PPTP/GRE conntrack/nat helper
Wed, 13 Mar 2002 17:25:12 +0100
On Mon, Nov 05, 2001 at 10:09:26AM -0800, Brian Kuschak wrote:
> Here's my first try at a PPTP helper module for netfilter. The patch is
> against 2.4.12. Testing so far has shown that it works with multiple PPTP
> clients (windows only tested so far). There are two known problems:
First of all, thanks again for your valuable netfilter/iptables contribution.
As you might know, I had already started implementing a PPTP conntrack/NAT
helper back in 2000 (there should be some articles about it in the list
archives). Unfortunately I never finished the project and almost forgot about
Your submission of a pptp conntrack/nat helper reminded me again about this
I had an in-depth look at the source code of your helper, and found several
- It assumes that all GRE traffic is PPTP (there are other GRE-based protocols)
- GRE (a layer-four protocol) is implemented using an application layer helper.
As a result, the connection tracking core doesn't really know about GRE
data connections (and isn't showing them correctly in /proc/net/ip_conntrack)
Also, the NAT core is not used for GRE NAT alterations - instead a helper
function is called for every packet of the data connection.
- it is missing size checks at several places. Short packets could make the
code read past the end of the packet
- it assumes that TCP headers are fixed-length
Resulting from the fundamentally different design of an application helper
and a layer-four protocol helper, it would have been difficult to convert
However, I have now finished my implementation of a GRE conntrack/NAT
protocol helper and PPTP conntrack/nat application helper.
It is based very much on Gordon Chafee's 2.2.x ip_masq_pptp code, and I've
also stolen some ideas from your code :)
I'm really sorry that this ended up this way. It's a very bad feeling
to duplicate the effort of other people :(. I really don't want to harm your
motivation with regard to contributing to netfilter/iptables. Please feel free to
flame me if you want...
I would be happy if you (and everybody else) could have a look at the new
pptp-gre-ct-nat-0.83 patch which is now in patch-o-matic (btw: it needs all
p-o-m patches from the 'pending' section). I would be interested
in testing, especially with non-Linux clients and servers.
All feedback is appreciated.
> Brian Kuschak
Live long and prosper
- Harald Welte / email@example.com http://www.gnumonks.org/
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
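The three code-level points raised in the review above (no size checks, so short packets read past the end of the packet; TCP headers assumed to be 20 bytes; every GRE packet treated as PPTP) are illustrated below with an added, stand-alone example. It is not code from either helper or from patch-o-matic: it is a user-space sketch of how a PPTP helper would validate a control-connection packet and a GRE data packet before touching their fields, following RFC 2637 (GRE version 1, protocol 0x880B, magic cookie 0x1A2B3C4D). The sample packets, addresses and call ID are constructed for the example.

```c
/* Added example: bounds-checked parsing for a PPTP conntrack helper.
 * Not the patch discussed in this mail; sample packets are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PPTP_CONTROL_PORT 1723
#define PPTP_MAGIC_COOKIE 0x1A2B3C4DUL
#define GRE_PROTO_PPP     0x880B   /* "enhanced GRE" carrying PPP frames (RFC 2637) */
#define GRE_VERSION_PPTP  1

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Offset of the TCP payload inside an IPv4 packet, or -1 if the packet is not
 * TCP or is shorter than the headers it claims to carry. The TCP header length
 * comes from the data offset field; it is not assumed to be 20 bytes. */
int tcp_payload_offset(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = rd16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len) return -1;   /* truncated or bogus length */
    if (pkt[9] != 6) return -1;                           /* not TCP */
    if (tot < ihl + 20) return -1;                        /* no room for a TCP header */
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;             /* TCP options make this > 20 */
    if (doff < 20 || ihl + doff > tot) return -1;
    return (int)(ihl + doff);
}

/* PPTP control message type (e.g. 5 = Echo-Request) of a packet on the control
 * connection, or -1 if it is not a well-formed PPTP control message. */
int pptp_ctrl_type(const uint8_t *pkt, size_t len)
{
    int off = tcp_payload_offset(pkt, len);
    if (off < 0) return -1;
    const uint8_t *tcp = pkt + (size_t)(pkt[0] & 0x0f) * 4;
    if (rd16(tcp) != PPTP_CONTROL_PORT && rd16(tcp + 2) != PPTP_CONTROL_PORT) return -1;
    size_t avail = rd16(pkt + 2) - (size_t)off;           /* payload bytes really present */
    if (avail < 12) return -1;                            /* fixed PPTP header is 12 bytes */
    const uint8_t *p = pkt + off;
    size_t declared = rd16(p);
    if (declared < 12 || declared > avail) return -1;     /* declared length must fit */
    if (rd16(p + 2) != 1 || rd32(p + 4) != PPTP_MAGIC_COOKIE) return -1;
    return rd16(p + 8);
}

/* GRE header length if this is PPTP GRE (version 1, protocol 0x880B, K bit set),
 * 0 if it is some other GRE protocol the helper must leave alone, -1 if the
 * header is truncated or the payload length does not fit the packet. */
int gre_pptp_header_len(const uint8_t *gre, size_t len, uint16_t *call_id)
{
    if (len < 4) return -1;                               /* flags + protocol always present */
    uint8_t flags = gre[0];
    if ((gre[1] & 0x07) != GRE_VERSION_PPTP || rd16(gre + 2) != GRE_PROTO_PPP) return 0;
    if (!(flags & 0x20)) return -1;                       /* K (key = call ID) is mandatory */
    size_t hlen = 8 + ((flags & 0x10) ? 4 : 0)            /* S: sequence number present */
                    + ((gre[1] & 0x80) ? 4 : 0);          /* A: ack number present */
    if (len < hlen) return -1;
    if (hlen + rd16(gre + 4) > len) return -1;            /* payload length field must fit */
    if (call_id) *call_id = rd16(gre + 6);
    return (int)hlen;
}

/* Call ID of a PPTP GRE packet, or -1 if it is not valid PPTP GRE. */
int gre_pptp_call_id(const uint8_t *gre, size_t len)
{
    uint16_t cid = 0;
    return gre_pptp_header_len(gre, len, &cid) > 0 ? (int)cid : -1;
}

/* Constructed sample: IPv4 + TCP (doff 8, 12 bytes of options) + PPTP Echo-Request. */
static const uint8_t sample_ctrl[] = {
    0x45,0x00,0x00,0x44, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,                      /* IPv4, 20 bytes */
    0xc0,0x00,0x06,0xbb, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x80,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,                      /* TCP to port 1723 */
    0x01,0x01,0x08,0x0a, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02, /* NOP,NOP,timestamp */
    0x00,0x10,0x00,0x01, 0x1a,0x2b,0x3c,0x4d, 0x00,0x05,0x00,0x00,
    0x00,0x00,0x00,0x2a,                                           /* Echo-Request, id 42 */
};
/* Constructed sample: PPTP GRE, K+S set, call ID 7, seq 3, 4 bytes of PPP payload. */
static const uint8_t sample_gre[] = {
    0x30,0x01,0x88,0x0b, 0x00,0x04,0x00,0x07, 0x00,0x00,0x00,0x03, 0xff,0x03,0x00,0x21,
};
/* Constructed sample: GRE version 0 carrying IP (protocol 0x0800), not PPTP. */
static const uint8_t sample_gre_ip[] = { 0x00,0x00,0x08,0x00, 0x45,0x00,0x00,0x14 };

int main(void)
{
    printf("control payload at %d, message type %d, truncated copy -> %d\n",
           tcp_payload_offset(sample_ctrl, sizeof sample_ctrl),
           pptp_ctrl_type(sample_ctrl, sizeof sample_ctrl),
           pptp_ctrl_type(sample_ctrl, 60));
    printf("pptp gre header %d bytes, call id %d, plain gre -> %d\n",
           gre_pptp_header_len(sample_gre, sizeof sample_gre, NULL),
           gre_pptp_call_id(sample_gre, sizeof sample_gre),
           gre_pptp_header_len(sample_gre_ip, sizeof sample_gre_ip, NULL));
    return 0;
}
```

Each accessor returns -1 before reading any field that the packet is too short to hold, and the GRE check returns 0 (rather than a PPTP verdict) for GRE that is not version 1 / 0x880B, which is how a helper avoids claiming other GRE-based protocols. Cutting the sample control packet to 60 bytes exercises the short-packet path: the IP total length no longer fits, so the PPTP header is never touched.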