Re: [PATCH] nf_nat: restrict ICMP translation for embedded header

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Julian Anastasov <ja@ssi.bg>
Cc: netfilter-devel@vger.kernel.org, lvs-devel@vger.kernel.org
Subject: Re: [PATCH] nf_nat: restrict ICMP translation for embedded header
Date: Wed, 13 Oct 2010 21:21:19 +0200	[thread overview]
Message-ID: <4CB606AF.4040207@trash.net> (raw)
In-Reply-To: <alpine.LFD.2.00.1010111103470.3743@ja.ssi.bg>

Am 11.10.2010 10:23, schrieb Julian Anastasov:
> 
>     Skip ICMP translation of embedded protocol header
> if NAT bits are not set. Needed for IPVS to see the original
> embedded addresses because for IPVS traffic the IPS_SRC_NAT_BIT
> and IPS_DST_NAT_BIT bits are not set. It happens when IPVS performs
> DNAT for client packets after using nf_conntrack_alter_reply
> to expect replies from real server.
> 
> Signed-off-by: Julian Anastasov <ja@ssi.bg>
> ---
> 
>     I'm not very familiar with this code, so this change
> must not be considered as trivial. May be there was a
> reason the embedded header to be translated before the NAT
> bits are set?

This seems OK to me, but I need to think about it a bit more,
this code is subtle.

next prev parent reply	other threads:[~2010-10-13 19:21 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-10-11  8:23 [PATCH] nf_nat: restrict ICMP translation for embedded header Julian Anastasov
2010-10-13 19:21 ` Patrick McHardy [this message]
2010-10-21 11:15   ` Patrick McHardy
2010-10-21 11:27     ` Simon Horman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4CB606AF.4040207@trash.net \
    --to=kaber@trash.net \
    --cc=ja@ssi.bg \
    --cc=lvs-devel@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.