cttproxy-2.4.25-1.9.3 + nat_delete
Hi, this may be a question for KOVACS Krisztian: I have experimented with binding to a foreign source address using cttproxy-2.4.25-1.9.3 and the foreign-tcp-connect program. However I skipped the nat_delete part of the patch as I was not able to apply it. Foreign-tcp-connect actually works perfectly with the peer seeing the spoofed address. However after working, it will consistently fail for several minutes. Then it will work once and the cycle will repeat. I'm guessing this has something to do with the nat_delete patch I skipped. From the mailing list archives:
> The nat_delete patch has been adapted to the new TCP window-tracking patch by Jozsef Kadlecsik, so this patch needs the current tcp-window-tracking module from the Netfilter Patch-o-matic NG applied. If you don't want to do that, 04-nat_delete.patch can be skipped safely.
I tried this. The tcp-window-tracking patch seemed to apply to the vanilla 2.4.25 kernel successfully. However the 04-nat_delete.patch still fails to apply (included below). Any chance of a list of which patches need to be applied to make cttproxy-2.4.25-1.9.3 apply cleanly, including 4-nat_delete.patch?

Regards,
Andrew

/usr/src/linux# patch -p1 < ../cttproxy-2.4.25-1.9.3/patch_tree/04-nat_delete.diff
patching file net/ipv4/netfilter/ip_conntrack_core.c
Hunk #1 FAILED at 357.
1 out of 4 hunks FAILED -- saving rejects to file net/ipv4/netfilter/ip_conntrack_core.c.rej
patching file net/ipv4/netfilter/ip_nat_core.c
Hunk #2 succeeded at 285 with fuzz 1.
patching file net/ipv4/netfilter/ip_conntrack_proto_tcp.c
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 FAILED at 508.
1 out of 1 hunk FAILED -- saving rejects to file net/ipv4/netfilter/ip_conntrack_standalone.c.rej
patching file include/linux/netfilter_ipv4/ip_conntrack.h
Hunk #3 FAILED at 263.
1 out of 3 hunks FAILED -- saving rejects to file include/linux/netfilter_ipv4/ip_conntrack.h.rej
Hi,

On Tue, 2004-04-27 at 09:22, Andrew Ivins wrote:
> I have experimented with binding to a foreign source address using cttproxy-2.4.25-1.9.3 and the foreign-tcp-connect program. However I skipped the nat_delete part of the patch as I was not able to apply it. Foreign-tcp-connect actually works perfectly with the peer seeing the spoofed address. However after working, it will consistently fail for several minutes. Then it will work once and the cycle will repeat. I'm guessing this has something to do with the nat_delete patch I skipped.
Actually, 04-nat_delete is not mandatory at all (although it could help in your case). The root of your problems is probably that you set the foreign address and port number to the same constant value all the time, and connect to the same server. In this case, when the first TCP session is closed, you'll have to wait two minutes for the conntrack entry to time out. Instead of using 04-nat_delete to be able to delete leftover conntrack entries of TCP connections currently in TIME_WAIT state, I'd recommend not using constant values when using tproxy for connecting. If you specify 0 for the foreign port, an unused port number will be automatically allocated by Netfilter, and you won't get NAT clashes. The 04-* patch is needed in such cases when this is not an option, which is very rare.
> > The nat_delete patch has been adapted to the new TCP window-tracking patch by Jozsef Kadlecsik, so this patch needs the current tcp-window-tracking module from the Netfilter Patch-o-matic NG applied. If you don't want to do that, 04-nat_delete.patch can be skipped safely.
> I tried this. The tcp-window-tracking patch seemed to apply to the vanilla 2.4.25 kernel successfully. However the 04-nat_delete.patch still fails to apply (included below)
>
> Any chance of a list of which patches need to be applied to make cttproxy-2.4.25-1.9.3 apply cleanly, including 4-nat_delete.patch?
You're right. Although I wouldn't recommend using that patch, I've created a fixed archive which contains the new 04-nat_delete.diff and replaced the old .tar.gz. The MD5 checksum of the new file is:

64eb5a4e72f11fa98d7794ed0bb8ee2a  cttproxy-2.4.25-1.9.3.tar.gz

--
Regards,
Krisztian KOVACS
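The reply's diagnosis (a constant foreign address/port reused against the same server clashes with a conntrack entry that sits in TIME_WAIT for two minutes, whereas foreign port 0 lets Netfilter allocate an unused port) can be checked from user space before issuing a tproxy connect. The following is an added example, not code from cttproxy, foreign-tcp-connect or either poster: it parses the 2.4-era /proc/net/ip_conntrack layout (third column is seconds until expiry, followed by the TCP state for tcp entries), reports which entry still owns a requested tuple, and models "port 0" by picking the first port in a range that no entry holds for the same source, destination and destination port. The table below is constructed for illustration, and the allocation loop is a stand-in for Netfilter's own allocator, not a reimplementation of it.

```python
"""Pre-flight check for foreign (spoofed) source tuples against conntrack.

Added example; assumes the Linux 2.4 /proc/net/ip_conntrack line format.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of /proc/net/ip_conntrack output. The 118 s TIME_WAIT
# entry is what a just-closed foreign-tcp-connect session leaves behind.
SAMPLE_CONNTRACK = """\
tcp      6 118 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=4000 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=4000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=4001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=4001 [ASSURED] use=1
udp      17 29 src=10.0.0.3 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.3 sport=53 dport=5353 use=1
tcp      6 3 TIME_WAIT src=192.0.2.10 dst=203.0.113.9 sport=4000 dport=443 src=203.0.113.9 dst=192.0.2.10 sport=443 dport=4000 [ASSURED] use=1
"""

# proto, layer-4 number, seconds-to-expiry, optional state (tcp only),
# then the original-direction tuple. Reply-direction fields are ignored.
_LINE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+(?P<state>[A-Z_]+\s+)?"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)


def parse_conntrack(text: str) -> List[Dict]:
    """Return one dict per parseable line with proto, ttl, state and tuple."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # unknown layout: skip rather than guess
        entries.append({
            "proto": m.group("proto"),
            "ttl": int(m.group("ttl")),
            "state": (m.group("state") or "").strip() or None,
            "tuple": (m.group("src"), int(m.group("sport")),
                      m.group("dst"), int(m.group("dport"))),
        })
    return entries


def find_clash(entries: List[Dict], proto: str, src: str, sport: int,
               dst: str, dport: int) -> Optional[Dict]:
    """Return the entry that still owns this original-direction tuple."""
    want = (src, sport, dst, dport)
    for e in entries:
        if e["proto"] == proto and e["tuple"] == want:
            return e
    return None


def choose_foreign_port(entries: List[Dict], src: str, dst: str, dport: int,
                        requested: int = 0, proto: str = "tcp",
                        port_range: Tuple[int, int] = (1024, 65535)) -> Tuple[int, str]:
    """Decide which foreign source port to use for src -> dst:dport.

    requested != 0 is the constant-port case from the question: usable only
    if no conntrack entry owns the tuple, otherwise (0, reason) is returned.
    requested == 0 follows the reply's advice: hand back the first port in
    port_range that is not held for the same src/dst/dport (a model of the
    kernel allocating an unused port, not the kernel's algorithm).
    """
    if requested:
        clash = find_clash(entries, proto, src, requested, dst, dport)
        if clash is None:
            return requested, "requested port is free"
        return 0, f"tuple held by {clash['state']} entry for {clash['ttl']}s more"
    used = {e["tuple"][1] for e in entries
            if e["proto"] == proto and e["tuple"][0] == src
            and e["tuple"][2] == dst and e["tuple"][3] == dport}
    for port in range(port_range[0], port_range[1] + 1):
        if port not in used:
            return port, "allocated unused port"
    return 0, "no free port in range"


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    for req in (4000, 4002, 0):
        port, why = choose_foreign_port(table, "192.0.2.10", "198.51.100.5", 80, req)
        print(f"requested={req:<5} -> port={port:<5} ({why})")
```

Run against a live box, replace SAMPLE_CONNTRACK with the contents of /proc/net/ip_conntrack; a result of 0 with a TIME_WAIT reason is exactly the "works once, then fails for a couple of minutes" cycle from the question, and passing port 0 to the tproxy connect avoids it without 04-nat_delete.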