[PATCH] - PPTP/GRE masquerading helper

Brad Chapman kakadu_croc@yahoo.com
Mon, 5 Nov 2001 14:48:58 -0800 (PST)


Mr. Eastep,

--- Tom Eastep <teastep@shorewall.net> wrote:
> Hi Brian,
> 
> Very glad to see that you've tackled this -- I've had it on my todo 
> list for some time but it hasn't reached the top yet :-)
> 
> I tried the patch briefly and saw the following:
> 
> a) When the first NATed PPTP connection was initiated, a PPTP session 
> from the firewall (using pptp-linux) to another PPTP server was 
> terminated. I could not restart that session.
> 
> b) The module use counts for ip_nat_pptp and ip_conntrack_pptp aren't 
> being incremented when there are active sessions with the result that 
> the modules can be removed using rmmod. Needless to say, an oops 
> follows shortly...

	This is a design flaw in the whole conntrack/NAT helper system. Currently,
there is no way to lock a module interactively so that it won't be removed while
connections are passing through it. When 2.5 opens I can try a few ideas I have
brewing...

> 
> c) I depend on an ESTABLISHED, RELATED filter rule to allow incoming GRE 
> packets; it looks like there is something wrong in that area as I saw 4 
> or 5 incoming GRE packets dropped before I shot myself in the foot by 
> removing the modules.
> 
> I'll install your patch on a test firewall so I can crash and burn 
> without taking shorewall.net down when problems occur. Hopefully I can 
> get you some more information about problems a) and c).
> 
> -Tom 

Brad 


=====
Brad Chapman

Permanent e-mail: kakadu_croc@yahoo.com
Current e-mail: kakadu@adelphia.net
Alternate e-mail: kakadu@netscape.net
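
For readers following point (c) above, the following is an added user-space model of the expectation logic a PPTP conntrack helper needs in order to classify GRE as RELATED; it is example code written for this archive page, not the patch under discussion and not code from ip_conntrack_pptp or ip_nat_pptp. It builds a PPTP Outgoing-Call-Request and Outgoing-Call-Reply (RFC 2637 section 2.7/2.8) and enhanced-GRE packets (RFC 2637 section 4.1), then shows why a GRE packet that arrives before the reply has been seen on the control channel, or one carrying the wrong call ID, has no expectation to match and is dropped by a filter rule that only accepts ESTABLISHED,RELATED. The class and function names, addresses and call IDs are all constructed for the example; NAT rewriting of call IDs and module reference counting are out of scope here.

```python
import struct

# Constants from RFC 2637
PPTP_MAGIC = 0x1A2B3C4D
PPTP_CTRL_MSG = 1
OUT_CALL_REQUEST = 7
OUT_CALL_REPLY = 8
GRE_PROTO_PPP = 0x880B  # protocol type carried by enhanced GRE for PPP


def _ctrl_header(body_len, ctrl_type):
    # Length, PPTP message type, magic cookie, control message type, reserved0
    return struct.pack("!HHIHH", 12 + body_len, PPTP_CTRL_MSG, PPTP_MAGIC, ctrl_type, 0)


def build_ocrq(call_id, serial=1):
    """Outgoing-Call-Request: client proposes its own Call ID (168 bytes total)."""
    body = struct.pack("!HHIIIIHHHH", call_id, serial, 300, 100_000_000,
                       1, 3, 64, 0, 0, 0) + b"\0" * 128  # phone number + subaddress
    return _ctrl_header(len(body), OUT_CALL_REQUEST) + body


def build_ocrp(call_id, peer_call_id, result=1):
    """Outgoing-Call-Reply: server's Call ID plus the client's as Peer's Call ID (32 bytes)."""
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, result, 0, 0,
                       10_000_000, 64, 0, 0)
    return _ctrl_header(len(body), OUT_CALL_REPLY) + body


def build_gre(call_id, seq, payload):
    """Enhanced GRE: K and S flags set, version 1, key = payload length + call ID."""
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP,
                       len(payload), call_id, seq) + payload


def parse_gre(pkt):
    """Return the call ID of an enhanced-GRE/PPP packet, or None if it is not one."""
    flags, ver, proto, _plen, call_id = struct.unpack_from("!BBHHH", pkt)
    if (ver & 0x7) != 1 or proto != GRE_PROTO_PPP or not (flags & 0x20):
        return None
    return call_id


class PptpTracker:
    """Hypothetical model of a conntrack helper: watch the TCP/1723 control
    channel and expect only the GRE flows whose call IDs it saw negotiated."""

    def __init__(self, client, server):
        self.client, self.server = client, server
        self.pending = {}      # client call IDs seen in an OCRQ, awaiting reply
        self.expected = set()  # (src, dst, call_id) GRE tuples that count as RELATED

    def control(self, src, dst, msg):
        length, mtype, magic, ctype, _ = struct.unpack_from("!HHIHH", msg)
        if magic != PPTP_MAGIC or mtype != PPTP_CTRL_MSG or length != len(msg):
            return "INVALID"
        if ctype == OUT_CALL_REQUEST and (src, dst) == (self.client, self.server):
            (cid,) = struct.unpack_from("!H", msg, 12)
            self.pending[cid] = True
            return "OCRQ"
        if ctype == OUT_CALL_REPLY and (src, dst) == (self.server, self.client):
            srv_cid, peer_cid, result = struct.unpack_from("!HHB", msg, 12)
            if result != 1 or not self.pending.pop(peer_cid, False):
                return "OCRP-REJECTED"
            # The GRE key carries the *receiver's* call ID (RFC 2637 s4.1),
            # so each direction gets its own expectation.
            self.expected.add((self.server, self.client, peer_cid))
            self.expected.add((self.client, self.server, srv_cid))
            return "OCRP"
        return "OTHER"

    def gre(self, src, dst, pkt):
        cid = parse_gre(pkt)
        if cid is None:
            return "INVALID"
        return "RELATED" if (src, dst, cid) in self.expected else "DROP"


def demo():
    """Constructed scenario: one NATed client (10.0.0.5) calling a PPTP server."""
    t = PptpTracker(client="10.0.0.5", server="198.51.100.7")
    # GRE from the server before any call was negotiated: nothing to relate it to
    early = t.gre("198.51.100.7", "10.0.0.5", build_gre(0x1234, 0, b"\xff\x03"))
    t.control("10.0.0.5", "198.51.100.7", build_ocrq(0x1234))
    t.control("198.51.100.7", "10.0.0.5", build_ocrp(0x00AB, 0x1234))
    inbound = t.gre("198.51.100.7", "10.0.0.5", build_gre(0x1234, 0, b"\xff\x03"))
    outbound = t.gre("10.0.0.5", "198.51.100.7", build_gre(0x00AB, 0, b"\xff\x03"))
    # Server mistakenly keys with its own call ID instead of the client's
    wrong = t.gre("198.51.100.7", "10.0.0.5", build_gre(0x00AB, 1, b"\xff\x03"))
    return early, inbound, outbound, wrong


if __name__ == "__main__":
    print(demo())
```

The first result in demo() is the situation Tom describes: until the helper has parsed the Outgoing-Call-Reply, there is no expectation, and a RELATED-only rule drops the GRE. Because each client chooses its call ID independently, two masqueraded clients can pick the same one, which is the reason a NAT helper must also rewrite call IDs in both the control messages and the GRE key; that part is deliberately not modelled here.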
