Re: nat drop the icmp redirect packet

On 12/01/2011 01:59 AM, Gao feng wrote:
> On 2011-12-01 02:53, Patrick McHardy wrote:
>> On 11/28/2011 02:12 AM, Gao feng wrote:
>>> Hi
>>>
>>> In func nf_nat_icmp_reply_translation, the ICMP packet will be dropped when the NAT is not finished.
>>> PC A (whose gateway is C) sends an ICMP request to PC B.
>>> When gw C receives this packet, it may return an ICMP redirect packet to A.
>>> BUT now the ICMP request packet has not gone to POSTROUTING, so the NAT is not finished.
>>> Finally, the ICMP redirect packet will be dropped no matter whether the conn has NAT or not.
>>>
>>> Of course, the ICMP redirect packet will be correctly handled when NAT is finished.
>>>
>>> Can somebody give me some suggestions,
>>> or should I just add a sysctl to let the user decide whether to drop or receive this ICMP redirect packet when NAT is not finished?
>> It doesn't matter whether the ICMP packet has gone through
>> POST_ROUTING, the conntrack associated with the packet is
>> that of the original packet causing the ICMP REDIRECT (or
>> any other kind of ICMP error).
>>
>> Basically, we don't want hosts talking directly to each other
>> *if* NAT has been set up since that would obviously break
>> things. In the case you describe (only destination NAT setup
>> completed, but null mapping) instead of dropping the packet,
>> we could set up a null source mapping and let the packet
>> through under the assumption that the hosts will then start
>> communicating directly.
>>
>> This will break if the host receiving the ICMP REDIRECT ignores
>> it though. What is the specific problem you're trying to solve?
>>
> Thanks Patrick!
>
> As I said, in my case the *first* ICMP REDIRECT packet will be dropped even if
> the system has no NAT rules, because this REDIRECT packet is triggered
> by the original packet in the FORWARD chain (ip_forward), and when this REDIRECT
> packet goes to the POSTROUTING chain (nf_nat_fn->nf_nat_icmp_reply_translation), the
> original packet is still in the FORWARD chain. So the original packet's conntrack
> ONLY has IPS_DST_NAT_DONE.
>
> I understand what you mean: we should not let the REDIRECT take effect when this conntrack
> has a NAT rule.
>
> I just want to know whether there is some idea to avoid the first ICMP_REDIRECT packet being dropped.

Yes, as I said, we could set up a NULL source mapping on the
conntrack of the original packet and let the REDIRECT through.
The user might have configured a source NAT rule though which
would become ineffective by this.
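Added example (not code from this thread or from the kernel): a simplified C model of the verdict Patrick describes for a REDIRECT related to an in-progress conntrack, compared with the null-source-mapping alternative. The flag names follow the kernel's IPS_* status bits, but the values and the two functions are illustrative assumptions.

```c
#include <stdio.h>

/* Simplified model of conntrack status bits. Names follow the kernel's
 * IPS_* flags; the bit values are illustrative, not the kernel's. */
enum {
    IPS_SRC_NAT      = 1 << 0, /* a non-null source mapping is installed */
    IPS_DST_NAT      = 1 << 1, /* a non-null destination mapping is installed */
    IPS_SRC_NAT_DONE = 1 << 2, /* source NAT decision made (POSTROUTING) */
    IPS_DST_NAT_DONE = 1 << 3, /* destination NAT decision made (PREROUTING) */
};
#define IPS_NAT_MASK      (IPS_SRC_NAT | IPS_DST_NAT)
#define IPS_NAT_DONE_MASK (IPS_SRC_NAT_DONE | IPS_DST_NAT_DONE)

enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* Behaviour described in the thread: a REDIRECT related to a conntrack whose
 * NAT setup is unfinished is dropped (NAT is assumed), and so is one related
 * to a conntrack carrying a real mapping (hosts must keep going through us). */
enum verdict redirect_verdict_current(unsigned int status)
{
    if ((status & IPS_NAT_DONE_MASK) != IPS_NAT_DONE_MASK)
        return VERDICT_DROP;
    if (status & IPS_NAT_MASK)
        return VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Patrick's suggestion, modelled: if only the destination side has been
 * decided and it was a null mapping, install a null source mapping (mark
 * the source decision done without translating). Returns the new status.
 * Caveat from the thread: a SNAT rule that would have matched later in
 * POSTROUTING is skipped for this connection. */
unsigned int apply_null_src_mapping(unsigned int status)
{
    if ((status & IPS_NAT_DONE_MASK) == IPS_DST_NAT_DONE &&
        !(status & IPS_DST_NAT))
        status |= IPS_SRC_NAT_DONE;
    return status;
}

int main(void)
{
    /* Gao feng's scenario: original packet still in FORWARD, so only
     * IPS_DST_NAT_DONE is set when the REDIRECT reaches POSTROUTING. */
    unsigned int st = IPS_DST_NAT_DONE;
    printf("current: %s\n", redirect_verdict_current(st) ? "accept" : "drop");
    st = apply_null_src_mapping(st);
    printf("null src mapping: %s\n", redirect_verdict_current(st) ? "accept" : "drop");
    return 0;
}
```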
