On Mon, Jun 03, 2002 at 12:06:38PM +0800, luoqiang wrote:
> Hi, all
>
> Sorry to resend this mail; the last mail could not be seen.
> I am writing a DNAT module to achieve the purpose which is identical to
> "iptables -A PREROUTING -t nat -p udp -d 159.226.1.1 --dport 5000 -j DNAT
> --to 192.168.1.2:5000".
>
> host A-------------------------------->host B------------------------------------->host C
> 159.226.1.2--------------->159.226.1.1/192.168.1.1--------------->192.168.1.2
>
> I have read the hacking howto and have finished the conntrack module, which
> can be seen in the "proc/net/ip_conntrack"
> file of host B as "EXPECTING : proto=17 src=0 dst=159.226.1.1 sport=0
> dport=5000"
> But something is wrong in my nat module.
> After loading the module, no DNAT happened. :-(
> There are some questions I don't understand.
> 1. What's the function of foo_help in struct ip_nat_helper? I do nothing here.

to mangle (nat) the payload of the master connection (i.e. if it contains
an internal IP address sent by the client behind SNAT to the server).

> 2. What's the function of struct ip_nat_multi_range here? What's the function
> of struct ip_nat_range range[0] and struct ip_nat_range range[1]? (I don't
> know what's the meaning of " hangs off end. ")

hangs off end == after the end of the structure

> 3. How to configure the struct ip_nat_multi_range when doing DNAT?

look at line 81... of ip_nat_ftp.c

> 4. If I want to close the port after opening it in a module, how can I do it?

how do you open a port in a module? everything you do is creating
conntrack entries and NAT bindings.

> my code is here:
> ......
> static int foo_nat_expected(struct sk_buff **pksb,
>                             unsigned int hooknum,
>                             struct ip_conntrack *ct,
>                             struct ip_nat_info *info,
>                             struct ip_conntrack *master,
>                             struct ip_nat_info *masterinfo,
>                             unsigned int *verdict)
>
> {
>     struct ip_nat_multi_range mr;
>     u_int32_t newdstip = 0x0201a8c0;
>     if (HOOK2MANIP(hooknum)==IP_NAT_MANIP_DST){
>
>         mr.rangesize=1;
>         mr.range[0].flags = IP_NAT_RANGE_PROTO_SPECIFIED; // I don't know what's the meaning here

PROTO_SPECIFIED == NAT of port
IP == NAT of IP address

please look more detailed at the other available examples.

> luoqiang

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED] http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
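Added example, not part of the original message or of the netfilter sources: a user-space sketch of the points discussed above, showing what "hangs off end" means for `struct ip_nat_multi_range` and how one range is filled for DNAT to 192.168.1.2:5000. The structures are simplified stand-ins modelled on the Linux 2.4 `ip_nat.h` definitions; `union manip_proto` and the helpers `mr_alloc`, `mr_range` and `dnat_range` are hypothetical names introduced here.

```c
/* User-space stand-ins modelled on Linux 2.4 ip_nat.h (simplified). */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IP_NAT_RANGE_MAP_IPS         1 /* rewrite the IP address */
#define IP_NAT_RANGE_PROTO_SPECIFIED 2 /* rewrite the port as well */

union manip_proto { uint16_t all; struct { uint16_t port; } udp; };

struct ip_nat_range {
    unsigned int flags;
    uint32_t min_ip, max_ip;    /* network byte order */
    union manip_proto min, max; /* network byte order */
};

struct ip_nat_multi_range {
    unsigned int rangesize;
    struct ip_nat_range range[1]; /* hangs off end */
};

/* Hypothetical helper: room for n ranges; entries 1..n-1 sit in the
 * memory allocated past sizeof(struct ip_nat_multi_range). */
struct ip_nat_multi_range *mr_alloc(unsigned int n)
{
    struct ip_nat_multi_range *mr;
    if (n == 0)
        return NULL;
    mr = calloc(1, sizeof(*mr) + (n - 1) * sizeof(struct ip_nat_range));
    if (mr)
        mr->rangesize = n;
    return mr;
}

/* Hypothetical helper: bounds-checked access to entry i. */
struct ip_nat_range *mr_range(struct ip_nat_multi_range *mr, unsigned int i)
{
    char *base = (char *)mr + offsetof(struct ip_nat_multi_range, range);
    return i < mr->rangesize ? (struct ip_nat_range *)base + i : NULL;
}

/* Hypothetical helper: DNAT to exactly one address and one UDP port. */
void dnat_range(struct ip_nat_range *r, const char *ip, uint16_t port)
{
    memset(r, 0, sizeof(*r));
    r->flags = IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED;
    r->min_ip = r->max_ip = inet_addr(ip);
    r->min.udp.port = r->max.udp.port = htons(port);
}
```

In a 2.4 NAT helper the filled structure is what gets handed to `ip_nat_setup_info()`; a single range fits in a stack-allocated `struct ip_nat_multi_range`, so the extra allocation is only needed when `rangesize` is greater than 1.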