[nf-failover] NAT support for peer-to-peer games
hno at marasystems.com
Sat Sep 25 13:08:51 CEST 2004
On Sat, 25 Sep 2004, Harald Welte wrote:
>> How to implement the scheme described below using netfilter?
> netfilter implements draft-ford-natp2p-00, which should address your
> yes, this is the draft that iptable_nat aims to implement.
On reading this I see some obvious limitations of this approach. The main
limitation is the port NAT capability of Netfilter.. you are not
guaranteed you will get assigned the same port on all connections.
And if the change to randomize the netfilter port assignments is done then
this scheme will break down completely and never succeed in making the
A more up to date devision of this draft seems to be
To sort this out it should be added to this draft that each client
punching holes in NAT gateways MUST use a random source port and if
connection fails retry using a new random port, and that the document is
extended to mention that the common server is not only used as a directory
but also active participant in mediating the connections to allow the
endpoints to syncronize their state correctly when there is need to retry
on a new port etc. In addition the P2P applications must be prepared to
see "unexpected" traffic from uninvited clients and should therefore not
only rely on the port numbers for identifying the client but also include
their own unique identifiacation of the P2P participiant they want to
connect to to allow proper detection of crossed connections.
More information about the netfilter-devel