lwip_nat
ICMP DNAT does not work
It seems that iphdr->dest.addr = nat_entry.cmn->source.addr; fails to get a valid IP address, since IPNAT_ENTRY_RESET(nat_entry.cmn); has already reset it, so err = in_if->output(in_if, q, (ip_addr_t *)&(iphdr->dest)); will generate a broadcast.
IPNAT_ENTRY_RESET only sets the TTL value to 0; it does not touch anything else. Are you facing an issue, or is it just a doubt?
Emm, it's my mistake.
My version of IPNAT_ENTRY_RESET is:

#define IPNAT_ENTRY_RESET(x) do { \
    ip_addr_set_any(&(x)->src); \
    ip_addr_set_any(&(x)->dest); \
    (x)->ttl = 0; \
} while(0)
This NAT implementation does not trace TCP state, and always uses the same port for the mapping (LWIP_NAT_DEFAULT_STATE_TABLES_TCP + LWIP_NAT_DEFAULT_TCP_SOURCE_PORT).
I'm trying to prevent a new connection from being mixed up, in ip4_nat_tcp_lookup_incoming, with one that has already been shut down but still has ttl != 0, by modifying IPNAT_ENTRY_RESET, which is what caused this.
This NAT implementation does not trace TCP state, and always uses the same port for the mapping
Agreed... Can you share your improvements so I can merge them into the source?
This code is in my company's repo and I can't copy it out.
But my solution is simply to add a state machine similar to the one in TCP/IP Illustrated, Volume 1: The Protocols, Figure 18-12 (client side).
static void
ip4_nat_state_tracer_step(ip4_nat_entry_tcp_t *entry,
                          const struct tcp_hdr *tcphdr,
                          enum nat_state_trace_dir dir)
And call this in ip4_nat_udp_lookup_incoming and ip4_nat_udp_lookup_outgoing.
Finally, if a TCP connection is switching to TIME_WAIT, do this:

sys_timeout(1000, ip4_nat_purge_closed_tcp, (void *)nat_entry);

/* sys_timeout handlers take a void * argument, so cast back inside. */
static void
ip4_nat_purge_closed_tcp(void *arg)
{
    ip4_nat_entries_tcp_t *nat_entry = (ip4_nat_entries_tcp_t *)arg;
    IPNAT_ENTRY_RESET(&nat_entry->cmn);
}
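To make the approach above concrete, here is an added example, written for this page and not taken from lwip_nat or from the poster's company code. It shows a minimal per-entry TCP state tracer following the client side of the TCP state diagram, an outgoing lookup that refuses to hand a live entry to a new SYN (the mix-up the post describes), an incoming lookup that drops segments for a closed flow, and a tick-driven purge in place of the sys_timeout callback. The entry layout, the function names, the base mapped port of 40000, the idle ttl of 128 and the 1 s TIME_WAIT are all assumptions made for the example; only the TCP flag bit values are the standard ones.

```c
/* Added example, not lwip_nat's code: a minimal per-entry TCP state tracer for a
 * NAT table, following the client side of the TCP state diagram, plus the lookups
 * and TIME_WAIT purge that keep a closed flow's entry from being mixed up with a
 * new connection on the same mapped port. Entry layout, names and constants are
 * assumptions made for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TCP_FIN 0x01u                /* standard TCP header flag bits */
#define TCP_SYN 0x02u
#define TCP_RST 0x04u
#define TCP_ACK 0x10u
#define NAT_TCP_BASE_PORT    40000u  /* assumed WAN-side port of entry 0 */
#define NAT_TCP_DEFAULT_TTL  128     /* assumed idle ttl */
#define NAT_TCP_TIME_WAIT_MS 1000    /* same 1 s as the sys_timeout in the post */

enum nat_state_trace_dir { NAT_DIR_OUT, NAT_DIR_IN };   /* OUT = LAN host to WAN */
enum nat_tcp_state {
  NAT_TCP_NONE, NAT_TCP_SYN_SENT, NAT_TCP_ESTABLISHED,
  NAT_TCP_FIN_WAIT_1, NAT_TCP_FIN_WAIT_2, NAT_TCP_TIME_WAIT,  /* LAN host closes first */
  NAT_TCP_CLOSE_WAIT, NAT_TCP_LAST_ACK, NAT_TCP_CLOSED        /* WAN peer closes first */
};
typedef struct {
  uint16_t lan_port, remote_port;  /* inside host's port, WAN peer's port */
  int32_t  ttl;                    /* idle ttl; ttl != 0 means the entry is allocated */
  int32_t  time_wait_ms;           /* countdown before a TIME_WAIT entry is purged */
  enum nat_tcp_state state;
} nat_tcp_entry_t;

/* Same effect as IPNAT_ENTRY_RESET: ttl back to 0, state back to NONE. */
static void nat_tcp_entry_reset(nat_tcp_entry_t *e) { memset(e, 0, sizeof *e); }

/* Advance one entry's state for a segment seen in direction dir. Flags that do
 * not fit the current state are ignored; RST closes the flow from any state. */
enum nat_tcp_state nat_tcp_trace_step(nat_tcp_entry_t *e, uint8_t flags,
                                      enum nat_state_trace_dir dir)
{
  bool out = (dir == NAT_DIR_OUT), in = !out;
  bool syn = flags & TCP_SYN, ack = flags & TCP_ACK, fin = flags & TCP_FIN;
  if (flags & TCP_RST) { e->state = NAT_TCP_CLOSED; return e->state; }
  switch (e->state) {
  case NAT_TCP_NONE:        if (out && syn && !ack) e->state = NAT_TCP_SYN_SENT; break;
  case NAT_TCP_SYN_SENT:    if (in && syn && ack) e->state = NAT_TCP_ESTABLISHED; break;
  case NAT_TCP_ESTABLISHED: if (fin) e->state = out ? NAT_TCP_FIN_WAIT_1 : NAT_TCP_CLOSE_WAIT; break;
  case NAT_TCP_FIN_WAIT_1:  if (in && fin) e->state = NAT_TCP_TIME_WAIT;
                            else if (in && ack) e->state = NAT_TCP_FIN_WAIT_2; break;
  case NAT_TCP_FIN_WAIT_2:  if (in && fin) e->state = NAT_TCP_TIME_WAIT; break;
  case NAT_TCP_CLOSE_WAIT:  if (out && fin) e->state = NAT_TCP_LAST_ACK; break;
  case NAT_TCP_LAST_ACK:    if (in && ack) e->state = NAT_TCP_CLOSED; break;
  default: break;
  }
  if (e->state == NAT_TCP_TIME_WAIT && e->time_wait_ms == 0)
    e->time_wait_ms = NAT_TCP_TIME_WAIT_MS;   /* arm the purge timer once */
  return e->state;
}

/* Stand-in for the post's sys_timeout callback, driven from a periodic tick:
 * purge CLOSED entries at once and TIME_WAIT entries when their timer runs out. */
void nat_tcp_tick(nat_tcp_entry_t *table, size_t n, int32_t elapsed_ms)
{
  for (size_t i = 0; i < n; i++) {
    nat_tcp_entry_t *e = &table[i];
    if (e->state == NAT_TCP_CLOSED) nat_tcp_entry_reset(e);
    else if (e->state == NAT_TCP_TIME_WAIT && (e->time_wait_ms -= elapsed_ms) <= 0)
      nat_tcp_entry_reset(e);
  }
}

/* Outgoing lookup. A fresh SYN may take a free slot or reclaim an entry whose
 * flow has closed, but never an entry that is still live, even with ttl != 0. */
nat_tcp_entry_t *nat_tcp_lookup_outgoing(nat_tcp_entry_t *table, size_t n,
                                         uint16_t lan_port, uint16_t remote_port,
                                         uint8_t flags)
{
  bool new_syn = (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN;
  nat_tcp_entry_t *slot = NULL;
  for (size_t i = 0; i < n; i++) {
    nat_tcp_entry_t *e = &table[i];
    if (e->ttl == 0) { if (!slot) slot = e; continue; }
    if (e->lan_port != lan_port || e->remote_port != remote_port) continue;
    if (!new_syn) { e->ttl = NAT_TCP_DEFAULT_TTL; return e; }      /* existing flow */
    if (e->state != NAT_TCP_CLOSED && e->state != NAT_TCP_TIME_WAIT)
      return NULL;                                  /* live flow on this tuple: refuse */
    nat_tcp_entry_reset(e); slot = e; break;        /* stale entry: reclaim it */
  }
  if (!new_syn || !slot) return NULL;               /* unknown flow, or table full */
  slot->lan_port = lan_port; slot->remote_port = remote_port;
  slot->ttl = NAT_TCP_DEFAULT_TTL;
  return slot;
}

/* Incoming lookup by the fixed mapped port (base + index, as in the post).
 * A CLOSED entry is skipped, so a late segment is dropped instead of forwarded. */
nat_tcp_entry_t *nat_tcp_lookup_incoming(nat_tcp_entry_t *table, size_t n,
                                         uint16_t nat_port, uint16_t remote_port)
{
  if (nat_port < NAT_TCP_BASE_PORT || (size_t)nat_port >= NAT_TCP_BASE_PORT + n) return NULL;
  nat_tcp_entry_t *e = &table[nat_port - NAT_TCP_BASE_PORT];
  if (e->ttl == 0 || e->state == NAT_TCP_CLOSED || e->remote_port != remote_port) return NULL;
  e->ttl = NAT_TCP_DEFAULT_TTL;
  return e;
}
```

In a real ip4_nat.c the step function would be fed from the TCP header's flags field in both lookup paths, and nat_tcp_tick would be replaced by the sys_timeout callback from the post; the idle-ttl countdown that lwip_nat already does is left out here so that only the state-tracking part is shown.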
This code is in my company's repo and I can't copy it out.
Aww, sad. It's GPL though; maybe your boss is ready to share it to make this world a happy place 😄 Anyway... Thanks for the pointers.