Help Needed in Connection Tracking/NAT

Help Needed in Connection Tracking/NAT

[Nagaraj G]

Hello Everyone,

I am a developer working on a new application module (NAT ALG) using the
netfilter NAT/ConnTrack framework.

I am using Linux 2.4.10 kernel.

I am facing a strange problem with the ConnTrack/NAT framework which I
am not able to understand. Can you please help me understanding the
framework and help me in solving my problem.

My application protocol is as follows:

1. A new packet is sent from a port X to a well known port MY_PORT. I
hook my NAT helper for MY_PORT and I get called for this packet to
mangle the contents.

2. The response for the above packet does not come to X at all, It
always comes to MY_PORT. So, I create a new expectation using
expect_related.

3. In one scenario, the response packet comes from MY_PORT destined to
MY_PORT. In this scenario, my Nat_Expect function gets called for
MANIP_DST and I supply the destIp and destPort (which again is MY_PORT)
of the internal host in multi_range structure and call nat_setup_info.
After this I attach my helper to the info supplied. After this, I get
called into my Nat_Help routine to handle this packet for the contents
which I do and complete the packet. After this, for all the outgoing
packets destined to MY_PORT, I don't see my Nat_Help routine getting
called. The packets go out without the content being mangled.

4. In another scenario, the response packet comes from a new port Y
destined to MY_PORT. In this scenario also, I do the same things as in 3
above. But, in this case, I get called for all future packets going out.


I am not able to understand what is going wrong in this scenario
mentioned in 3 above. 

Please help me.

Am I missing something? Do you want me send you the code snippets?


By the way, is Rustie or Harald listening on this list?


Thanks in advance

Best Regards,

Nagaraj

Re: Help Needed in Connection Tracking/NAT

[Henrik Nordstrom]

On Tue, 24 Feb 2004, Nagaraj G wrote:

> I am a developer working on a new application module (NAT ALG) using the
> netfilter NAT/ConnTrack framework.
> 
> I am using Linux 2.4.10 kernel.

Please upgrade. There has been substantial changes in the NAT framework
interface in later Linux-2.4 releases.

> 3. In one scenario, the response packet comes from MY_PORT destined to
> MY_PORT. In this scenario, my Nat_Expect function gets called for
> MANIP_DST and I supply the destIp and destPort (which again is MY_PORT)
> of the internal host in multi_range structure and call nat_setup_info.
> After this I attach my helper to the info supplied. After this, I get
> called into my Nat_Help routine to handle this packet for the contents
> which I do and complete the packet. After this, for all the outgoing
> packets destined to MY_PORT, I don't see my Nat_Help routine getting
> called. The packets go out without the content being mangled.

Ok. This case is different as MY_PORT is not the destination port. I am 
not sure how to set the NAT helper protocol of expected connections once 
accepted.

> 4. In another scenario, the response packet comes from a new port Y
> destined to MY_PORT. In this scenario also, I do the same things as in 3
> above. But, in this case, I get called for all future packets going out.

I think these will be automatically recognised to use the same NAT helper
due to the destination port of the connection being MY_PORT. Not sure if
this is intentional or not (probably should not as it is an expected
connection, not a new connection).

Regards
Henrik