
Why iptables rules pass netperf TCP_STREAM test through, but break UDP_STREAM?

I have a network:

    +---------------+
    |               |
[client]--[NAT]--[server]

On the NAT, I have added the following iptables rules:

$ iptables -t nat -L:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere 

$ iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

It works well when I run ping to the server on the client, when I run netperf over TCP, and when I run netperf over UDP via the direct connection. But it does not work if I run:

$ netperf -H 192.168.2.10 -t UDP_STREAM -l 1
MIGRATED UDP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 192.168.2.10 () port 0 AF_INET : demo
send_data: data send error: errno 101
netperf: send_omni: send_data failed: Network is unreachable

It seems the iptables firewall blocks the UDP packets.

Is it so, and how do I configure it not to?

Necto

1 Answer

The answer is here: https://stackoverflow.com/a/24211455/1234026

In short: netperf disables IP routing by default for the UDP_STREAM test, and if the target address is in a different subnet, it fails to find the route. To make it act normally, I need to supply -R 1 as a test-specific option.

Necto