ipnatctl
Rusty Russell
rusty@linuxcare.com.au
Sun, 25 Jun 2000 17:58:45 +1000
In message <39538C6F.1693FFFD@baldauf.org> you write:
>
> Rusty Russell wrote:
> > The other option is to use MASQUERADE, but change line 130 of
> > ipt_MASQUERADE.c from:
> >
> > if (event == NETDEV_DOWN) {
> >
> > to
> >
> > if (event == NETDEV_DOWN || event == NETDEV_CHANGEADDR) {
> >
> > which makes sense...
>
> Oh, this is a very good idea. :o) Maybe you can make it the default in the
> future.
It will be.
> What I initially aimed to implement is the feature which Win98 boxes have:
> If you (or your programs) want to access the internet, you are prompted for
> connecting, and if you say "OK", no packet seems to get lost.
>
> With linux+isdn, you lose all packets until the IP address is set. With
> your patch above, even more packets would be lost (because they have wrong
> srcIP addresses). My initial idea was: do not ever lose a packet, just
> queue them until the interface has its real IP address.
Then you need to rewrite them. This is actually quite possible: we
can queue packets to userspace (adding a -j QUEUE rule to the top of
the NAT PREROUTING and OUTPUT tables, for example), and modify diald
to pick up packets from there. When diald has established the
connection and changed the if addr, it removes the QUEUE rules and
lets them go, and NAT code does its magic like normal...
(This won't work right at the moment for local packets, since the MASQ
code has a workaround for local packets, which I need to
reinvestigate, but the concept is correct).
This actually means that diald doesn't need to do any filtering: that
can all be done in the kernel, meaning that diald just does:
Insert queue rules
Wait for packet
Establish connection
Delete queue rules
Release packet.
diald-tng anyone?
Rusty.
--
Hacking time.
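The queue-then-rewrite flow sketched in the reply above, as an added userspace model (not Rusty's or diald's code, and not kernel code): the "diald-tng" steps are run in order, the -j QUEUE rule parks packets in userspace instead of dropping them, and once the interface has its address the released packets get masqueraded with the new source. The Netfilter/Diald classes, the packet dicts and the 192.0.2.10 address are constructed for the example; the "old behaviour" path shows the packet loss the correspondent describes.

```python
from collections import deque


class Netfilter:
    """Toy model of the NAT path: -j QUEUE hands packets to userspace,
    MASQUERADE rewrites the source once the interface has an address."""

    def __init__(self):
        self.if_addr = None          # no IP until the link is established
        self.queue_rules = False     # True while QUEUE sits atop NAT PREROUTING/OUTPUT
        self.userspace_queue = deque()
        self.delivered, self.dropped = [], []

    def send(self, packet):
        if self.queue_rules:
            self.userspace_queue.append(packet)        # parked, not lost
        elif self.if_addr is None:
            self.dropped.append(packet)                 # old behaviour: lost
        else:                                           # MASQUERADE: rewrite srcIP
            self.delivered.append({**packet, "src": self.if_addr})


class Diald:
    """The five steps from the mail, each as one method (constructed model)."""

    def __init__(self, nf):
        self.nf = nf

    def insert_queue_rules(self):
        self.nf.queue_rules = True

    def wait_for_packet(self):
        return len(self.nf.userspace_queue) > 0

    def establish_connection(self, addr):
        self.nf.if_addr = addr       # address changes here (NETDEV_CHANGEADDR)

    def delete_queue_rules(self):
        self.nf.queue_rules = False

    def release_packets(self):
        while self.nf.userspace_queue:   # re-inject; NAT now does its magic
            self.nf.send(self.nf.userspace_queue.popleft())


def demand_dial(packets, dialed_addr="192.0.2.10"):
    """Run the diald-tng sequence and return the Netfilter state."""
    nf, d = Netfilter(), Diald(Netfilter())
    d.nf = nf
    d.insert_queue_rules()
    for p in packets:
        nf.send(p)
    if d.wait_for_packet():
        d.establish_connection(dialed_addr)
        d.delete_queue_rules()
        d.release_packets()
    return nf


def old_behaviour(packets):
    """No QUEUE rule: packets sent before the address is set are dropped."""
    nf = Netfilter()
    for p in packets:
        nf.send(p)
    return nf
```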