On Mon, May 27, 2002 at 12:32:32PM +0200, Balazs Scheidler wrote:
> As SNAT happens at NF_IP_POST_ROUTING, reply translation will be performed
> at NF_IP_PRE_ROUTING. The following DEBUG output shows what happens (enabled
> DEBUGP at the top of ip_nat_core.c):
> 
> icmp reply translation, ct=c3617480, hooknum=0, ctinfo=4
> icmp_reply_translation: translating error c396f260 hook 0 dir REPLY, num_manips=2
> icmp_reply: manip 0 dir ORIG hook 4
> icmp_reply: manip 1 dir REPLY hook 0
> icmp_reply: outer DST -> 192.168.131.124
> 
> It seems the inner manip is not called, as it is registered at hook 4
> (POST_ROUTING, ORIG).
> 
> As POST_ROUTING will never be called in ORIG-inal direction for this packet,
> the inner packet is never translated. 

I was wrong here. The same manip is applied at different hooks (once at
PRE_ROUTING and once at POST_ROUTING).

> I see two ways of fixing the issue:
> * fix icmp_reply_translation() to perform all of its translation at the same
>   time (both the inner and the outer header)
> * register a NAT hook at LOCAL_IN, and perform translation of packets
>   registered at (POST_ROUTING, ORIG)
> 
> The first option seems doable; the second is a big change, though it
> seems cleaner.

I implemented option #1, and the patch is below. However, I'm not 100% sure
that I'm free to translate the inner packet at PREROUTING time (there must
have been some reason that it was performed at POST_ROUTING time).

Functionality-wise, the patch seems to work all right.

--- ip_nat_core.c.old   Mon May 27 04:53:09 2002
+++ ip_nat_core.c       Mon May 27 05:00:23 2002
@@ -843,7 +843,7 @@
                   packet, except it was never src/dst reversed, so
                   where we would normally apply a dst manip, we apply
                   a src, and vice versa. */
-               if (info->manips[i].hooknum == opposite_hook[hooknum]) {
+               if (info->manips[i].hooknum == hooknum) {
                        DEBUGP("icmp_reply: inner %s -> %u.%u.%u.%u %u\n",
                               info->manips[i].maniptype == IP_NAT_MANIP_SRC
                               ? "DST" : "SRC",
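Review bot: the comment directly above the changed condition ("where we would normally apply a dst manip, we apply a src, and vice versa") still describes the opposite-hook selection that this line removes; with the test now `info->manips[i].hooknum == hooknum`, the inner packet is translated with the manip registered for the current hook (in the debug output above, manip 1, hook 0 REPLY at PRE_ROUTING), so the comment should say why a same-hook manip with `!info->manips[i].maniptype` is the right thing for the embedded header, and the mail's own open question (whether the inner translation is safe at PREROUTING rather than POST_ROUTING) belongs in that comment as well. If `opposite_hook[]` has no other user in ip_nat_core.c after this change, it should be removed together with this line.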
@@ -854,9 +854,9 @@
                                  &info->manips[i].manip,
                                  !info->manips[i].maniptype,
                                  &skb->nfcache);
-               /* Outer packet needs to have IP header NATed like
-                   it's a reply. */
-               } else if (info->manips[i].hooknum == hooknum) {
+                       /* Outer packet needs to have IP header NATed like
+                          it's a reply. */
+
                        /* Use mapping to map outer packet: 0 give no
                            per-proto mapping */
                        DEBUGP("icmp_reply: outer %s -> %u.%u.%u.%u\n",
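Review bot: the removed line `} else if (info->manips[i].hooknum == hooknum) {` carried the closing brace of the inner branch as well as the second test, so the inner and outer translation now run in one block that is closed by the outer branch's own `}` below this hunk; that is structurally fine, but it means every manip matching `hooknum` is now applied to both the inner and the outer header in the same iteration, which is the real behaviour change and should be stated in the changelog. Style: the re-indented comment "Outer packet needs to have IP header NATed like it's a reply." is now separated from "Use mapping to map outer packet: 0 give no per-proto mapping" only by an added blank line; fold the two into a single comment and drop the empty `+` line.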


-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
