This series fixes SNAT/DNAT rules where port number translation is
explicitly configured, but only the L3 address is translated:

  # iptables -t nat -A POSTROUTING -o eth1 -p sctp -j SNAT --to-source 10.0.0.1:61000
  # tcpdump -s46 -tni eth1 sctp
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth1, link-type EN10MB (Ethernet), capture size 46 bytes
  IP 10.0.0.1.37788 > 10.0.0.2.2000: sctp
              ^^^^^
  IP 10.0.0.2.2000 > 10.0.0.1.37788: sctp
  IP 10.0.0.1.37788 > 10.0.0.2.2000: sctp
  IP 10.0.0.2.2000 > 10.0.0.1.37788: sctp
  IP 10.0.0.2.2000 > 10.0.0.1.37788: sctp
  IP 10.0.0.1.37788 > 10.0.0.2.2000: sctp
  IP 10.0.0.2.2000 > 10.0.0.1.37788: sctp

This happens for all protocols that don't have L4 NAT support built into
nf_nat.ko, such as DCCP, SCTP and UDPLite: unless the user modprobes
nf_nat_proto_{dccp,sctp,udplite}.ko, port translation as specified in the
above rule will not be done.

The first patch provides persistent and generic aliases for the above
modules; the second patch autoloads nf_nat_proto_{dccp,sctp,udplite} when a
SNAT/DNAT rule matching one of the above protocols is created.

Davide Caratti (2):
  netfilter: persistent aliases for l4 nat protocols
  xt_nat: probe module for non-builtin L4 protocols

 include/net/netfilter/nf_nat_l4proto.h |  3 +++
 net/netfilter/nf_nat_proto_dccp.c      |  1 +
 net/netfilter/nf_nat_proto_sctp.c      |  1 +
 net/netfilter/nf_nat_proto_udplite.c   |  1 +
 net/netfilter/xt_nat.c                 | 47 ++++++++++++++++++++++++++++++++++
 5 files changed, 53 insertions(+)

--
2.5.5
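
An audit for the condition described in the message above, as an added example that is not part of the original posting or of the patch series: it scans IPv4 iptables-save output for SNAT/DNAT rules that request a port on DCCP, SCTP or UDPLite and reports those whose nf_nat_proto_* module is missing from the loaded-module list. The function name and the sample data are constructed for illustration, and it assumes the helpers are built as loadable modules, so that they appear in /proc/modules when present.

```sh
#!/bin/sh
# Added example: flag SNAT/DNAT rules that ask for port translation on DCCP,
# SCTP or UDPLite while the matching nf_nat_proto_* module is not loaded.

# Constructed sample in iptables-save format.
SAMPLE_RULES='*nat
-A POSTROUTING -o eth1 -p sctp -j SNAT --to-source 10.0.0.1:61000
-A POSTROUTING -o eth1 -p udplite -j SNAT --to-source 10.0.0.1
-A PREROUTING -i eth0 -p dccp -j DNAT --to-destination 192.168.0.5:5000-5010
-A POSTROUTING -o eth1 -p tcp -j SNAT --to-source 10.0.0.1:61000
COMMIT'
# Constructed sample in /proc/modules format: only the DCCP helper is loaded.
SAMPLE_MODULES='nf_nat_proto_dccp 16384 0 - Live 0x0000000000000000
nf_nat 28672 1 nf_nat_proto_dccp, Live 0x0000000000000000'

# audit_nat_rules RULES MODULES
# Prints "module<TAB>rule" for every rule whose port part would be ignored.
audit_nat_rules() {
    { printf '%s\n' "$2"; echo '@@RULES@@'; printf '%s\n' "$1"; } | awk '
        $0 == "@@RULES@@" { in_rules = 1; next }
        !in_rules         { loaded[$1] = 1; next }   # module name is field 1
        $1 != "-A"        { next }                   # skip table/chain/COMMIT lines
        {
            proto = ""; target = ""; to = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-p") proto = tolower($(i + 1))
                else if ($i == "-j") target = $(i + 1)
                else if ($i ~ /^--to-(source|destination)$/) to = $(i + 1)
            }
            # iptables-save may print the protocol number instead of the name
            if (proto == "33") proto = "dccp"
            if (proto == "132") proto = "sctp"
            if (proto == "136") proto = "udplite"
            if (proto != "dccp" && proto != "sctp" && proto != "udplite") next
            if (target != "SNAT" && target != "DNAT") next
            if (to !~ /:[0-9]+(-[0-9]+)?$/) next     # address only, no port asked for
            mod = "nf_nat_proto_" proto
            if (!(mod in loaded)) printf "%s\t%s\n", mod, $0
        }'
}

# Sample run; on a live host pass "$(iptables-save -t nat)" and "$(cat /proc/modules)".
audit_nat_rules "$SAMPLE_RULES" "$SAMPLE_MODULES"
```

Each reported rule is one where traffic would leave with the translated address but an untranslated source or destination port, as in the tcpdump capture above.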