[nf-failover] NAT support for peer-to-peer games

Henrik Nordstrom hno at marasystems.com
Sat Sep 25 13:08:51 CEST 2004

On Sat, 25 Sep 2004, Harald Welte wrote:

>> How to implement the scheme described below using netfilter?
> netfilter implements draft-ford-natp2p-00, which should address your
> problem.
>> http://www.hasenstein.com/HyperNews/get/linux-ip-nat/97.html
> yes, this is the draft that iptable_nat aims to implement.

On reading this I see some obvious limitations of this approach. The main 
limitation is the port NAT capability of Netfilter: you are not 
guaranteed you will get assigned the same port on all connections.

And if the change to randomize the netfilter port assignments is done then 
this scheme will break down completely and never succeed in making the 
p2p connections.

A more up-to-date version of this draft seems to be 

To sort this out it should be added to this draft that each client 
punching holes in NAT gateways MUST use a random source port and if the 
connection fails retry using a new random port, and that the document is 
extended to mention that the common server is not only used as a directory 
but also as an active participant in mediating the connections to allow the 
endpoints to synchronize their state correctly when there is a need to retry 
on a new port etc. In addition the P2P applications must be prepared to 
see "unexpected" traffic from uninvited clients and should therefore not 
only rely on the port numbers for identifying the client but also include 
their own unique identification of the P2P participant they want to 
connect to, to allow proper detection of crossed connections.
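The procedure proposed above, worked through as an added simulation (this is example code written for this page, not Henrik's or Netfilter's code): each attempt binds a fresh random source port, a rendezvous server reports back the public endpoint it observed, both peers send to each other's reported endpoint, and on failure they retry on new ports; every packet also carries sender and intended-receiver identities so a crossed connection is rejected at the application layer. The NAT class is a constructed approximation of conntrack-style behaviour (source port preserved unless another host already holds it, otherwise another port is picked; a `randomize` flag models the "always random" assignment the mail warns about); the endpoints, names, and the counter used in place of a random port source are all constructed for reproducibility.

```python
"""Simulation of mediated UDP hole punching with random source ports,
retry on a fresh port, and application-level peer identification.
Constructed model, not Netfilter code."""
import itertools
import random

SERVER = ("198.51.100.1", 4000)      # constructed rendezvous server endpoint


def random_port():
    return random.randrange(1024, 65536)


class Nat:
    """Port-preserving NAT: keeps the internal source port as the external port
    unless another host behind the NAT already holds it (approximation)."""
    def __init__(self, public_ip, pick_port=random_port, busy=(), randomize=False):
        self.public_ip = public_ip
        self.pick_port = pick_port
        self.busy = set(busy)            # external ports held by other internal hosts
        self.randomize = randomize       # model a NAT that always picks a random port
        self.flows = {}                  # (internal port, destination) -> external port

    def outbound(self, int_port, dst):
        """Create (or reuse) the mapping for one flow; return its public endpoint."""
        key = (int_port, dst)
        if key not in self.flows:
            ext = self.pick_port() if self.randomize else int_port
            while ext in self.busy:      # port taken: fall back to another one
                ext = self.pick_port()
            self.flows[key] = ext
        return (self.public_ip, self.flows[key])

    def inbound(self, ext_port, src):
        """Deliver only packets matching an existing flow in the reply direction."""
        for (int_port, dst), ext in self.flows.items():
            if ext == ext_port and dst == src:
                return int_port
        return None


class Peer:
    def __init__(self, name, nat, pick_port=random_port):
        self.name, self.nat, self.pick_port = name, nat, pick_port
        self.port = None
        self.public = None               # endpoint the server observed for us

    def register(self):
        """Bind a fresh random port and register; the server reports what it saw."""
        self.port = self.pick_port()
        self.public = self.nat.outbound(self.port, SERVER)

    def send(self, dst, payload):
        """Return the packet as it appears on the public side of our NAT."""
        return (self.nat.outbound(self.port, dst), payload)

    def receive(self, packet, expected_peer):
        src, payload = packet
        if self.nat.inbound(self.public[1], src) != self.port:
            return "dropped-by-nat"
        # ports alone are not trusted: check the application-level identities
        if payload.get("to") != self.name or payload.get("from") != expected_peer:
            return "rejected-unexpected-peer"
        return "ok"


def hole_punch(a, b, max_attempts=5):
    """Mediated punch; returns the attempt number that succeeded, or None."""
    for attempt in range(1, max_attempts + 1):
        a.register()
        b.register()                     # server now hands each peer the other's endpoint
        hello_ab = a.send(b.public, {"from": a.name, "to": b.name})
        hello_ba = b.send(a.public, {"from": b.name, "to": a.name})
        if b.receive(hello_ab, a.name) == "ok" and a.receive(hello_ba, b.name) == "ok":
            return attempt
    return None


def run_scenario(randomize=False):
    """Two peers behind separate NATs; port 5000 is already taken on Alice's NAT.
    A counter stands in for the random port source so the run is reproducible."""
    ports = itertools.count(5000).__next__
    nat_a = Nat("203.0.113.10", ports, busy={5000}, randomize=randomize)
    nat_b = Nat("203.0.113.20", ports, randomize=randomize)
    alice, bob = Peer("alice", nat_a, ports), Peer("bob", nat_b, ports)
    return hole_punch(alice, bob)


def crossed_connection():
    """Bob was told Alice is at endpoint x, but Carol answers from x: the NAT
    passes the packet (it matches Bob's flow); only the identity check catches it."""
    ports = itertools.count(6000).__next__
    bob = Peer("bob", Nat("203.0.113.20", ports), ports)
    bob.register()
    x = ("203.0.113.30", 6100)           # constructed endpoint
    bob.send(x, {"from": "bob", "to": "alice"})
    return bob.receive((x, {"from": "carol", "to": "bob"}), expected_peer="alice")


if __name__ == "__main__":
    print("port-preserving NAT, retry on a new port:", run_scenario())
    print("fully randomized port assignment:", run_scenario(randomize=True))
    print("crossed connection:", crossed_connection())
```

With the port-preserving NAT the first attempt fails because Alice's port 5000 collides and her server-observed port differs from the port used towards Bob; the retry on a fresh port succeeds. With fully randomized assignment no attempt ever succeeds, and the crossed-connection case shows why the peer identity in the payload is needed in addition to the port numbers.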

