* T/TCP connections not NATed
@ 2006-12-04 8:23 Frederik Deweerdt
2006-12-04 14:45 ` Pascal Hambourg
0 siblings, 1 reply; 2+ messages in thread
From: Frederik Deweerdt @ 2006-12-04 8:23 UTC (permalink / raw)
To: netfilter
Hi,
We're trying to use a home brewed T/TCP stack in addition to Linux plain
SNAT. Everything works as expected, except for the first packet, which
is not NATed. Communication is as follows:
C S
1. SYN*
2. DATA
3. SYN/ACK*
4. ACK*
5. REST_OF_COM*
[*] The packet is NATed
Our hypothesis du jour, is that packet #2 is not NATed because it is
not currently part of a connection from netfilter point of view. Hence
my questions:
- Does our hypothesis seem you reasonable?
- If yes, is it possible to tell NAT to ignore the connection
tracking informations, and NAT all the packets getting out of
a given interface
- If not, what do you reckon could be the cause for having the
#2 packet not NATed?
Thanks,
Frederik
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: T/TCP connections not NATed
2006-12-04 8:23 T/TCP connections not NATed Frederik Deweerdt
@ 2006-12-04 14:45 ` Pascal Hambourg
0 siblings, 0 replies; 2+ messages in thread
From: Pascal Hambourg @ 2006-12-04 14:45 UTC (permalink / raw)
To: netfilter
Hello,
Frederik Deweerdt a écrit :
>
> We're trying to use a home brewed T/TCP stack in addition to Linux plain
> SNAT. Everything works as expected, except for the first packet, which
> is not NATed.
I guess you mean the _second_ packet ?
> Communication is as follows:
>
> C S
> 1. SYN*
> 2. DATA
> 3. SYN/ACK*
> 4. ACK*
> 5. REST_OF_COM*
>
> [*] The packet is NATed
>
>
> Our hypothesis du jour, is that packet #2 is not NATed because it is
> not currently part of a connection from netfilter point of view. Hence
> my questions:
> - Does our hypothesis seem you reasonable?
Yes. A TCP data segment before the end of the 3-way handshake is not
supposed to happen in standard TCP, so the TCP connection tracking in
kernel >= 2.6.9 considers such packet as INVALID, and the NAT skips
INVALID packets. You can check this by logging packets in the INVALID
state with LOG rules.
> - If yes, is it possible to tell NAT to ignore the connection
> tracking informations, and NAT all the packets getting out of
> a given interface
You cannot tell stateful NAT (iptables NAT) to ignore the connection
tracking informations because it needs them to work properly. But you
can try to tell the connection tracking to be less strict with TCP
connections by setting the kernel parameter
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 1. I suppose
packet #2 should be seen in the NEW state with this setting, so don't
drop or reject non-SYN TCP packets which are in the NEW state.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2006-12-04 14:45 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-12-04 8:23 T/TCP connections not NATed Frederik Deweerdt
2006-12-04 14:45 ` Pascal Hambourg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox