The fact that someone can deduce how many hosts are hidden behind
a NAT gateway may, or may not, be a bug ... depending on whether you
think that the NAT is supposed to keep this number a secret. But there
is a real bug here too. Suppose you have two hosts behind your NAT
that both have connections to the same host out in internet-land. And
further suppose that both those hosts have the same value for their
incrementing counter that they use for IPID. And finally suppose that
they both send a fragmented packet to the same port on the same host.
If your NAT router isn't re-writing the IPID, can't the target host get
confused when it sees two fragments that have a source address from your
NAT machine, that have the same IPID ... but really don't belong together?
-Tony Luck
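The collision described in the message above, as an added simulation (not part of the original post and not kernel code): a receiver that queues fragments under the RFC 791 key (source, destination, protocol, IPID) cannot tell the two inner hosts apart once the NAT has replaced their source addresses. The addresses, payloads, arrival order, the first-fragment-wins overlap policy and the NAT's per-flow ID mapping are constructed assumptions.

```python
from collections import defaultdict
from itertools import count

NAT_ADDR, SERVER = "198.51.100.1", "203.0.113.10"  # constructed documentation addresses

def fragment(src, ipid, payload, size=8):
    """Split payload into (src, dst, proto, id, offset, more_fragments, data) tuples."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [(src, SERVER, 17, ipid, i * size, i < len(chunks) - 1, c)  # 17 = UDP
            for i, c in enumerate(chunks)]

def nat(frags, rewrite_ipid):
    """Source-NAT each fragment; optionally give each (inner src, inner id) a fresh id."""
    fresh, mapping, out = count(1), {}, []
    for src, dst, proto, ipid, off, mf, data in frags:
        if rewrite_ipid:
            if (src, ipid) not in mapping:
                mapping[(src, ipid)] = next(fresh)
            ipid = mapping[(src, ipid)]
        out.append((NAT_ADDR, dst, proto, ipid, off, mf, data))
    return out

def reassemble(frags):
    """Receiver: queue fragments under the RFC 791 key, return completed datagrams."""
    queues, done = defaultdict(dict), []
    for src, dst, proto, ipid, off, mf, data in frags:
        key = (src, dst, proto, ipid)          # inner host is not visible here
        q = queues[key]
        q.setdefault(off, (mf, data))          # assumption: first fragment at an offset wins
        total = next((o + len(d) for o, (m, d) in q.items() if not m), None)
        pos = 0
        while pos in q:                        # walk the contiguous run from offset 0
            pos += len(q[pos][1])
        if total is not None and pos == total:
            done.append(b"".join(q[o][1] for o in sorted(q)))
            del queues[key]
    return done

def demo(rewrite_ipid):
    """Two inner hosts, same IPID, fragments interleaved on the wire (constructed order)."""
    a = fragment("10.0.0.2", 0x1234, b"A" * 16)
    b = fragment("10.0.0.3", 0x1234, b"B" * 16)
    return reassemble(nat([a[0], b[1], b[0], a[1]], rewrite_ipid))

if __name__ == "__main__":
    print("IPID passed through:", demo(False))   # halves of A and B spliced together
    print("IPID rewritten:     ", demo(True))    # each datagram reassembles intact
```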