Hi,

Last week I reported an ICMP translation problem, which occurs if the connection is initiated by a local process.

I now further investigated the problem, it doesn't occur:

* if the NAT box is a gateway, and the connection is initiated on another box.
* if the connection is not initiated, but accepted.

As SNAT happens at NF_IP_POST_ROUTING, reply translation will be performed at NF_IP_PRE_ROUTING. The following DEBUG output shows what happens (enabled DEBUGP at the top of ip_nat_core.c):

  icmp reply translation, ct=c3617480, hooknum=0, ctinfo=4
  icmp_reply_translation: translating error c396f260 hook 0 dir REPLY, num_manips=2
  icmp_reply: manip 0 dir ORIG hook 4
  icmp_reply: manip 1 dir REPLY hook 0
  icmp_reply: outer DST -> 192.168.131.124

As it seems, the inner manip is not called, as it is registered to hook 4 (POST_ROUTING, ORIG). As POST_ROUTING will never be called in ORIG-inal direction for this packet, the inner packet is never translated.

I see two ways of fixing the issue:

* fix icmp_reply_translation() to perform all of its translation at the same time (both the inner and the outer header)
* register a NAT hook at LOCAL_IN, and perform translation of packets registered at (POST_ROUTING, ORIG)

The first option seems to be doable, the second is a big change, though seems to be cleaner.

Opinions?

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
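A small C model of the hook/direction reasoning in the mail (an added illustration, not code from the mail or from ip_nat_core.c): it assumes a manip fires only when the packet reaches the hook it was registered at, uses the two manips shown in the DEBUG output, and encodes both proposed fixes as switches so the gateway case and the local-process case can be compared.

```c
#include <stddef.h>
#include <stdbool.h>

/* Real NF_IP_* hook numbers; everything else here is a simplified model. */
enum hook { PRE_ROUTING = 0, LOCAL_IN = 1, FORWARD = 2, LOCAL_OUT = 3, POST_ROUTING = 4 };
enum dir  { ORIG, REPLY };
enum fix  { NO_FIX, FIX_ALL_AT_ONCE, FIX_LOCAL_IN_HOOK };

struct manip { enum dir dir; enum hook hook; };

/* The two manips of an SNAT connection, as in the DEBUG output:
 * manip 0 = (ORIG, POST_ROUTING), manip 1 = (REPLY, PRE_ROUTING). */
static const struct manip snat_manips[2] = { { ORIG, POST_ROUTING }, { REPLY, PRE_ROUTING } };

/* Hooks an incoming reply traverses when forwarded by a gateway, and when
 * it is delivered to a local process (the case from the mail). */
static const enum hook gw_path[3]    = { PRE_ROUTING, FORWARD, POST_ROUTING };
static const enum hook local_path[2] = { PRE_ROUTING, LOCAL_IN };

/* Assumed rule: a manip fires when the packet reaches the hook it was
 * registered at.  Fix option 2 additionally lets (POST_ROUTING, ORIG)
 * manips fire at LOCAL_IN. */
static bool manip_fires(const struct manip *m, enum hook at, enum fix fix)
{
    if (at == m->hook)
        return true;
    return fix == FIX_LOCAL_IN_HOOK && at == LOCAL_IN &&
           m->hook == POST_ROUTING && m->dir == ORIG;
}

/* Bit 0: outer header (REPLY dir) translated; bit 1: embedded original
 * packet (ORIG dir) translated.  3 means the ICMP error is fully fixed up. */
unsigned icmp_error_translated(const enum hook *path, size_t n, enum fix fix)
{
    unsigned done = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t m = 0; m < 2; m++) {
            if (!manip_fires(&snat_manips[m], path[i], fix))
                continue;
            done |= snat_manips[m].dir == REPLY ? 1u : 2u;
            /* Fix option 1: the first manip that fires also does the other. */
            if (fix == FIX_ALL_AT_ONCE)
                done = 3;
        }
    return done;
}
```

With no fix the gateway path yields 3 (both headers translated) while the local path yields 1 (outer only), reproducing the report; either fix brings the local path to 3.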