On Monday 08 July 2002 1:31 pm, Tsachi Sharfman wrote:
> Hi,
>
> I would like to add a NAT rule on a gateway while connections are passing
> through it, and have the rule apply to existing connections. I understand
> this is not the behavior when the rule is simply added to the NAT table,
> since netfilter consults the NAT table only for the first packet of the
> connection. I assume that if I can delete the connection tracking information
> on the gateway, then once a packet belonging to an existing connection passes
> through the gateway netfilter will regard it as a new connection (since
> there is no connection tracking information for it), and apply the new NAT
> rules to that existing connection. My questions are:
>
> 1. Is my assumption correct?
Depends on whether you're talking about TCP connections or not.

If you are talking about TCP, then I do not believe this assumption is
valid, because only the very first packet of a connection contains the SYN
flag, and only the second packet contains the SYN/ACK, which are the first
two steps of the TCP three-way handshake. Without those the connection
tracking system won't set up an ESTABLISHED connection, and the automatic
NAT rules won't apply.

However, a more serious problem is: what do you possibly want to change in
the NAT rules for a connection which is currently in progress, which isn't
going to seriously upset either the client or the server on the ends of the
connection?

Antony.
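Editor's note: the following is a small model, added here for illustration and not code from netfilter or from either poster, of the mechanism the two messages above argue about. A conntrack entry is created for the first packet of a flow, and that is the only moment the NAT table is consulted; the mapping chosen then is stored in the entry and replayed for every later packet, so a rule added afterwards cannot touch an existing flow. The `tcp_loose` knob is an assumption that mirrors the `nf_conntrack_tcp_loose` sysctl of later kernels: with it off, a non-SYN packet that has no entry is INVALID rather than NEW (the case Antony describes); with it on, the packet is picked up as a new flow, the new DNAT rule rewrites it mid-stream, and the far end sees a packet for a connection it never set up (the damage his second point warns about). Addresses, ports and the rule are constructed sample data.

```python
"""Toy model of netfilter conntrack + NAT (added example, not netfilter code).

Simplifications: a single DNAT rule list, TCP only, one direction, and the
conntrack entry records only the NAT decision taken for the flow's first packet.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only on the first packet of a TCP connection


@dataclass
class Entry:
    original: tuple     # (src, sport, dst, dport) as first seen by the gateway
    mapped_dst: tuple   # (dst, dport) every packet of the flow is rewritten to;
                        # equals the original destination if no rule matched then


class Gateway:
    def __init__(self, tcp_loose: bool = True):
        # Assumption: models nf_conntrack_tcp_loose. True = pick up a TCP flow
        # from a non-SYN packet; False = such a packet is INVALID, no entry made.
        self.tcp_loose = tcp_loose
        self.dnat_rules: list[tuple[str, int, str, int]] = []   # (dst, dport, to_dst, to_dport)
        self.conntrack: dict[tuple, Entry] = {}

    def add_dnat_rule(self, dst: str, dport: int, to_dst: str, to_dport: int) -> None:
        self.dnat_rules.append((dst, dport, to_dst, to_dport))

    def flush_conntrack(self) -> None:
        """What the original poster proposes: forget every tracked connection."""
        self.conntrack.clear()

    def _lookup_nat(self, pkt: Packet) -> tuple:
        for dst, dport, to_dst, to_dport in self.dnat_rules:
            if pkt.dst == dst and pkt.dport == dport:
                return (to_dst, to_dport)
        return (pkt.dst, pkt.dport)

    def forward(self, pkt: Packet) -> tuple:
        """Return (conntrack verdict, packet as it leaves the gateway)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.conntrack.get(key)
        if entry is None:
            if not pkt.syn and not self.tcp_loose:
                # Strict tracking: no handshake seen, so no entry and no NAT;
                # a typical ruleset drops INVALID packets.
                return ("INVALID", pkt)
            # First packet of a new (or newly picked-up) flow: the ONLY time
            # the NAT table is consulted. The result is frozen into the entry.
            entry = Entry(key, self._lookup_nat(pkt))
            self.conntrack[key] = entry
            verdict = "NEW"
        else:
            verdict = "ESTABLISHED"   # replay the stored mapping, ignore the NAT table
        out = Packet(pkt.src, pkt.sport, entry.mapped_dst[0], entry.mapped_dst[1], pkt.syn)
        return (verdict, out)


def scenario(tcp_loose: bool = True) -> list:
    """Constructed walk-through: a flow starts, a DNAT rule is added mid-flow,
    then conntrack is flushed. Returns the list of (verdict, outgoing packet)."""
    gw = Gateway(tcp_loose)
    client = ("10.0.0.5", 40000)
    syn = Packet(*client, "198.51.100.10", 80, syn=True)
    ack = Packet(*client, "198.51.100.10", 80)          # mid-stream data/ACK segment
    results = [gw.forward(syn)]                          # NEW, no rule yet: untranslated
    gw.add_dnat_rule("198.51.100.10", 80, "192.0.2.20", 8080)
    results.append(gw.forward(ack))                      # ESTABLISHED: entry predates the rule
    fresh = Packet("10.0.0.6", 40001, "198.51.100.10", 80, syn=True)
    results.append(gw.forward(fresh))                    # NEW flow: DNAT applied
    gw.flush_conntrack()
    # loose: the old flow's ACK is NEW again and is rewritten to 192.0.2.20:8080,
    # which has no such connection and will RST it; strict: INVALID, dropped.
    results.append(gw.forward(ack))
    return results


if __name__ == "__main__":
    for loose in (True, False):
        print(f"tcp_loose={loose}")
        for verdict, pkt in scenario(loose):
            print(f"  {verdict:11s} -> {pkt.dst}:{pkt.dport}")
```

Either way the poster's goal is not reached cleanly: with strict tracking the surviving packets of the old connection are dropped, and with loose pickup they are delivered to a host that never completed a handshake for them.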