Re: [PATCH] nf_nat: restrict ICMP translation for embedded header

To: Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: [PATCH] nf_nat: restrict ICMP translation for embedded header
Cc: Julian Anastasov <ja@xxxxxx>, netfilter-devel@xxxxxxxxxxxxxxx, lvs-devel@xxxxxxxxxxxxxxx
From: Simon Horman <horms@xxxxxxxxxxxx>
Date: Thu, 21 Oct 2010 13:27:04 +0200
On Thu, Oct 21, 2010 at 01:15:15PM +0200, Patrick McHardy wrote:
> On 13.10.2010 21:21, Patrick McHardy wrote:
> > On 11.10.2010 10:23, Julian Anastasov wrote:
> >>
> >>     Skip ICMP translation of embedded protocol header
> >> if NAT bits are not set. Needed for IPVS to see the original
> >> embedded addresses because for IPVS traffic the IPS_SRC_NAT_BIT
> >> and IPS_DST_NAT_BIT bits are not set. It happens when IPVS performs
> >> DNAT for client packets after using nf_conntrack_alter_reply
> >> to expect replies from real server.
> >>
> >> Signed-off-by: Julian Anastasov <ja@xxxxxx>
> >> ---
> >>
> >>     I'm not very familiar with this code, so this change
> >> must not be considered as trivial. Maybe there was a
> >> reason for the embedded header to be translated before the NAT
> >> bits are set?
> > 
> > This seems OK to me, but I need to think about it a bit more,
> > this code is subtle.
> I think this change is fine, it does not apply to the current tree
> anymore however. Could you please send me an updated version
> against the nf-next-2.6.git tree? Thanks!

I can handle this and include it in my next pull request.