On 11/04/2005 01:53 PM, Sebastian Böhm wrote: > - sometimes (every 10th connection attempt or so) the connections fails > with "GRE: read(fd=5,buffer=8056720,len=8260) from network failed: > status = -1 error = Protocol > not available" reading in the server logs. I use windows clients with > linux server. somewhere I read that I should load ip_gre on the firewall > or block a specific icmp packet, is that correct ? (I dont like to block > icmp, icmp is there for reason) Please try the attached patch. It has fixed a problem for someone else, and I think this problem may be the same, but I'm not sure. > - I am unable to estabish two pptp connections from one client, I can > connect to one pptp server and I can connect to a second pptp server, > but the second connection never accepts any traffic, when I stop the > first connection, the second connection begins to work. Is this a bug or > a known missing feature ? This is intended to work. I haven't personally tested it in 2.6.14 though.
diff -u -p -u -r1.1.1.1 ip_nat_helper_pptp.c --- linux-2.6.x/net/ipv4/netfilter/ip_nat_helper_pptp.c 28 Oct 2005 04:39:25 -0000 1.1.1.1 +++ linux-2.6.x/net/ipv4/netfilter/ip_nat_helper_pptp.c 3 Nov 2005 09:18:01 -0000 @@ -73,6 +73,7 @@ static void pptp_nat_expected(struct ip_ struct ip_conntrack_tuple t; struct ip_ct_pptp_master *ct_pptp_info; struct ip_nat_pptp *nat_pptp_info; + struct ip_nat_range range; ct_pptp_info = &master->help.ct_pptp_info; nat_pptp_info = &master->nat.help.nat_pptp_info; @@ -110,7 +111,30 @@ static void pptp_nat_expected(struct ip_ DEBUGP("not found!\n"); } - ip_nat_follow_master(ct, exp); + /* This must be a fresh one. */ + BUG_ON(ct->status & IPS_NAT_DONE_MASK); + + /* Change src to where master sends to */ + range.flags = IP_NAT_RANGE_MAP_IPS; + range.min_ip = range.max_ip + = ct->master->tuplehash[!exp->dir].tuple.dst.ip; + if (exp->dir == IP_CT_DIR_ORIGINAL) { + range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED; + range.min = range.max = exp->saved_proto; + } + /* hook doesn't matter, but it has to do source manip */ + ip_nat_setup_info(ct, &range, NF_IP_POST_ROUTING); + + /* For DST manip, map port here to where it's expected. */ + range.flags = IP_NAT_RANGE_MAP_IPS; + range.min_ip = range.max_ip + = ct->master->tuplehash[!exp->dir].tuple.src.ip; + if (exp->dir == IP_CT_DIR_REPLY) { + range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED; + range.min = range.max = exp->saved_proto; + } + /* hook doesn't matter, but it has to do destination manip */ + ip_nat_setup_info(ct, &range, NF_IP_PRE_ROUTING); } /* outbound packets == from PNS to PAC */ @@ -213,7 +237,7 @@ pptp_exp_gre(struct ip_conntrack_expect /* alter expectation for PNS->PAC direction */ invert_tuplepr(&inv_t, &expect_orig->tuple); - expect_orig->saved_proto.gre.key = htons(nat_pptp_info->pac_call_id); + expect_orig->saved_proto.gre.key = htons(ct_pptp_info->pns_call_id); expect_orig->tuple.src.u.gre.key = htons(nat_pptp_info->pns_call_id); expect_orig->tuple.dst.u.gre.key = htons(ct_pptp_info->pac_call_id); inv_t.src.ip = reply_t->src.ip;