New NAT/Conntrack modules (NetBIOS, SQLNet, DNS)

S. Lockwood-Childs sjl@chaucer.ece.ucsb.edu
Wed, 10 Oct 2001 11:13:49 PDT


> Hi folks,
> I am starting to work on NAT and conntrack modules for
> 
>  - NetBIOS (to enable WINS, NetLogon etc. over NAT)
>  - Oracle SQLNet (for those fscking Oracle-on-NT-Servers)
>  - DNS (for implementing NAT like Cisco's PIX)
> 
> But before I start, I wanted to ask if someone else is working on something
> like that, so that we could join forces.
> 
> Regards, Joerg

I really like your idea of implementing DNS doctoring in netfilter.
I'd like to help out, if you're still looking for coders; I've already 
written basic iptables modules for fun so I'm not a total beginner.

I have a design question before getting started on any code however --
do you think it is necessary to do NAT with conntrack for DNS? I think
that DNS connections are pretty simple, and that you do not really need
to keep track of state. It seems to me that you could just do a simple
mangling target instead: DNS packets will be matched by a normal port rule,
then the target would peek inside the data for an A type record and
mangle it if appropriate:

iptables -p tcp --sport 53 -j DNS --from-ip x.x.x.x --to-ip y.y.y.y
iptables -p udp --sport 53 -j DNS --from-ip x.x.x.x --to-ip y.y.y.y

What are the advantages to writing this as a helper instead?

--SJLC
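The stateless mangling target sketched above, as an added example (not code from either poster, nor from netfilter): a standalone C function that walks a DNS response the way such a target would, skipping the question section, following label compression pointers, and rewriting the RDATA of A records that match the from-ip. The sample message and the addresses 10.0.0.5 and 203.0.113.9 are constructed, and the function assumes it is handed the UDP payload (a DNS-over-TCP message carries a 2-byte length prefix and may span several segments).

```c
#include <stdint.h>
#include <string.h>
/* Skip one DNS name (labels or a compression pointer) at off; returns the
 * offset just past it, or -1 if it runs off the end of the message. */
static int skip_name(const uint8_t *p, size_t len, size_t off) {
    while (off < len) {
        uint8_t lab = p[off];
        if (lab == 0) return (int)off + 1;                   /* root label ends the name */
        if ((lab & 0xC0) == 0xC0) return off + 2 <= len ? (int)off + 2 : -1; /* pointer */
        if (lab > 63) return -1;                             /* reserved label type */
        off += 1 + lab;
    }
    return -1;
}

/* Rewrite the RDATA of every type A answer equal to from_ip so it reads to_ip.
 * msg is the UDP payload (no TCP length prefix). Returns the number of records
 * rewritten, 0 for a query, -1 if malformed. A real netfilter target would
 * also have to fix the UDP/TCP checksum after changing payload bytes. */
int dns_doctor(uint8_t *msg, size_t len, const uint8_t from_ip[4], const uint8_t to_ip[4]) {
    if (len < 12) return -1;
    if (!(msg[2] & 0x80)) return 0;                          /* QR bit clear: a query */
    unsigned qd = (msg[4] << 8) | msg[5], an = (msg[6] << 8) | msg[7];
    int off = 12, rewritten = 0;
    for (unsigned i = 0; i < qd; i++) {                      /* skip the question section */
        off = skip_name(msg, len, (size_t)off);
        if (off < 0 || (size_t)off + 4 > len) return -1;
        off += 4;                                            /* QTYPE + QCLASS */
    }
    for (unsigned i = 0; i < an; i++) {                      /* walk the answer section */
        off = skip_name(msg, len, (size_t)off);
        if (off < 0 || (size_t)off + 10 > len) return -1;
        unsigned type = (msg[off] << 8) | msg[off + 1], rdlen = (msg[off + 8] << 8) | msg[off + 9];
        off += 10;                                           /* TYPE, CLASS, TTL, RDLENGTH */
        if ((size_t)off + rdlen > len) return -1;
        if (type == 1 && rdlen == 4 && memcmp(msg + off, from_ip, 4) == 0) {
            memcpy(msg + off, to_ip, 4); rewritten++;        /* the actual doctoring */
        }
        off += (int)rdlen;
    }
    return rewritten;
}

/* Constructed sample: response for www.example.com with two A answers whose
 * names are compression pointers (0xC00C) back to the question name. */
uint8_t sample[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,2, 0,0, 0,0,                          /* header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1, /* question */
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 10,0,0,5,                 /* A 10.0.0.5 */
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 192,0,2,7,                /* A 192.0.2.7 */
};
```

Every length check above exists because a response from an untrusted resolver is attacker-controlled input; a kernel-side target that walked the message without them would be a crash bug waiting to happen.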