From: Harald Welte <laforge@netfilter.org>
To: Nikolai Dahlem <Nikolai.Dahlem@epygi.de>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Re: NAT problem with related connections
Date: Mon, 3 Nov 2003 16:39:42 +0100 [thread overview]
Message-ID: <20031103153941.GF5081@sunbeam.de.gnumonks.org> (raw)
In-Reply-To: <DAELKAPIKOFAFFKELNHOGEAICAAA.Nikolai.Dahlem@epygi.de>
[-- Attachment #1: Type: text/plain, Size: 2225 bytes --]
On Mon, Nov 03, 2003 at 01:28:29PM +0100, Nikolai Dahlem wrote:
> -----Original Message-----
> From: Harald Welte [mailto:laforge@netfilter.org]
> Sent: Montag, 3. November 2003 12:08
> To: Nikolai Dahlem
> Cc: Netfilter Development Mailinglist
> Subject: Re: NAT problem with related connections
>
> On Mon, Nov 03, 2003 at 11:15:40AM +0100, Nikolai Dahlem wrote:
> >> we talked about the implementation of a conntrack-module for SIP @
> linuxtag,
> >> maybe you remember ...
>
> >yes, I do remember the company/domain name 'epygi', but I didn't
> >remember your name.
> I'm the inconspicuous student ;-)
>
> >I have to be honest that I didn't read the code thoroughly. But
> >according to a quick guess, what you are lacking is a call to
> >ip_conntrack_change_expect() from the nat helper. The NAT helper has to
> >alter the expectation raised by conntrack...
> >See the ftp/irc helpers as an example.
>
> do I have to change the expectation, if I inserted a complete tuple in
> conntrack ?
a conntrack helper should just insert the tuple provided by the protocol
payload (SIP/sdp). The nat helper then changes the protocol payload
(i.e. the IP address / port number) inside the master connection, and
has to alter the expectation accordingly.
> SIP provides all the information, so I thought why not fill the complete
> tuple or is this completely wrong ?
take the example of FTP (more common, and I already forgot most SIP
relevant stuff):
client: 1.2.3.4, firewall: 10.20.30.40, ftp-server: 9.9.9.9
packet received: client -> server PORT 1,2,3,4,5,6
- conntrack helper raises expectation 9.9.9.9:any->1.2.3.4:(5<<16 & 6)
- nat helper alters packet payload to PORT 10,20,30,40,5,6
- nat helper alters expectation to 9.9.9.9:any->10.20.30.40:(5<<16 & 6)
> kind regards
> Nikolai Dahlem
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2003-11-03 15:39 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-10-30 10:31 NAT problem with related connections Nikolai Dahlem
2003-11-03 7:48 ` Harald Welte
[not found] ` <DAELKAPIKOFAFFKELNHOCEAICAAA.Nikolai.Dahlem@epygi.de>
2003-11-03 11:08 ` Harald Welte
[not found] ` <DAELKAPIKOFAFFKELNHOGEAICAAA.Nikolai.Dahlem@epygi.de>
2003-11-03 15:39 ` Harald Welte [this message]
2003-11-04 13:41 ` Nikolai Dahlem
2003-11-04 15:44 ` Harald Welte
2003-11-03 11:12 ` Harald Welte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20031103153941.GF5081@sunbeam.de.gnumonks.org \
--to=laforge@netfilter.org \
--cc=Nikolai.Dahlem@epygi.de \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.