Re: Race: netfilter

From: Xuan Baldauf (xuan--reiserfs@baldauf.org)
Date: Thu Jun 22 2000 - 15:48:58 EST


Hi Rusty,

sorry for answering so late... I will not try another kernel until ac23
due to the vm problems. But then I'll try again. My system is a P166 UP.

Another question: Is it possible to access the current NAT entries and
tracked connections? I need this to rewrite some of the entries due to
dynamic IP addresses. (With ISDN, you have an isdn-network device which
looks like an ethernet device to the system. This device has a fake IP
address. When packets are going through the device, the dial is triggered,
and some seconds later, the device has the real, dynamic IP address.
Unfortunately, once a SYN is received by SNAT, it tries to set an entry
in its internal data which might look as follows: "<source-ip>:<port> ->
<dest-ip>:<port>". But at the time the first SYN is received,
<dest-ip> is my fake IP address. Even after the IP address of the device
has changed to the real one, all masqueraded connections from the internal
network are translated to the fake IP address.)

One approach to solve this is to unload and reload the module, but this
will not work in all cases. (E.g. where the module is needed even when
being offline.) Another approach would be to either change the entries
manually, or, what would be better, tell SNAT to re-evaluate the
<dest-ip>.

What do you think?

Xuân. :o)

Rusty Russell wrote:

> In message <394D5788.EBA85AB7@baldauf.org> you write:
> > while true; echo test1; do modprobe iptable_nat; echo test2; rmmod
> > iptable_nat; rmmod ip_conntrack; rmmod ip_tables; done
> >
> > After some lines, you'll get disconnected when running this from
> > telnet. (It seems that every TCP connection without a flushed buffer
> > will get disconnected.)
>
> Hi Xuan...
>
> I'm running this now (ac21 with a patch) and it seems fine.
> This is the only known race: the patch went in ac22 (Alan was crafty
> enough to snarf it from the ether somehow: I suspect a mole).
>
> If you can duplicate it then: what platform, and are you SMP?
> Rusty.
> --
> Hacking time.
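The stale-mapping situation described in the message above, as an added example that is not part of the thread: a POSIX shell script run over a constructed /proc/net/ip_conntrack-style dump that picks out every flow whose reply tuple still carries the old fake address. The sample lines and all addresses are constructed here, and the line format (the src=/dst=/sport=/dport= pairs shown) is an assumption about the conntrack dump.

```shell
#!/bin/sh
# Constructed sample in the style of /proc/net/ip_conntrack (not captured
# from a real system): two flows were SNAT'ed while the ISDN device still
# carried the fake address 10.0.0.1, one after it got the real 203.0.113.7.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=198.51.100.10 sport=1025 dport=80 src=198.51.100.10 dst=10.0.0.1 sport=80 dport=1025 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.3 dst=198.51.100.11 sport=1026 dport=22 [UNREPLIED] src=198.51.100.11 dst=10.0.0.1 sport=22 dport=1026 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=198.51.100.12 sport=1027 dport=443 src=198.51.100.12 dst=203.0.113.7 sport=443 dport=1027 [ASSURED] use=1'

# stale_snat_flows STALE_IP < conntrack-dump
# Each line carries two tuples: the original direction (internal host ->
# remote) and the reply direction (remote -> NAT address). A flow is stale
# when its reply tuple is still addressed to STALE_IP; print its original
# tuple as "proto src:sport -> dst:dport".
stale_snat_flows() {
    awk -v stale="$1" '
    {
        ns = nd = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)        s[++ns] = substr($i, 5)
            else if ($i ~ /^dst=/)   d[++nd] = substr($i, 5)
            else if ($i ~ /^sport=/) sp[ns]  = substr($i, 7)
            else if ($i ~ /^dport=/) dp[nd]  = substr($i, 7)
        }
        if (nd == 2 && d[2] == stale)
            printf "%s %s:%s -> %s:%s\n", $1, s[1], sp[1], d[1], dp[1]
    }'
}

# Report the flows that are still being translated to the fake address.
printf '%s\n' "$SAMPLE" | stale_snat_flows 10.0.0.1
```

The flows it lists are exactly the ones that keep being translated to the fake address after the device has its real one, so a hook run on address change would have to drop them (or let them time out) rather than waiting for the module to be reloaded.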




This archive was generated by hypermail 2b29 : Fri Jun 23 2000 - 21:00:24 EST