On Mon, Nov 05, 2001 at 10:09:26AM -0800, Brian Kuschak wrote:
> Here's my first try at a PPTP helper module for netfilter. The patch is
> against 2.4.12. Testing so far has shown that it works with multiple PPTP
> clients (windows only tested so far). There are two known problems:
First of all, thanks again for your valuable netfilter/iptables contribution.

As you might know, I had already started implementing a PPTP conntrack/NAT helper back in 2000 (there should be some articles about it in the list archives). Unfortunately I never finished the project and almost forgot about it. Your submission of a pptp conntrack/nat helper reminded me again about this topic.

I had an in-depth look at the source code of your helper, and found several issues:

- It assumes that all GRE traffic is PPTP (there are other GRE-based protocols).
- GRE (a layer-four protocol) is implemented using an application layer helper. As a result, the connection tracking core doesn't really know about GRE data connections (and isn't showing them correctly in /proc/net/ip_conntrack). Also, the NAT core is not used for GRE NAT alterations - but instead a helper function is called for every packet of the data connection.
- It is missing size checks at several places. Short packets could make the code read past the end of the packet.
- It assumes that TCP headers are fixed-length.

Resulting from the fundamentally different design of an application helper and a layer-four protocol helper, it would have been difficult to convert your code. However, I have now finished my implementation of a GRE conntrack/NAT protocol helper and PPTP conntrack/nat application helper. It is based very much on Gordon Chafee's 2.2.x ip_masq_pptp code, and I've also stolen some ideas from your code :)

I'm really sorry that this ended up this way. It's a very bad feeling to duplicate the effort of other people :(. I really don't want to harm your motivation with regard to contributing to netfilter/iptables... Please feel free to flame me if you want...

I would be happy if you (and everybody else) could have a look at the new pptp-gre-ct-nat-0.83 patch which is now in patch-o-matic (btw: it needs all p-o-m patches from the 'pending' section).
I would be interested in testing, especially with non-linux clients and servers. Every feedback is appreciated. Thanks.

> Regards,
> Brian Kuschak

-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
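Three of the review points above (missing size checks on short packets, the assumption of a fixed-length TCP header, and treating every GRE packet as PPTP) are shown together in the added userspace C example below. It is not code from either patch or from netfilter; the byte layouts follow RFC 791 (IPv4), RFC 793 (TCP) and RFC 2637 (PPTP control messages and enhanced GRE), while the function names, the PPTP_*/result constants and the three embedded sample packets are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not netfilter code. Layouts: RFC 791 (IPv4), RFC 793 (TCP),
 * RFC 2637 (PPTP control messages and enhanced GRE). All names are ours. */

static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

#define PPTP_PORT      1723
#define PPTP_MAGIC     0x1A2B3C4Du
#define PPTP_MSG_CTRL  1
#define PPTP_CTRL_HDR  12   /* length(2) msg type(2) magic(4) ctrl type(2) reserved(2) */

enum { PPTP_OK = 0, PPTP_TOO_SHORT = -1, PPTP_NOT_PPTP = -2 };

struct pptp_ctrl {
    uint16_t length;     /* message length as declared on the wire */
    uint16_t ctrl_type;  /* 1 = Start-Control-Connection-Request, 5 = Echo-Request, ... */
};

/* Offset of the TCP payload inside an IPv4 packet of len bytes, or 0 when the
 * IP or TCP header (including TCP options) does not fit in len. IHL and the
 * TCP data offset are both read from the packet: 20 bytes is the minimum TCP
 * header, not a constant. */
size_t tcp_payload_offset(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len || len - ihl < 20) return 0;   /* IP or TCP fixed part truncated */
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    if (doff < 20 || doff > len - ihl) return 0;             /* TCP options truncated */
    return ihl + doff;
}

/* Validate a PPTP control message carried in a raw IPv4/TCP packet. Every
 * field is read only after the bytes holding it are known to lie within len,
 * and the declared message length is checked against what was received. */
int pptp_parse_ctrl(const uint8_t *pkt, size_t len, struct pptp_ctrl *out)
{
    size_t off = tcp_payload_offset(pkt, len);
    if (off == 0) return PPTP_TOO_SHORT;
    const uint8_t *tcp = pkt + (size_t)(pkt[0] & 0x0f) * 4;
    if (be16(tcp) != PPTP_PORT && be16(tcp + 2) != PPTP_PORT) return PPTP_NOT_PPTP;
    size_t avail = len - off;
    if (avail < PPTP_CTRL_HDR) return PPTP_TOO_SHORT;
    const uint8_t *m = pkt + off;
    uint16_t length = be16(m);
    if (be16(m + 2) != PPTP_MSG_CTRL || be32(m + 4) != PPTP_MAGIC) return PPTP_NOT_PPTP;
    if (length < PPTP_CTRL_HDR || length > avail) return PPTP_TOO_SHORT;  /* declared > received */
    if (out) { out->length = length; out->ctrl_type = be16(m + 8); }
    return PPTP_OK;
}

/* Control type on success, otherwise the negative PPTP_* code. */
int pptp_ctrl_type(const uint8_t *pkt, size_t len)
{
    struct pptp_ctrl c;
    int rc = pptp_parse_ctrl(pkt, len, &c);
    return rc == PPTP_OK ? (int)c.ctrl_type : rc;
}

/* PPTP data packets use "enhanced GRE" (RFC 2637 section 4): version 1,
 * protocol type 0x880B, Key present (payload length + Call ID), C and R
 * clear. Plain GRE tunnels (RFC 2784, version 0) must not be taken for PPTP.
 * Returns the Call ID, which is what a conntrack helper would match against
 * the expectation set up from the control channel, or -1. */
int gre_pptp_call_id(const uint8_t *gre, size_t len)
{
    if (len < 4) return -1;
    uint16_t flags = be16(gre);
    if ((flags & 0x0007) != 1 || be16(gre + 2) != 0x880B) return -1;
    if ((flags & 0xC000) || !(flags & 0x2000)) return -1;      /* C or R set, or no Key */
    size_t need = 8 + ((flags & 0x1000) ? 4 : 0) + ((flags & 0x0080) ? 4 : 0); /* S, A words */
    if (len < need) return -1;
    return be16(gre + 6);                                        /* low half of Key = Call ID */
}

/* Constructed sample packets for this example (not captures). */
static const uint8_t sample_pptp_echo[] = {
    /* IPv4, 20 bytes: IHL 5, total length 60, protocol TCP, 10.0.0.1 -> 10.0.0.2 */
    0x45,0x00,0x00,0x3c, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    /* TCP, 24 bytes: sport 49152, dport 1723, data offset 6 (four NOP option bytes) */
    0xc0,0x00,0x06,0xbb, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x60,0x18,0xff,0xff, 0x00,0x00,0x00,0x00, 0x01,0x01,0x01,0x01,
    /* PPTP Echo-Request, 16 bytes: length 16, msg type 1, magic, ctrl type 5, reserved, id 1 */
    0x00,0x10,0x00,0x01, 0x1a,0x2b,0x3c,0x4d, 0x00,0x05,0x00,0x00, 0x00,0x00,0x00,0x01,
};
static const uint8_t sample_gre_pptp[] = {
    0x30,0x01, 0x88,0x0b,   /* K and S set, version 1, protocol 0x880B */
    0x00,0x20, 0x00,0x07,   /* Key: payload length 32, Call ID 7 */
    0x00,0x00,0x00,0x01,    /* sequence number (present because S is set) */
};
static const uint8_t sample_gre_ipip[] = { 0x00,0x00, 0x08,0x00, 0x45,0x00,0x00,0x14 }; /* RFC 2784 GRE over IPv4 */

int main(void)
{
    size_t n = sizeof sample_pptp_echo;
    printf("payload at %zu, ctrl type %d\n", tcp_payload_offset(sample_pptp_echo, n), pptp_ctrl_type(sample_pptp_echo, n));
    printf("same packet cut to 56 bytes: %d\n", pptp_parse_ctrl(sample_pptp_echo, 56, NULL));
    printf("PPTP GRE call id %d, plain GRE %d\n", gre_pptp_call_id(sample_gre_pptp, sizeof sample_gre_pptp),
           gre_pptp_call_id(sample_gre_ipip, sizeof sample_gre_ipip));
    return 0;
}
```

Reading the payload at a fixed offset of 40 would land on the four NOP option bytes of the sample packet and never see the magic cookie, and cutting the same packet to 56 bytes makes the declared length (16) exceed the bytes actually held, which is the read-past-end case the review points at. In a kernel helper the same arithmetic is done against skb->len (and pskb_may_pull) rather than a flat buffer, but the checks are identical.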