From: Philip Craig <philipc@snapgear.com>
To: netfilter-devel@lists.samba.org
Subject: [PATCH] NAT for unreplied connections
Date: Tue, 04 Jun 2002 18:43:54 +1000
Message-ID: <3CFC7DCA.9030801@snapgear.com>

Hi,

The nat table is only used for the first packet in each
connection.  This poses a problem if events such as the
following occur:

1. TCP SYN packet sent, but no reply received.

2. iptables rules change or routing table changes such that
the TCP SYN packet should be NATed differently.

3. TCP SYN packet resent, but is NATed using the conntrack
created by the initial conntrack, and so it never reaches its
destination, or the reply is never received.

Currently, the only solution for this is to create a new
connection, often requiring the application to be killed and
restarted.  This can happen for UDP connections and pings
too.

I searched in the list archives and found one other person
has noticed this problem too, but there were no replies:

http://lists.samba.org/pipermail/netfilter-devel/2002-January/003166.html

I've included a patch which changes the IP conntracking such
that the conntrack is recreated if a packet is sent in the
original direction before any replies are seen.

This solves my current problems, but my testing is fairly
minimal so far.  Can anyone see any problems with this patch,
or have a better solution?

One problem may be that since the new conntrack may not have
the same source port as the original, UDP protocols that
don't require replies immediately after the first packet may
fail.

Regards,
Phil


--- linux-2.4.x/net/ipv4/netfilter/ip_conntrack_core.c	2 Oct 2001 09:36:12 -0000	1.1.1.2
+++ linux-2.4.x/net/ipv4/netfilter/ip_conntrack_core.c	4 Jun 2002 07:52:40 -0000	1.3
@@ -584,6 +584,16 @@

  	/* look for tuple match */
  	h = ip_conntrack_find_get(&tuple, NULL);
+ 
if (h && !(h->ctrack->status & IPS_SEEN_REPLY)
+ 
		&& DIRECTION(h) == IP_CT_DIR_ORIGINAL) {
+ 
	/* No reply yet, so recreate the conntrack in case the
+ 
	   NAT rules have changed. */
+ 
	if (del_timer(&h->ctrack->timeout)) {
+ 
		death_by_timeout((unsigned long)h->ctrack);
+ 
		ip_conntrack_put(h->ctrack);
+ 
		h = NULL;
+ 
	}
+ 
}
  	if (!h) {
  		h = init_conntrack(&tuple, proto, skb);
  		if (!h)
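Review bot: the block only recreates the conntrack when del_timer() succeeds; when the timer has already fired (death_by_timeout() is running for this entry), h stays set and the packet is NATed with the conntrack that is being torn down, so the comment "recreate the conntrack in case the NAT rules have changed" promises more than the code does, and the skipped case deserves a sentence there. The ordering death_by_timeout() then ip_conntrack_put(h->ctrack) also merits a comment: the put releases the reference that ip_conntrack_find_get() took three lines earlier, and that reference is what keeps h->ctrack valid across death_by_timeout(), so the two lines must not be swapped. Finally, the condition !(status & IPS_SEEN_REPLY) && DIRECTION(h) == IP_CT_DIR_ORIGINAL matches every original-direction packet, not only a retransmitted TCP SYN, so any flow whose first packets are not answered (the one-way UDP case raised in the mail, pings to a silent host) tears down and re-creates its conntrack, re-running the NAT decision, once per packet; restricting the recreate to TCP, or gating it on a flag set when the NAT table or routing actually changes, would keep the fix for the SYN case without that per-packet cost.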

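The failure mode described in the mail (the NAT decision is taken once, when the conntrack is created, so a retransmitted SYN keeps the stale mapping) and the trade-off of the proposed fix for one-way UDP, shown as an added user-space model in C. This is not netfilter code and not part of the patch; the table, the direction flag passed by the caller, the fresh-port-per-entry allocation, the function names and all addresses are constructed for illustration, and only the meaning of IPS_SEEN_REPLY is borrowed from ip_conntrack.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: the NAT decision is taken in ct_create() only and
 * reused for every later packet of the connection.  nat_src_addr,
 * ct_handle_packet and next_free_port are assumptions of this model. */

#define IPS_SEEN_REPLY   0x02
#define CT_DIR_ORIGINAL  0
#define CT_DIR_REPLY     1
#define MAX_CT           8

struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };

struct conntrack {
    int      in_use;
    struct tuple orig;          /* tuple as seen before NAT */
    uint32_t nat_src;           /* SNAT address chosen at creation */
    uint16_t nat_sport;         /* SNAT port chosen at creation */
    unsigned status;
    int      generation;        /* 1 for the first entry created, 2 for the next */
};

/* Stand-in for the nat table: the SNAT address currently in effect.
 * Changing it models an iptables rule or routing change. */
static uint32_t nat_src_addr;
static uint16_t next_free_port;  /* assumption: every new entry gets a fresh port */
static struct conntrack table[MAX_CT];
static int created_total;

static void ct_flush(void)
{
    memset(table, 0, sizeof table);
    created_total = 0;
    next_free_port = 40000;
}

static int tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport
        && a->dport == b->dport && a->proto == b->proto;
}

static int ct_lookup(const struct tuple *t)
{
    for (int i = 0; i < MAX_CT; i++)
        if (table[i].in_use && tuple_eq(&table[i].orig, t))
            return i;
    return -1;
}

/* The only point where the NAT "rules" are consulted. */
static int ct_create(const struct tuple *t)
{
    for (int i = 0; i < MAX_CT; i++) {
        if (table[i].in_use)
            continue;
        table[i].in_use = 1;
        table[i].orig = *t;
        table[i].nat_src = nat_src_addr;
        table[i].nat_sport = next_free_port++;
        table[i].status = 0;
        table[i].generation = ++created_total;
        return i;
    }
    return -1;
}

struct nat_result { uint32_t src; uint16_t sport; int generation; };

/* One packet of connection `orig` in direction `dir` (the caller supplies the
 * direction; real conntrack derives it from the matched tuple).
 * recreate_unreplied == 0 is the stock behaviour; 1 is the patch's rule: an
 * original-direction packet that hits a conntrack which has never seen a
 * reply tears it down and starts over, re-running NAT. */
static struct nat_result ct_handle_packet(const struct tuple *orig, int dir,
                                          int recreate_unreplied)
{
    int i = ct_lookup(orig);
    if (i >= 0 && recreate_unreplied && dir == CT_DIR_ORIGINAL
        && !(table[i].status & IPS_SEEN_REPLY)) {
        table[i].in_use = 0;        /* the death_by_timeout() step of the patch */
        i = -1;
    }
    if (i < 0)
        i = ct_create(orig);
    if (dir == CT_DIR_REPLY)
        table[i].status |= IPS_SEEN_REPLY;
    struct nat_result r = { table[i].nat_src, table[i].nat_sport,
                            table[i].generation };
    return r;
}

/* Constructed addresses: 10.0.0.2 -> 192.0.2.1, SNAT via uplink 198.51.100.1,
 * which fails over to 203.0.113.1 while the SYN is still unanswered. */
#define UPLINK_A 0xC6336401u
#define UPLINK_B 0xCB007101u
static const struct tuple syn   = { 0x0A000002u, 0xC0000201u, 1025, 80, 6 };
static const struct tuple dgram = { 0x0A000002u, 0xC0000201u, 514, 514, 17 };

/* Scenario 1 (the bug): SYN sent, uplink changes, SYN retransmitted.
 * Returns the SNAT address used for the retransmitted SYN. */
static uint32_t scenario_syn_retransmit(int recreate_unreplied)
{
    ct_flush();
    nat_src_addr = UPLINK_A;
    ct_handle_packet(&syn, CT_DIR_ORIGINAL, recreate_unreplied);
    nat_src_addr = UPLINK_B;
    return ct_handle_packet(&syn, CT_DIR_ORIGINAL, recreate_unreplied).src;
}

/* Scenario 2: once a reply has been seen the patch must leave the connection
 * alone.  Returns 1 if the established connection kept its first mapping. */
static int scenario_established_survives(void)
{
    ct_flush();
    nat_src_addr = UPLINK_A;
    ct_handle_packet(&syn, CT_DIR_ORIGINAL, 1);
    ct_handle_packet(&syn, CT_DIR_REPLY, 1);    /* SYN/ACK arrives */
    nat_src_addr = UPLINK_B;
    struct nat_result r = ct_handle_packet(&syn, CT_DIR_ORIGINAL, 1);
    return r.src == UPLINK_A && r.generation == 1;
}

/* Scenario 3 (the caveat in the mail): five datagrams of a one-way UDP stream,
 * never answered.  Returns how many distinct SNAT source ports the peer sees. */
static int scenario_oneway_udp(int recreate_unreplied)
{
    ct_flush();
    nat_src_addr = UPLINK_A;
    uint16_t first = ct_handle_packet(&dgram, CT_DIR_ORIGINAL, recreate_unreplied).sport;
    int distinct = 1;
    for (int n = 1; n < 5; n++)
        if (ct_handle_packet(&dgram, CT_DIR_ORIGINAL, recreate_unreplied).sport != first)
            distinct++;
    return distinct;
}
```

With the stock rule the retransmitted SYN still leaves via UPLINK_A after the change; with the patch's rule it leaves via UPLINK_B, and an established connection is untouched either way. The same rule applied to the unanswered UDP stream gives the peer a new source port on every datagram in this model, which is the caveat the mail raises.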

Thread overview: 4+ messages
2002-06-04  8:43 Philip Craig [this message]
2002-06-04 13:01 ` [PATCH] NAT for unreplied connections Henrik Nordstrom
2002-06-05  1:23   ` Philip Craig
2002-06-05  6:26     ` Henrik Nordstrom
