On Sat, Aug 06, 2005 at 06:17:56PM +0200, Harald Welte wrote:
> Ok, I re-thought. Given the following assumptions (combined from your
> three mails):
>
> 1) tcp/udp packets are matched by NOTRACK
> 2) icmp errors for packets in '1' are matched by NOTRACK
> 3) there are no NAT rules that affect the packets in '1' and '2'
Yes, that holds true in my setup.

> I see a case where packets get corrupted within iptable_nat. Please try
> the (untested) patch attached to my mail.

Tested, works for me, thank you.

> Still, my initial comments about this being an invalid setup uphold.
> The NAT code needs to see all packets/connections in order to learn
> about used port/ip tuples. Otherwise, when allocating a tuple, it could
> reuse a tuple that is already used by a non-NAT'ed connection.

It depends on the rules, doesn't it? In my case, it cannot.

> So using nat in combination with NOTRACK should be prevented. I'll hack
> up a patch for that, too.
>
> --
> - Harald Welte <[EMAIL PROTECTED]>           http://gnumonks.org/
> ============================================================================
> "Privacy in residential applications is a desirable marketing option."
>                                                   (ETSI EN 300 175-7 Ch. A6)

> [NETFILTER] don't try to do any NAT on untracked connections
>
> With the introduction of 'rustynat' in 2.6.11, the old tricks of preventing
> NAT of 'untracked' connections (e.g. NOTRACK target in 'raw' table) are no
> longer sufficient. The ip_conntrack_untracked.status |= IPS_NAT_DONE_MASK
> effectively prevents iteration of the 'nat' table, but doesn't prevent
> nat_packet() from being executed. Since nr_manips is gone in 'rustynat',
> nat_packet() now implicitly thinks that it has to do NAT on the packet.
>
> This patch fixes that problem by explicitly checking for
> ip_conntrack_untracked in ip_nat_fn().
>
> Signed-off-by: Harald Welte <[EMAIL PROTECTED]>
>
> ---
> commit c16fd4ffed6349d0888cd97a75d04394dac42021
> tree b4f0e73c7c36f3a52b23593c40f1f49353ba67e3
> parent 4d08142e287f852db3f4bfd614f2d73521bd7f07
> author Harald Welte <[EMAIL PROTECTED]> Sa, 06 Aug 2005 18:11:00 +0200
> committer Harald Welte <[EMAIL PROTECTED]> Sa, 06 Aug 2005 18:11:00 +0200
>
>  net/ipv4/netfilter/ip_nat_standalone.c |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
> --- a/net/ipv4/netfilter/ip_nat_standalone.c
> +++ b/net/ipv4/netfilter/ip_nat_standalone.c
> @@ -100,6 +100,10 @@ ip_nat_fn(unsigned int hooknum,
>  		return NF_ACCEPT;
>  	}
>  
> +	/* Don't try to NAT if this packet is not conntracked */
> +	if (ct == &ip_conntrack_untracked)
> +		return NF_ACCEPT;
> +
>  	switch (ctinfo) {
>  	case IP_CT_RELATED:
>  	case IP_CT_RELATED+IP_CT_IS_REPLY:

With best regards,
Vladimir Savkin.

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
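Review bot: the comment on the added check, `/* Don't try to NAT if this packet is not conntracked */`, describes the wrong case. A packet that hit NOTRACK is not "not conntracked": it carries a conntrack reference to the shared ip_conntrack_untracked placeholder, which is exactly what the pointer comparison `if (ct == &ip_conntrack_untracked)` tests. Suggest wording that matches the commit message, e.g. `/* Packet hit NOTRACK (ip_conntrack_untracked): never NAT it */`, and adding one line on why the identity check is needed although the description says the placeholder already has IPS_NAT_DONE_MASK set in its status: per the description, that bit only stops the 'nat' table from being iterated and, with nr_manips gone, no longer keeps nat_packet() from running. Also, the comparison is only meaningful once ct is known to be non-NULL; the hunk's leading context (`return NF_ACCEPT;` / `}`) suggests the NULL case returns directly above, but that condition is outside the hunk, so please widen the context or state the dependency in the comment so the ordering is not accidentally broken by a later edit.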
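The three assumptions Harald lists (tcp/udp flows matched by NOTRACK, their icmp errors matched by NOTRACK, and no NAT rule touching either) written out as iptables rules, as an added example that is not part of the thread and not code from either poster. The interface name eth0, the 10.0.0.0/24 LAN prefix, port 5060 and the function names are placeholders chosen for illustration; setting IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: the NOTRACK + NAT setup described in
# the mails, expressed as iptables rules for a 2.6-era box.
# WAN_IF, LAN_NET and UNTRACKED_PORT are assumed placeholder values.
# Usage:  sh notrack-nat.sh apply        (loads the rules)
#         IPTABLES=echo sh notrack-nat.sh apply   (dry run, prints them)
set -eu

IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-10.0.0.0/24}
UNTRACKED_PORT=${UNTRACKED_PORT:-5060}   # assumed tcp/udp service kept out of conntrack

# 1) tcp/udp to or from the exempted port bypasses conntrack. The raw table
#    is traversed before conntrack, which is why NOTRACK lives there; both
#    directions and locally generated traffic (OUTPUT) need a rule.
notrack_l4_rules() {
    for chain in PREROUTING OUTPUT; do
        for proto in tcp udp; do
            $IPTABLES -t raw -A "$chain" -p "$proto" --dport "$UNTRACKED_PORT" -j NOTRACK
            $IPTABLES -t raw -A "$chain" -p "$proto" --sport "$UNTRACKED_PORT" -j NOTRACK
        done
    done
}

# 2) icmp errors for those flows. Without conntrack state they can never be
#    classified as RELATED, so they are exempted by icmp type instead.
notrack_icmp_rules() {
    for chain in PREROUTING OUTPUT; do
        for type in destination-unreachable time-exceeded parameter-problem source-quench; do
            $IPTABLES -t raw -A "$chain" -p icmp --icmp-type "$type" -j NOTRACK
        done
    done
}

# 3) NAT only what conntrack actually tracks. Excluding UNTRACKED explicitly
#    keeps assumption 3 true even if the port list above changes later.
nat_rules() {
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -m state ! --state UNTRACKED -j MASQUERADE
}

emit_rules() {
    notrack_l4_rules
    notrack_icmp_rules
    nat_rules
}

if [ "${1:-}" = apply ]; then
    emit_rules
fi
```

Rule 3 only guarantees that no NAT rule matches the untracked packets; it does nothing about the objection Harald raises in the quoted mail, namely that the NAT engine never sees these flows and so may hand out a source port that one of them is already using. Whether that can happen on a given box depends on the address and port ranges the NAT rules are allowed to allocate from, which is the point Vladimir makes in reply.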