More generic NAT and TCP #4

Open
4t0m1k opened this issue Mar 26, 2018 · 2 comments
Labels
enhancement New feature or request

Comments

@4t0m1k
4t0m1k commented Mar 26, 2018

Hello and thank you for this awesome extension!

Why not make this extension more generic, for example naming it "TNAT" (for Typed NAT) and with this syntax:

iptables -t nat -A POSTROUTING -o eth0 -j TNAT --type [ full | port_restricted | address_restricted | symmetric ]
iptables -t nat -A PREROUTING -i eth0 -j TNAT (not needed to repeat type param as it is saved in context)

So, for full cone nat, you just have to do:

iptables -t nat -A POSTROUTING -o eth0 -j TNAT --type full
iptables -t nat -A PREROUTING -i eth0 -j TNAT

You do not have to change the mapping structure, only look it up by ext port, then check the type and reject the packet in the hook if:

  • prerouting source port different from postrouting dest port && type == port_restricted || symmetric
  • prerouting source addr different from postrouting dest addr && type == addr_restricted || symmetric

What do you think about this?

Another question: when do you think TCP full cone NAT will be available? How much work is there to do?

Thank you!
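Added example, not code from this issue or from the xt_FULLCONENAT module: a user-space C model of the admission check described in the comment above, with the mapping keyed by external port and the four NAT types of RFC 3489 (full cone, address-restricted cone, port-restricted cone, symmetric). It follows the RFC definitions, so the port-restricted case requires both the remote address and the remote port to match a destination the internal host already sent to, and a symmetric mapping is tied to a single destination. The record step stands in for the POSTROUTING rule and the accept step for the PREROUTING rule. All names (`struct mapping`, `nat_record_outbound`, `nat_accept_inbound`, `ip4`) and the scenario addresses are assumptions made for this example.

```c
/* Added example: model of the per-NAT-type admission check discussed in the
 * issue. Hypothetical names and layout, not the module's own code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum nat_type { NAT_FULL, NAT_ADDR_RESTRICTED, NAT_PORT_RESTRICTED, NAT_SYMMETRIC };

#define MAX_PEERS 8

struct endpoint {
    uint32_t addr;   /* IPv4 address in host byte order */
    uint16_t port;
};

/* One mapping, keyed by external port: the internal endpoint plus the remote
 * endpoints the internal host has already sent to through this mapping. */
struct mapping {
    uint16_t ext_port;
    struct endpoint internal;
    struct endpoint peers[MAX_PEERS];
    size_t npeers;
};

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static void mapping_init(struct mapping *m, uint16_t ext_port, uint32_t in_addr, uint16_t in_port)
{
    m->ext_port = ext_port;
    m->internal.addr = in_addr;
    m->internal.port = in_port;
    m->npeers = 0;
}

/* POSTROUTING side: remember where the internal host sent a packet.
 * A symmetric NAT uses one external port per destination, so a second
 * destination is refused here; a real NAT would allocate a new mapping. */
static bool nat_record_outbound(enum nat_type type, struct mapping *m, uint32_t dst_addr, uint16_t dst_port)
{
    for (size_t i = 0; i < m->npeers; i++)
        if (m->peers[i].addr == dst_addr && m->peers[i].port == dst_port)
            return true;                        /* already recorded */
    if (type == NAT_SYMMETRIC && m->npeers == 1)
        return false;
    if (m->npeers == MAX_PEERS)
        return false;
    m->peers[m->npeers].addr = dst_addr;
    m->peers[m->npeers].port = dst_port;
    m->npeers++;
    return true;
}

/* PREROUTING side: may an inbound packet from src_addr:src_port to this
 * mapping's external port be translated to the internal host? */
static bool nat_accept_inbound(enum nat_type type, const struct mapping *m, uint32_t src_addr, uint16_t src_port)
{
    bool addr_seen = false, pair_seen = false;
    for (size_t i = 0; i < m->npeers; i++) {
        if (m->peers[i].addr != src_addr)
            continue;
        addr_seen = true;
        if (m->peers[i].port == src_port)
            pair_seen = true;
    }
    switch (type) {
    case NAT_FULL:            return true;       /* any external host and port */
    case NAT_ADDR_RESTRICTED: return addr_seen;  /* host contacted before, any port */
    case NAT_PORT_RESTRICTED: return pair_seen;  /* exact addr:port contacted before */
    case NAT_SYMMETRIC:       return pair_seen;  /* only the single peer of this mapping */
    }
    return false;
}

int main(void)
{
    struct mapping m;
    const uint32_t peer = ip4(203, 0, 113, 5), other = ip4(198, 51, 100, 7);
    static const char *names[] = { "full", "address_restricted", "port_restricted", "symmetric" };

    /* Constructed scenario: 192.168.1.10:5000 -> ext port 40000 -> 203.0.113.5:3478 */
    mapping_init(&m, 40000, ip4(192, 168, 1, 10), 5000);
    nat_record_outbound(NAT_FULL, &m, peer, 3478);

    for (int t = NAT_FULL; t <= NAT_SYMMETRIC; t++)
        printf("%-19s same peer:%d same host/other port:%d other host:%d\n", names[t],
               nat_accept_inbound(t, &m, peer, 3478),
               nat_accept_inbound(t, &m, peer, 9999),
               nat_accept_inbound(t, &m, other, 3478));
    return 0;
}
```

The two functions correspond to the two rules in the comment: the POSTROUTING rule records the destination, the PREROUTING rule consults the recorded peers and the configured type before translating. Keying the mapping by external port is enough for the cone types; only the symmetric type needs the mapping itself to be per destination.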

@Chion82 Chion82 added the enhancement New feature or request label Mar 28, 2018
@Chion82
Owner

Chion82 commented Mar 28, 2018

Hi, thanks for your advice.

Extending this module to support various NAT types and TCP sounds great and actually it's part of my plan. Maybe I will create a new module in another repository to do that in the future.

For now let's just focus on this particular extension module. As you can see there are still many potential issues for this module whose implementation is actually a dirty hack. When this module becomes more stable and well tested, we will start working on the TNAT stuff.

@4t0m1k
Author

4t0m1k commented Mar 28, 2018

Thanks for your response!

You're right, there will be another time for that. Keep up the good work!
