[Bug 55] ICMP translation problem with local NAT
bugzilla-daemon@netfilter.org
Wed, 26 Feb 2003 19:10:07 +0100
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=55
laforge@netfilter.org changed:
What              |Removed |Added
----------------------------------------------------------------------------
BugsThisDependsOn |        |2
Status            |NEW     |ASSIGNED
------- Additional Comments From laforge@netfilter.org 2003-02-26 19:10 -------
Hi,
Last week I reported an ICMP translation problem, which occurs if the
connection is initiated by a local process.
I have now investigated the problem further; it doesn't occur:
* if the NAT box is a gateway, and the connection is initiated on another box.
* if the connection is not initiated, but accepted.
As SNAT happens at NF_IP_POST_ROUTING, reply translation will be performed
at NF_IP_PRE_ROUTING. The following DEBUG output shows what happens (enabled
DEBUGP at the top of ip_nat_core.c):
icmp reply translation, ct=c3617480, hooknum=0, ctinfo=4
icmp_reply_translation: translating error c396f260 hook 0 dir REPLY, num_manips=2
icmp_reply: manip 0 dir ORIG hook 4
icmp_reply: manip 1 dir REPLY hook 0
icmp_reply: outer DST -> 192.168.131.124
It seems the inner manip is not called, as it is registered to hook 4
(POST_ROUTING, ORIG).
As POST_ROUTING will never be called in the ORIG-inal direction for this packet,
the inner packet is never translated.
I see two ways of fixing the issue:
* fix icmp_reply_translation() to perform all of its translation at the same
time (both the inner and the outer header)
* register a NAT hook at LOCAL_IN, and perform translation of packets
registered at (POST_ROUTING, ORIG)
The first option seems doable; the second is a big change, though it
seems cleaner.
Opinions?
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
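The dispatch problem the comment describes, modelled as an added example (not netfilter code): each manip carries the hook it was registered at, a locally destined ICMP error only traverses PRE_ROUTING, and the first proposed fix applies the inner and outer translation together. Only 192.168.131.124 comes from the trace; the other addresses are constructed.

```python
"""Toy model of how icmp_reply_translation() dispatches NAT manips.
Constructed example, not netfilter code; 192.168.131.124 is the address
from the trace, the other addresses are documentation ranges."""
from collections import namedtuple

PRE_ROUTING, POST_ROUTING = 0, 4     # NF_IP_PRE_ROUTING / NF_IP_POST_ROUTING
ORIG, REPLY = "ORIG", "REPLY"
LOCAL_IP = "192.168.131.124"   # NAT box's own address (outer DST in the trace)
SNAT_IP = "203.0.113.7"        # constructed: what SNAT rewrites LOCAL_IP to
REMOTE_IP = "198.51.100.9"     # constructed: peer that returns an ICMP error

# hook, direction, and (before, after) for the address field it rewrites
Manip = namedtuple("Manip", "hook direction field before after")

# SNAT of a locally originated connection: src rewritten in ORIG direction
# at POST_ROUTING, dst rewritten back in REPLY direction at PRE_ROUTING.
MANIPS = [
    Manip(POST_ROUTING, ORIG, "src", LOCAL_IP, SNAT_IP),   # manip 0
    Manip(PRE_ROUTING, REPLY, "dst", SNAT_IP, LOCAL_IP),   # manip 1
]

def apply_manip(pkt, m):
    """REPLY manip rewrites the outer header; the ORIG manip is applied in
    reverse to the embedded datagram, which still carries the SNAT'd src."""
    if m.direction == REPLY and pkt["outer"][m.field] == m.before:
        pkt["outer"][m.field] = m.after
    elif m.direction == ORIG and pkt["inner"][m.field] == m.after:
        pkt["inner"][m.field] = m.before
    return pkt

def translate_per_hook(pkt, hooks_traversed, manips=MANIPS):
    """Current behaviour: a manip only runs at the hook it is registered at,
    so on a PRE_ROUTING -> LOCAL_IN path manip 0 (hook 4) never fires."""
    for hook in hooks_traversed:
        for m in manips:
            if m.hook == hook:
                apply_manip(pkt, m)
    return pkt

def translate_all_at_once(pkt, hooks_traversed, manips=MANIPS):
    """Fix option 1: inner and outer header translated together at the first hook."""
    if hooks_traversed:
        for m in manips:
            apply_manip(pkt, m)
    return pkt

def icmp_error_reply():
    """ICMP error from REMOTE_IP quoting the SNAT'd datagram we sent."""
    return {"outer": {"src": REMOTE_IP, "dst": SNAT_IP},
            "inner": {"src": SNAT_IP, "dst": REMOTE_IP}}
```

A forwarded reply traverses both NAT hooks and ends up fully translated; a reply to a local socket only sees hook 0, so the embedded datagram keeps the SNAT'd source until the manips are applied together.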