On 2011-12-01 02:53, Patrick McHardy wrote:
> On 11/28/2011 02:12 AM, Gao feng wrote:
>> Hi
>>
>> In func nf_nat_icmp_reply_translation, the ICMP packet will be dropped when the NAT is not finished.
>> PC A (whose gateway is C) sends an ICMP request to PC B.
>> When gw C receives this packet, it may return an ICMP redirect packet to A.
>> BUT now, the ICMP request packet has not gone to POSTROUTING, so the NAT is not finished.
>> Finally, the ICMP redirect packet will be dropped no matter whether the conn has NAT or not.
>>
>> Of course, the ICMP redirect packet will be correctly handled when NAT is finished.
>>
>> Can somebody give me some suggestions,
>> or should I just add a sysctl to let the user decide whether to drop or receive this ICMP redirect packet when NAT is not finished?
>
> It doesn't matter whether the ICMP packet has gone through
> POST_ROUTING, the conntrack associated with the packet is
> that of the original packet causing the ICMP REDIRECT (or
> any other kind of ICMP error).
>
> Basically, we don't want hosts talking directly to each other
> *if* NAT has been set up since that would obviously break
> things. In the case you describe (only destination NAT setup
> completed, but null mapping) instead of dropping the packet,
> we could set up a null source mapping and let the packet
> through under the assumption that the hosts will then start
> communicating directly.
>
> This will break if the host receiving the ICMP REDIRECT ignores
> it though. What is the specific problem you're trying to solve?
>

Thanks Patrick!

As I said, in my case, the *first* ICMP REDIRECT packet will be dropped even if the system has no NAT rules, because this REDIRECT packet is triggered by the original packet in the FORWARD chain (ip_forward), and when this REDIRECT packet goes to the POSTROUTING chain (nf_nat_fn->nf_nat_icmp_reply_translation), the original packet is still in the FORWARD chain. So the original packet's conntrack ONLY has IPS_DST_NAT_DONE.
I understand what you mean; we should not let REDIRECT take effect when this conntrack has a NAT rule. I just want to know whether there is some idea to avoid the first ICMP_REDIRECT packet being dropped?
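To make the status-bit reasoning in this thread concrete, here is an added model (written for this page, not the kernel's nf_nat_icmp_reply_translation() code) of the verdict for a REDIRECT related to a conntrack: the drop rule as the thread describes it, beside Patrick's null-source-mapping variant. The IPS_* names mirror the conntrack status bits, but the bit positions, the ICMP type numbers and the two verdict function names are assumptions of the model.

```c
/* Constructed model of the ICMP REDIRECT verdict discussed above; not the
 * kernel's nf_nat_icmp_reply_translation(). IPS_* names mirror conntrack
 * status bits, but the bit positions used here are assumptions of the model. */
#include <stdint.h>
#include <stdio.h>
#define IPS_SRC_NAT       (1u << 4)  /* a source NAT mapping is set up */
#define IPS_DST_NAT       (1u << 5)  /* a destination NAT mapping is set up */
#define IPS_NAT_MASK      (IPS_SRC_NAT | IPS_DST_NAT)
#define IPS_SRC_NAT_DONE  (1u << 7)  /* POSTROUTING NAT lookup finished */
#define IPS_DST_NAT_DONE  (1u << 8)  /* PREROUTING/OUTPUT NAT lookup finished */
#define IPS_NAT_DONE_MASK (IPS_SRC_NAT_DONE | IPS_DST_NAT_DONE)
#define ICMP_DEST_UNREACH 3
#define ICMP_REDIRECT     5
enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* Rule as described in the thread: a REDIRECT related to a conntrack whose
 * NAT lookups are unfinished is dropped (NAT is assumed), and so is one whose
 * conntrack carries a real mapping; other ICMP errors are not affected. */
static enum verdict redirect_verdict_current(uint32_t ct_status, int icmp_type)
{
    if (icmp_type != ICMP_REDIRECT)
        return VERDICT_PASS;
    if ((ct_status & IPS_NAT_DONE_MASK) != IPS_NAT_DONE_MASK)
        return VERDICT_DROP;            /* original packet still before POSTROUTING */
    if (ct_status & IPS_NAT_MASK)
        return VERDICT_DROP;            /* hosts must not bypass the translation */
    return VERDICT_PASS;
}

/* Patrick's suggestion: if only the destination lookup is done and it gave a
 * null mapping, record a null source mapping as well and let the REDIRECT pass. */
static enum verdict redirect_verdict_proposed(uint32_t ct_status, int icmp_type)
{
    if (icmp_type == ICMP_REDIRECT &&
        (ct_status & IPS_NAT_DONE_MASK) == IPS_DST_NAT_DONE &&
        !(ct_status & IPS_DST_NAT))
        ct_status |= IPS_SRC_NAT_DONE;  /* null source mapping, nothing to translate */
    return redirect_verdict_current(ct_status, icmp_type);
}

int main(void)
{
    /* The thread's case: the first REDIRECT arrives while the original packet
     * is still in FORWARD, so only IPS_DST_NAT_DONE is set and no mapping exists. */
    uint32_t status = IPS_DST_NAT_DONE;
    printf("current:  %s\n", redirect_verdict_current(status, ICMP_REDIRECT) ? "DROP" : "PASS");
    printf("proposed: %s\n", redirect_verdict_proposed(status, ICMP_REDIRECT) ? "DROP" : "PASS");
    return 0;
}
```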