From mboxrd@z Thu Jan 1 00:00:00 1970 From: Friedrich Lobenstock Subject: Re: extra/pptp-conntrack-nat.patch Date: Fri, 11 Apr 2003 23:26:21 +0200 Sender: netfilter-devel-admin@lists.netfilter.org Message-ID: <3E9732FD.1010804@fl.priv.at> References: Reply-To: Netfilter Development Mailinglist Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Return-path: To: Netfilter Development Mailinglist In-Reply-To: Errors-To: netfilter-devel-admin@lists.netfilter.org List-Help: List-Post: List-Subscribe: , List-Unsubscribe: , List-Archive: List-Id: netfilter-devel.vger.kernel.org Hello! Ilguiz Latypov wrote: > > The following chart represents my understanding of the PPTP tracking > modules capabilities in their current state. I assumed that uncommenting > the "return NF_ACCEPT" statement in question is equivalent to not tracking > a connection with bad TCP checksum. [....] > > connection from connection from > behind the NAT box the NAT box itself > > good TCP bad TCP good TCP bad TCP > checksum checksum checksum checksum > > > no PPTP modules 1 1 + + For connections from behind the NAT box I can not confirm this. > > > unmodified PPTP modules + + - - > without the local NAT option > > unmodified PPTP modules + + + + > with the local NAT option > > uncommented "return NF_ACCEPT" > for bad TCP checksums + 1 - + > without the local NAT option > > uncommented "return NF_ACCEPT" > for bad TCP checksums + 1 + + > with the local NAT option > > > ------------------ > +: Any number of connections of given class is treated correctly. > -: No connection possible. > 1: Only one connection at a time will work in these cases. If this refers > to the "behind the NAT box" connections, no connections from the NAT > box itself should be allowed for this to work. > As the local nat patch is not in patch-o-matic-20030107 did not get applied to my kernel, but for me that's irrelevant, as I don't currently use pptp from the linux maschine itself. -- MfG / Regards Friedrich Lobenstock