From: Patrick McHardy <kaber@trash.net>
To: "Jorge Boncompte [DTI2]" <jorge@dti2.net>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] xx_nat_proto_gre: do not modify/corrupt GREv0 packets thought NAT
Date: Wed, 02 May 2007 15:52:56 +0200
Message-ID: <463897B8.1090306@trash.net>
In-Reply-To: <029801c78cc0$91179600$061010ac@intranet.dti2.net>

Jorge Boncompte [DTI2] wrote:
> ----- Original Message ----- From: "Patrick McHardy" <kaber@trash.net>
>> I think the problem with this is that we don't know whether both keys
>> are identical at connection setup time and thus might fail to even
>> track the connection if they are not.
>
>
> Yes, you are right, we don't know if both keys are identical as there
> is nothing like a "key exchange" before. So we will only support, as I
> stated, the connections that have the same key. And I did not even try
> to DNAT the packets.

The problem is that this at the same time causes us *not* to work
properly anymore with connections with different keys, right?

> I have not thought much about it but for a "full" (only connections
> with same key) solution we would need something alongside the
> xt_tcpudp.c (and userspace code) where we could match different keys to
> allow the DNAT code to redirect the connections to different hosts.
> The SNAT part only should be easy but I don't know if that is likely
> to be accepted. What's your opinion?

I'll take a patch if it doesn't break something else (like connections
with different keys).

Thread overview: 10+ messages
2007-04-19 16:18 [PATCH] xx_nat_proto_gre: gre_key returns wrong pointer Jorge Boncompte [DTI2]
2007-04-24 12:50 ` Patrick McHardy
2007-04-26 17:34 ` Jorge Boncompte [DTI2]
2007-04-27 11:21 ` Patrick McHardy
2007-04-27 11:47 ` [PATCH] xx_nat_proto_gre: do not modify/corrupt GREv0 packets thought NAT Jorge Boncompte [DTI2]
2007-05-02 12:25 ` Patrick McHardy
2007-05-02 13:21 ` Jorge Boncompte [DTI2]
2007-05-02 13:23 ` Patrick McHardy
2007-05-02 13:48 ` Jorge Boncompte [DTI2]
2007-05-02 13:52 ` Patrick McHardy [this message]