From: Philip Craig <philipc@snapgear.com>
To: Harald Welte <laforge@netfilter.org>
Cc: Jeff Hall <hall@vdata.com>, netfilter-devel@lists.netfilter.org
Subject: Re: PPTP connection tracking and NAT patches
Date: Thu, 27 Mar 2003 10:16:40 +1000
Message-ID: <3E8242E8.3050609@snapgear.com>
In-Reply-To: 20030326152047.GY21953@sunbeam.de.gnumonks.org

Harald Welte wrote:
> On Thu, Mar 20, 2003 at 03:32:46AM -0500, Jeff Hall wrote:
>>I was also having problems running a PoPToP server on the firewall server.
>>The reason turned out to be that I had not chosen CONFIG_IP_NF_NAT_LOCAL
>>thinking that I did not need to NAT my local connections since my local
>>machine's IP was not the same as the IP I am using for NAT. It turns out that
>>even if a connection does not satisfy any NAT rule the helper function is
>>called in do_bindings. Without CONFIG_IP_NF_NAT_LOCAL set the helper function
>>was being called for DST manipulations but not for SRC manipulations. My
>>question to netfilter gurus is shouldn't the helper function be skipped if
>>the connection doesn't satisfy any NAT rule?
> 
> 
> Mh.  If we don't have any nat mappings, we shouldn't call the helper.

We use the TCP source port of the control channel for the call ID when
NATting.  For this to work, we have to NAT both forwarded and local
connections, otherwise there is a possibility of a call ID clash.
Since the original call ID is usually different from the TCP source
port, there will be a nat mapping for local connections, and the
helper needs to be called.  If we get reservation of call IDs, then
this behaviour can be changed.

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
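
The call ID clash described in the reply above, as an added C model that is not part of the original message or of the netfilter PPTP patches. The struct, function names and sample values are hypothetical, and the model assumes all sessions reach the same PPTP server from the same source address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not netfilter code. All names here are hypothetical. */
struct pptp_ctl {
    int      local;        /* 1 = control connection originated on the NAT box itself */
    uint16_t wire_sport;   /* TCP source port of the control channel as the server sees it */
    uint16_t orig_call_id; /* call ID the PPTP client chose on its own */
};

/* Call ID the server sees: the control channel's TCP source port when the
 * NAT helper runs for this connection, otherwise the client's original ID. */
static uint16_t wire_call_id(const struct pptp_ctl *c, int nat_local)
{
    int helper_runs = !c->local || nat_local;
    return helper_runs ? c->wire_sport : c->orig_call_id;
}

/* Count pairs of sessions that present the same call ID to the server. */
static int count_clashes(const struct pptp_ctl *c, size_t n, int nat_local)
{
    int clashes = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (wire_call_id(&c[i], nat_local) == wire_call_id(&c[j], nat_local))
                clashes++;
    return clashes;
}

/* Constructed sample: two forwarded clients and one local client. TCP source
 * ports are unique because all three connect to the same server address/port. */
static const struct pptp_ctl sample[] = {
    { 0, 40001, 7 },      /* forwarded client A, call ID rewritten to 40001 */
    { 0, 40002, 7 },      /* forwarded client B, call ID rewritten to 40002 */
    { 1, 40003, 40001 },  /* local client whose own call ID happens to be 40001 */
};

int main(void)
{
    size_t n = sizeof(sample) / sizeof(sample[0]);
    printf("helper skipped for local: %d clash(es)\n", count_clashes(sample, n, 0));
    printf("helper run for local:     %d clash(es)\n", count_clashes(sample, n, 1));
    return 0;
}
```

When every connection's call ID is taken from its TCP source port, uniqueness follows from TCP port uniqueness; a single connection that keeps its self-chosen ID breaks that guarantee.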
