RE: full_cone_nat

Thanks for the tip :) I hadn't seen your answer in the other mailing list.
My original question in this mailing list is:

Can you tell me where I can find, in the source code, the function or functions responsible for checking the matching table of active connections present in the file ip_conntrack?

Hugo Mendes
________________________________________
From: Jozsef Kadlecsik [kadlec@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, 7 April 2009 19:32
To: Jan Engelhardt
Cc: Hugo Miguel Mendes; netfilter-devel@xxxxxxxxxxxxxxx
Subject: RE: full_cone_nat

On Tue, 7 Apr 2009, Jan Engelhardt wrote:

>
> On Tuesday 2009-04-07 20:16, Jozsef Kadlecsik wrote:
> >On Tue, 7 Apr 2009, Hugo Miguel Mendes wrote:
> >
> >> What I mean with Full Cone NAT is the following:
> >>[...]
> >
> >I answered you on Thu, 2 Apr 2009 when you asked the same question on
> >the netfilter mailing list. The answer hasn't changed since then:
> >currently there's no way to create full cone NAT.
> >
> >It might be possible to write a new full cone NAT target by creating
> >wildcard expectations.
>
> Yeah there is a case where cone nat does not quite work. Assuming there
> are the following mappings:
>
> origsrc=192.168.17.2 origdst=80.10.20.30 replsrc=134.98.76.54 repldst=80.10.20.30
> origsrc=192.168.17.3 origdst=80.20.30.40 replsrc=134.98.76.54 repldst=80.20.30.40
>
> Then there is no way to ambiguously map incoming IP_CT_NEW connections
> for 134.98.76.54 to an origsrc.

Yes, full cone NAT can easily break connections, or at least it should
reject the second, overlapping connection for the joy of the user. But if
someone insists and wants to shoot himself in the foot, then by creating
expectations it might be possible to create full cone NAT.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
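The lookup problem Jan describes with his two mappings, and the "reject the second, overlapping connection" policy Jozsef suggests, as a small added model (example code written for this page, not code from netfilter or from anyone in the thread). The mapping lines are constructed; the field names internal/remote/external are my own (they correspond to origsrc, origdst and the NATed address 134.98.76.54 in the quoted lines), and the protocol and port numbers are an added assumption so the example can show that the ambiguity survives at port granularity too. The point it demonstrates: conntrack's reply-direction lookup keys on the full tuple including the remote peer, so it is never ambiguous and an unknown peer is simply IP_CT_NEW; a full cone lookup keys on the external address:port alone, so two mappings sharing it give two candidate internal hosts, and the only safe way to build such a table is to refuse the overlapping entry.

```python
"""Added example: why full cone NAT lookups become ambiguous in conntrack
terms, and a table builder that rejects the overlapping mapping.  The
mapping lines below are constructed for illustration; ports and protocol
are an assumption, not part of the original thread."""
import re
from dataclasses import dataclass
from typing import List, Tuple

Addr = Tuple[str, int]


@dataclass(frozen=True)
class Mapping:
    proto: str
    internal: Addr   # origsrc in the thread: the host behind the NAT
    remote: Addr     # origdst: the peer that host talked to
    external: Addr   # the address:port the NAT substituted for internal


# Constructed table in a notation of my own; the two 5060 entries mirror
# Jan's two mappings (same external address, different internal hosts).
CONSTRUCTED_TABLE = """
udp internal=192.168.17.2:5060 remote=80.10.20.30:5060 external=134.98.76.54:5060
udp internal=192.168.17.3:5060 remote=80.20.30.40:5060 external=134.98.76.54:5060
udp internal=192.168.17.4:4000 remote=80.30.40.50:53   external=134.98.76.54:4000
"""

ENTRY_RE = re.compile(
    r"(?P<proto>\w+)\s+internal=(?P<iip>[\d.]+):(?P<iport>\d+)\s+"
    r"remote=(?P<rip>[\d.]+):(?P<rport>\d+)\s+"
    r"external=(?P<eip>[\d.]+):(?P<eport>\d+)$"
)


def parse_mappings(text: str) -> List[Mapping]:
    """Parse the constructed mapping lines; blank lines and '#' comments are skipped."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable mapping line: {line!r}")
        g = m.groupdict()
        mappings.append(Mapping(
            g["proto"],
            (g["iip"], int(g["iport"])),
            (g["rip"], int(g["rport"])),
            (g["eip"], int(g["eport"])),
        ))
    return mappings


def conntrack_reply_lookup(table: List[Mapping], proto: str, src: Addr, dst: Addr) -> List[Mapping]:
    """Reply-direction match as conntrack does it: the remote peer is part of
    the key, so at most one mapping matches.  A packet from a peer that no
    internal host talked to matches nothing and is a new (IP_CT_NEW) flow."""
    return [m for m in table if m.proto == proto and m.remote == src and m.external == dst]


def full_cone_lookup(table: List[Mapping], proto: str, dst: Addr) -> List[Mapping]:
    """Full cone NAT deliberately ignores who sent the packet: the key is only
    the external address:port.  Once two mappings share that key there is no
    single internal host to forward to; the caller gets every candidate."""
    return [m for m in table if m.proto == proto and m.external == dst]


def install_full_cone(candidates: List[Mapping]) -> Tuple[List[Mapping], List[Mapping]]:
    """Build a full cone table with the policy suggested in the thread: a
    mapping whose external address:port is already taken is rejected rather
    than installed, so full_cone_lookup on the result has at most one answer."""
    installed: List[Mapping] = []
    rejected: List[Mapping] = []
    for m in candidates:
        if full_cone_lookup(installed, m.proto, m.external):
            rejected.append(m)
        else:
            installed.append(m)
    return installed, rejected


if __name__ == "__main__":
    table = parse_mappings(CONSTRUCTED_TABLE)
    # An unknown peer sends to the shared external mapping.
    peer, ext = ("1.2.3.4", 9999), ("134.98.76.54", 5060)
    print("conntrack reply lookup:", conntrack_reply_lookup(table, "udp", peer, ext))
    print("full cone candidates:", [m.internal for m in full_cone_lookup(table, "udp", ext)])
    installed, rejected = install_full_cone(table)
    print("installed:", [m.internal for m in installed])
    print("rejected (overlapping):", [m.internal for m in rejected])
```

Run stand-alone it prints an empty conntrack result for the unknown peer, two candidate internal hosts for the full cone lookup, and shows the second 5060 mapping being rejected by the builder. The real kernel would not have a table in this shape; the model only makes the key difference between the two lookups explicit.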
