[PATCH] - PPTP/GRE masquerading helper

Tom Eastep teastep@shorewall.net
Mon, 5 Nov 2001 14:06:57 -0800


Hi Brian,

On Monday 05 November 2001 10:09 am, Brian Kuschak wrote:
> Here's my first try at a PPTP helper module for netfilter.  The patch
> is against 2.4.12.  Testing so far has shown that it works with
> multiple PPTP clients (windows only tested so far).  There are two
> known problems:
>
> 1) if you are using an SNAT pool with more than one address, it
> doesn't work
> 2) one person reported not being able to use more than 4
> simultaneous clients
>
> After applying, make menuconfig and select the PPTP Masq under
> netfilter options.
>
> Any feedback/testing would be appreciated.  Thanks to all those who have
> done so already!
>

Very glad to see that you've tackled this -- I've had it on my todo
list for some time but it hasn't reached the top yet :-)

I tried the patch briefly and saw the following:

a) When the first NATed PPTP connection was initiated, a PPTP session
from the firewall (using pptp-linux) to another PPTP server was
terminated. I could not restart that session.

b) The module use counts for ip_nat_pptp and ip_conntrack_pptp aren't
being incremented when there are active sessions with the result that
the modules can be removed using rmmod. Needless to say, an oops
follows shortly...

c) I depend on an ESTABLISHED, RELATED filter rule to allow incoming GRE
packets; it looks like there is something wrong in that area as I saw 4
or 5 incoming GRE packets dropped before I shot myself in the foot by
removing the modules.

I'll install your patch on a test firewall so I can crash and burn
without taking shorewall.net down when problems occur. Hopefully I can
get you some more information about problems a) and c).

-Tom
-- 
Tom Eastep    \  teastep@shorewall.net
AIM: tmeastep  \  http://www.shorewall.net
ICQ: #60745924  \_________________________