bugzilla-daemon@netfilter.org
2003-Feb-26 18:10 UTC
[Bug 55] ICMP translation problem with local NAT
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=55

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  BugsThisDependsOn|                            |2
             Status|NEW                         |ASSIGNED

------- Additional Comments From laforge@netfilter.org  2003-02-26 19:10 -------
Hi,

Last week I reported an ICMP translation problem, which occurs if the
connection is initiated by a local process. I now further investigated the
problem, it doesn't occur:

* if the NAT box is a gateway, and the connection is initiated on another box.
* if the connection is not initiated, but accepted

As SNAT happens at NF_IP_POST_ROUTING, reply translation will be performed at
NF_IP_PRE_ROUTING.

The following DEBUG output shows what happens (enabled DEBUGP at the top of
ip_nat_core.c):

icmp reply translation, ct=c3617480, hooknum=0, ctinfo=4
icmp_reply_translation: translating error c396f260 hook 0 dir REPLY, num_manips=2
icmp_reply: manip 0 dir ORIG hook 4
icmp_reply: manip 1 dir REPLY hook 0
icmp_reply: outer DST -> 192.168.131.124

As it seems the inner manip is not called, as it is registered to hook 4
(POST_ROUTING, ORIG)

As POST_ROUTING will never be called in ORIG-inal direction for this packet,
the inner packet is never translated.

I see two ways of fixing the issue:

* fix icmp_reply_translation() to perform all of its translation at the same
  time (both the inner and the outer header)
* register a NAT hook at LOCAL_IN, and perform translation of packets
  registered at (POST_ROUTING, ORIG)

The first option seems to be doable, the second is a big change, though seems
to be cleaner.

Opinions?

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
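The hook mismatch described in the message above, as an added toy model that is not code from this thread, from the attached patch, or from ip_nat_core.c. The struct, the function name, the hook paths and the rule that a manip fires only at the hook it is registered on are assumptions drawn from the debug output; local_in_fix sketches the second proposal only.

```c
#include <stdio.h>
#include <stddef.h>

/* Netfilter IPv4 hook numbers; hooks 0 and 4 are the ones in the debug output. */
enum { PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING };
enum dir { DIR_ORIG, DIR_REPLY };

struct manip { enum dir dir; int hooknum; };  /* simplified stand-in, not the kernel struct */
struct result { int outer; int inner; };      /* how many times each header was rewritten */

/* The two manips listed in the debug output (num_manips=2). */
static const struct manip manips[] = {
    { DIR_ORIG,  POST_ROUTING },  /* manip 0: meant for the embedded (inner) header */
    { DIR_REPLY, PRE_ROUTING  },  /* manip 1: rewrites the outer header */
};

/* Hooks an incoming ICMP error traverses (constructed paths). */
static const int path_local[]     = { PRE_ROUTING, LOCAL_IN };
static const int path_forwarded[] = { PRE_ROUTING, FORWARD, POST_ROUTING };

/* Assumed rule: a manip fires only at the hook it is registered on; REPLY manips
 * touch the outer header, ORIG manips the inner one. local_in_fix sketches the
 * second proposal: also run (POST_ROUTING, ORIG) manips at LOCAL_IN. */
static struct result translate_icmp_error(const int *path, size_t n, int local_in_fix)
{
    struct result r = { 0, 0 };
    for (size_t h = 0; h < n; h++) {
        for (size_t i = 0; i < sizeof manips / sizeof manips[0]; i++) {
            const struct manip *m = &manips[i];
            int fires = (m->hooknum == path[h]);
            if (local_in_fix && path[h] == LOCAL_IN &&
                m->hooknum == POST_ROUTING && m->dir == DIR_ORIG)
                fires = 1;
            if (!fires)
                continue;
            if (m->dir == DIR_REPLY) r.outer++; else r.inner++;
        }
    }
    return r;
}

int main(void)
{
    struct result a = translate_icmp_error(path_local, 2, 0);
    struct result b = translate_icmp_error(path_forwarded, 3, 0);
    struct result c = translate_icmp_error(path_local, 2, 1);
    printf("local:     outer=%d inner=%d\n", a.outer, a.inner);
    printf("forwarded: outer=%d inner=%d\n", b.outer, b.inner);
    printf("local+fix: outer=%d inner=%d\n", c.outer, c.inner);
    return 0;
}
```

On the local path the outer header is rewritten but the inner one is not, which matches the single "outer DST" line in the debug output.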
bugzilla-daemon@netfilter.org
2003-Feb-26 18:13 UTC
[Bug 55] ICMP translation problem with local NAT
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=55

This bug depends on bug 2, which changed state:

           What    |Old Value                   |New Value
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From laforge@netfilter.org  2003-02-26 19:12 -------
Created an attachment (id=7)
patch by bazsi
bugzilla-daemon@netfilter.org
2003-Feb-26 18:13 UTC
[Bug 55] ICMP translation problem with local NAT
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=55

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From laforge@netfilter.org  2003-02-26 19:13 -------
fixed with the proposed patch