ca
Tue Mar 15 16:48:13 CDT 2022


On Tue, 2022-03-15 at 15:08 -0600, Alberto Leiva wrote:
> > My
> > understanding of that is that ports are not mapped unless >1
> > RFC1918
> > hosts happen to use the same source ports, so "extra" ports are not
> > even necessary until there is such a collision.
> 
> Not sure if I understand you correctly, but I don't think that's how
> it works.

Why map a source port if it's not being used by the NATting device,
either for itself or for another device?  I.e. 192.168.0.1:1234->8.8.8.8:443
should map simply to 204.1.2.4:1234->8.8.8.8:334 assuming
that 204.1.2.4 is the external IP address and that port 1234 is not in
use by either the NAT device or another 192.168.0.0/24 host.  Then your
pool of ports is 65535 ports, not just a few thousand.

This is how netfilter seems to do it.  Witness:

client-window1$ telnet 1.2.3.4 8888

client-window2$ ss -apn | grep 1.2.3.4
tcp   SYN-SENT   0      1  10.75.22.1:34030  1.2.3.4:8888

nat_router# tcpdump -i eth0.2 -s 0 -n host 1.2.3.4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
17:38:45.568717 IP 135.23.51.187.34030 > 1.2.3.4.8888: Flags [S], seq 1198725277, win 64240, options [mss 1460,sackOK,TS val 3032196574 ecr 0,nop,wscale 7], length 0
17:38:54.080731 IP 135.23.51.187.34030 > 1.2.3.4.8888: Flags [S], seq 1198725277, win 64240, options [mss 1460,sackOK,TS val 3032205086 ecr 0,nop,wscale 7], length 0

As you can see, nat44 on linux is using the client port that the
internal host used as its own client port.

> A mapping needs to be created every time a new source port is used.

Yes, understood.  But the entire 64K of ports are usable and only need
re-mapping if in use, which should be rare on small internal networks.


> (BTW: BIB binding = BIB entry)

Since I have no idea what BIB is even BIB entry and BIB binding are
equally opaque.  But it's probably not important.

> Add "-i ilinx" (without quotes) between "jool" and "bib".

I did try that already but since it simply repeated the same error with
the word ilinx instead of default I didn't think that was the solution:

# jool -i ilinx bib display --tcp --numeric
Error: The kernel module returned error 3: This namespace lacks an instance named 'ilinx'.


Cheers,
b.
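As an added illustration of the two allocation policies this exchange contrasts (a constructed toy model written for this page, not Jool's or netfilter's code; the addresses, ports and pool sizes are made up or taken from the messages above), the following simulates a port-preserving NAT, which only remaps a source port when two internal hosts collide on it, beside a NAT that hands ports out strictly from a small fixed range, where exhaustion is the expected failure mode:

```python
"""Toy model of two NAT source-port allocation policies.

Constructed example, not Jool's or netfilter's code. Bindings are keyed on
internal address + port only, to keep the model small (real NATs also track
destination and protocol).
"""
from dataclasses import dataclass, field


@dataclass
class Nat:
    external_ip: str
    policy: str                       # "preserve" or "pool"
    pool: range = range(1024, 65536)  # external ports the NAT may hand out
    bindings: dict = field(default_factory=dict)  # (int_ip, int_port) -> ext_port
    in_use: set = field(default_factory=set)      # external ports already bound

    def map_port(self, int_ip, int_port):
        """Return the external port bound to (int_ip, int_port), creating the
        binding on first use. Returns None when no external port is free."""
        key = (int_ip, int_port)
        if key in self.bindings:
            return self.bindings[key]             # existing binding, reuse it
        if (self.policy == "preserve" and int_port in self.pool
                and int_port not in self.in_use):
            ext = int_port                        # keep the internal port as-is
        else:
            # collision, or a strict pool: take the first free port in the range
            ext = next((p for p in self.pool if p not in self.in_use), None)
        if ext is None:
            return None                           # pool exhausted (the warning case)
        self.bindings[key] = ext
        self.in_use.add(ext)
        return ext


def demo():
    """Two internal hosts both use source port 34030 behind a port-preserving
    NAT; then three hosts share one port behind a NAT with only two pool ports."""
    preserve = Nat("135.23.51.187", "preserve")
    a = preserve.map_port("10.75.22.1", 34030)   # free, so kept: 34030
    b = preserve.map_port("10.75.22.2", 34030)   # collides, remapped to 1024
    tiny = Nat("204.1.2.4", "pool", pool=range(61001, 61003))  # two ports only
    c = [tiny.map_port("192.168.0.%d" % i, 1234) for i in (1, 2, 3)]
    return a, b, c   # third host gets None: nothing left to hand out


if __name__ == "__main__":
    print(demo())
```

The first policy only spends a second port when a collision actually happens, which is the behaviour the tcpdump output above shows; the second runs dry after exactly as many distinct bindings as the range holds, regardless of which internal ports were used.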
