On Thu, 06 Sep 2007 18:38:06 +0200, Pascal Hambourg
<pascal.mail@xxxxxxxxxxxxxxx> wrote:
> stevesz@xxxxxxxxxxx a écrit :
>>>
>>>I am not sure I understand what the problem is. When the IP address
>>>changes, any existing connections that were using the old IP address are
>
>>>broken. So new connections have to be established using the new IP
>>>address. New P2P connections should be identified and marked again by
>>>ipp2p and CONNMARK, as the old ones were. Or am I missing something ?
>>
>> In my firewall config it is allowed for any packet to go out from my
> local
>> network to the internet even it is not in the conntrack.
>
> Ok. You could change this behaviour by blocking outgoing packets in the
> INVALID state.
>
>> So after my IP
>> has changed and the conntrack table's got flushed, TCP connections
> continue
>> traversing through the firewall
>
> Sorry but I still do no see how this is possible. The remote hosts
> cannot continue previously established TCP connections ("established"
> according to the TCP/IP stack, not Netfilter conntrack) with you if your
> apparent IP address changes. They will continue to send traffic to your
> old IP address and ignore traffic from your new address. A TCP
> connection is defined by the source and destination addresses and ports.
> If any of these 4 elements changes, the connection is broken.
>
>> My plan is to modify the code, so it would replace the old
>> addresses with the new one in the conntrack table keeping the port
>> assignments.
>
> Same remark as above. You cannot change the address of an established
> TCP connection.
Hey, UR absolutely right. I've been thinking too fast. Thanx for correcting
me. But I still don't know why ipp2p does not recognize the resetup. Maybe,
it does not know that 'command'. I think, I'll have to make a capture and
try to isolate the resetup message(s), and the report it to the developer
of
ipp2p.
Thanx again.
Steve
