[PATCH] - PPTP/GRE masquerading helper
Mon, 5 Nov 2001 14:48:58 -0800 (PST)
--- Tom Eastep <firstname.lastname@example.org> wrote:
> Hi Brian,
> Very glad to see that you've tackled this -- I've had it on my todo
> list for some time but it hasn't reached the top yet :-)
> I tried the patch briefly and saw the following:
> a) When the first NATed PPTP connection was initiated, a PPTP session
> from the firewall (using pptp-linux) to another PPTP server was
> terminated. I could not restart that session.
> b) The module use counts for ip_nat_pptp and ip_conntrack_pptp aren't
> being incremented when there are active sessions with the result that
> the modules can be removed using rmmod. Needless to say, an oops
> follows shortly...
This is a design flaw in the whole conntrack/NAT helper system. Currently,
there is no way to lock a module interactively so that it won't be removed while
connections are passing through it. When 2.5 opens I can try a few ideas I have
> c) I depend on an ESTABLISHED, RELATED filter rule to allow incoming GRE
> packets; it looks like there is something wrong in that area as I saw 4
> or 5 incoming GRE packets dropped before I shot myself in the foot by
> removing the modules.
> I'll install your patch on a test firewall so I can crash and burn
> without taking shorewall.net down when problems occur. Hopefully I can
> get you some more information about problems a) and c).
Permanent e-mail: email@example.com
Current e-mail: firstname.lastname@example.org
Alternate e-mail: email@example.com
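An added example, not code from the thread or from the patch under discussion, covering point (b) from the defender's side: since the helper modules do not raise their use count while sessions are live, check the connection-tracking table for GRE entries before running rmmod rather than relying on the kernel to refuse. It assumes the 2.4-style /proc/net/ip_conntrack and /proc/modules layouts (protocol name, respectively module name, in the first column); the sample tables are constructed.

```shell
#!/bin/sh
# Added example (not part of the thread). ASSUMPTION: 2.4-style
# /proc/net/ip_conntrack with the protocol name in column 1, and
# /proc/modules as "name size use_count ...". Sample data is constructed.

# count_gre_entries FILE -> number of tracked connections whose protocol is gre
count_gre_entries() {
    awk '$1 == "gre" { n++ } END { print n + 0 }' "$1"
}

# module_use_count FILE NAME -> use count column of /proc/modules,
# or -1 when the module is not loaded
module_use_count() {
    awk -v m="$2" '$1 == m { print $3; found = 1 } END { if (!found) print -1 }' "$1"
}

# safe_to_unload CONNTRACK_FILE -> succeeds only when no GRE sessions are tracked
safe_to_unload() {
    [ "$(count_gre_entries "$1")" -eq 0 ]
}

# unload_pptp_helpers: the operational procedure; rmmod only runs when the
# check passes, which avoids the oops described in point (b)
unload_pptp_helpers() {
    if safe_to_unload /proc/net/ip_conntrack; then
        rmmod ip_nat_pptp && rmmod ip_conntrack_pptp
    else
        echo "refusing to unload: GRE/PPTP sessions are still tracked" >&2
        return 1
    fi
}

# Constructed sample: one PPTP control connection plus its GRE data channel
SAMPLE_CT=$(mktemp)
SAMPLE_MOD=$(mktemp)
trap 'rm -f "$SAMPLE_CT" "$SAMPLE_MOD"' EXIT
cat > "$SAMPLE_CT" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=1042 dport=1723 src=203.0.113.5 dst=198.51.100.2 sport=1723 dport=1042 [ASSURED] use=1
gre     47 599 src=192.168.1.10 dst=203.0.113.5 src=203.0.113.5 dst=198.51.100.2 [ASSURED] use=1
udp     17 29 src=192.168.1.10 dst=192.168.1.1 sport=1024 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=1024 use=1
EOF
cat > "$SAMPLE_MOD" <<'EOF'
ip_nat_pptp             2048   0 (unused)
ip_conntrack_pptp       3072   0 (unused)
ip_conntrack           20480   2 [ip_nat_pptp ip_conntrack_pptp]
EOF
```

Against the constructed table the use counts read 0 while a GRE session is still tracked, which is exactly the state in which rmmod would succeed and the oops would follow; the check refuses to unload.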