On Mon, May 27, 2002 at 12:32:32PM +0200, Balazs Scheidler wrote:
> As SNAT happens at NF_IP_POST_ROUTING, reply translation will be performed
> at NF_IP_PRE_ROUTING. The following DEBUG output shows what happens (enabled
> DEBUGP at the top of ip_nat_core.c):
>
> icmp reply translation, ct=c3617480, hooknum=0, ctinfo=4
> icmp_reply_translation: translating error c396f260 hook 0 dir REPLY, num_manips=2
> icmp_reply: manip 0 dir ORIG hook 4
> icmp_reply: manip 1 dir REPLY hook 0
> icmp_reply: outer DST -> 192.168.131.124
>
> As it seems the inner manip is not called, as it is registered to hook 4
> (POST_ROUTING, ORIG)
>
> As POST_ROUTING will never be called in ORIG-inal direction for this packet,
> the inner packet is never translated.
I was wrong here. The same manip is applied at different hooks (once at
PRE_ROUTING and once at POST_ROUTING).

> I see two ways of fixing the issue:
> * fix icmp_reply_translation() to perform all of its translation at the same
> time (both the inner and the outer header)
> * register a NAT hook at LOCAL_IN, and perform translation of packets
> registered at (POST_ROUTING, ORIG)
>
> The first option seems to be doable, the second is a big change, though
> seems to be cleaner.

I implemented option #1, and the patch is below. However, I'm not 100% sure
that I'm free to translate the inner packet at PREROUTING time. (It must
have had some reasons that it was performed at POST_ROUTING time.)
Functionality-wise the patch seems to work all right.

--- ip_nat_core.c.old Mon May 27 04:53:09 2002 +++ ip_nat_core.c Mon May 27 05:00:23 2002 @@ -843,7 +843,7 @@ packet, except it was never src/dst reversed, so where we would normally apply a dst manip, we apply a src, and vice versa. */ - if (info->manips[i].hooknum == opposite_hook[hooknum]) { + if (info->manips[i].hooknum == hooknum) { DEBUGP("icmp_reply: inner %s -> %u.%u.%u.%u %u\n", info->manips[i].maniptype == IP_NAT_MANIP_SRC ? "DST" : "SRC", @@ -854,9 +854,9 @@ &info->manips[i].manip, !info->manips[i].maniptype, &skb->nfcache); - /* Outer packet needs to have IP header NATed like - it's a reply. */ - } else if (info->manips[i].hooknum == hooknum) { + /* Outer packet needs to have IP header NATed like - it's a reply. */ + /* Use mapping to map outer packet: 0 give no per-proto mapping */ DEBUGP("icmp_reply: outer %s -> %u.%u.%u.%u\n",

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
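Review bot: in the @@ -843 hunk the comment directly above the changed condition still justifies the old `opposite_hook[hooknum]` test (the embedded packet was never src/dst reversed, so a manip from the opposite hook is applied with its type inverted); now that the test is `info->manips[i].hooknum == hooknum`, that comment should be rewritten to say why a manip recorded for the current hook is applied to the inner header with `!info->manips[i].maniptype`, and the finding from the mail that the same manip is recorded once for PRE_ROUTING and once for POST_ROUTING belongs in the comment or changelog, since it is the entire basis for the change.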
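Review bot: removing `} else if (info->manips[i].hooknum == hooknum) {` in the @@ -854 hunk folds the outer-header translation into the inner-translation branch, so one manip entry now rewrites both headers in a single pass and any manip whose hooknum differs from the current hook is no longer touched at all (the else-if used to cover it); the closing brace that now ends the combined block lies outside the posted context, so please include the surrounding lines or confirm the braces still balance. The two comment lines "Outer packet needs to have IP header NATed like it's a reply" are removed and re-added unchanged, which only inflates the diff, and the new comment `/* Use mapping to map outer packet: 0 give no per-proto mapping */` should be reworded into a full sentence that says which argument the 0 is and that it means no per-protocol mapping is applied.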