Hi,

I'm trying to conntrack/nat a udp-based protocol with a server listening on port x. My problem is that the conntrack-helper sees all incoming and outgoing packets of the control connection, while the nat-helper is only called for outgoing packets. Due to the nature of the protocol I need IP_NAT_HELPER_F_ALWAYS to mangle the contents of both outgoing and incoming packets (even when there are no expected connections).

The scenario is the following:

PC1 -> MASQ -> server

The conntrack module gets a packet from PC1 (src port x, dst port x) and parses the protocol. The nat_module mangles the packet content and the packet is sent off to the server with the source address of MASQ (src port x, dst port x).

The conntrack_module receives a packet from Server (src port: high, dst port x) and parses the protocol. The nat_module isn't called.

I register my modules with the following tuples:

nat_module:
    hlpr->tuple.dst.protonum = IPPROTO_UDP;
    hlpr->tuple.src.u.udp.port = port x;
    hlpr->mask.src.u.udp.port = 0xFFFF;
    hlpr->mask.dst.protonum = 0xFFFF;
    hlpr->flags = IP_NAT_HELPER_F_ALWAYS;

conntrack_module:
    hlpr->tuple.src.u.udp.port = port x;
    hlpr->tuple.dst.protonum = IPPROTO_UDP;
    hlpr->mask.src.u.udp.port = 0xFFFF;
    hlpr->mask.dst.protonum = 0xFFFF;

/proc/net/ip_conntrack lists both connections (answer&reply) as unreplied. Can someone explain to me why the reply is seen as a new connection?

regards
Nikolai Dahlem
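
An added example, not part of the original message and not kernel code: a simplified model of how connection tracking matches a packet against a tracked flow's original tuple and its expected-reply tuple, applied to the scenario above. The struct layout, the addresses and the port numbers (5000 standing in for port x, 40000 for the high port) are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define PORT_X 5000 /* constructed stand-in for the post's "port x" */

/* Simplified model, not the kernel's struct ip_conntrack_tuple. */
struct tuple { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };
struct conn  { struct tuple orig, reply; };
enum verdict { ORIGINAL, REPLY, NEW_CONNECTION };

/* Constructed addresses for PC1, MASQ and the server. */
static const uint32_t PC1 = IP(192, 168, 0, 2), MASQ = IP(203, 0, 113, 1),
                      SERVER = IP(198, 51, 100, 7);

static int tuple_eq(struct tuple a, struct tuple b)
{
    return a.src_ip == b.src_ip && a.dst_ip == b.dst_ip &&
           a.src_port == b.src_port && a.dst_port == b.dst_port;
}

/* Track a flow that is source-NATed to nat_ip: the expected reply is the
 * inverted original tuple, addressed to the NAT box instead of the client. */
static struct conn track_snat(struct tuple first, uint32_t nat_ip)
{
    struct conn c;
    c.orig = first;
    c.reply.src_ip = first.dst_ip;     c.reply.dst_ip = nat_ip;
    c.reply.src_port = first.dst_port; c.reply.dst_port = first.src_port;
    return c;
}

/* A packet belongs to the flow only if it equals one of the two tuples. */
static enum verdict classify(struct conn c, struct tuple pkt)
{
    if (tuple_eq(pkt, c.orig))  return ORIGINAL;
    if (tuple_eq(pkt, c.reply)) return REPLY;
    return NEW_CONNECTION;
}

/* Classify a server -> MASQ:x packet sent from the given source port. */
static enum verdict server_packet(uint16_t src_port)
{
    struct tuple first = { PC1, SERVER, PORT_X, PORT_X };
    struct tuple pkt = { SERVER, MASQ, src_port, PORT_X };
    return classify(track_snat(first, MASQ), pkt);
}

int main(void)
{
    printf("from port x: %d, from high port: %d\n",
           server_packet(PORT_X), server_packet(40000));
    return 0;
}
```

In this model a server packet sent from port x matches the expected-reply tuple, while one sent from a high port matches neither tuple and is classified as a new connection.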