On Thu, 06 Sep 2007 18:38:06 +0200, Pascal Hambourg
<pascal.mail plouf.fr.eu.org> wrote:
> stevesz enternet.hu wrote:
>>> I am not sure I understand what the problem is. When the IP address
>>> changes, any existing connections that were using the old IP address are
>>> broken. So new connections have to be established using the new IP
>>> address. New P2P connections should be identified and marked again by
>>> ipp2p and CONNMARK, as the old ones were. Or am I missing something?
>>
>> In my firewall config it is allowed for any packet to go out from my local
>> network to the internet even if it is not in the conntrack.
>
> Ok. You could change this behaviour by blocking outgoing packets in the
> INVALID state.
>
>> So after my IP has changed and the conntrack table has got flushed, TCP
>> connections continue traversing through the firewall
>
> Sorry but I still do not see how this is possible. The remote hosts
> cannot continue previously established TCP connections ("established"
> according to the TCP/IP stack, not Netfilter conntrack) with you if your
> apparent IP address changes. They will continue to send traffic to your
> old IP address and ignore traffic from your new address. A TCP
> connection is defined by the source and destination addresses and ports.
> If any of these 4 elements changes, the connection is broken.
>
>> My plan is to modify the code, so it would replace the old addresses with
>> the new one in the conntrack table, keeping the port assignments.
>
> Same remark as above. You cannot change the address of an established
> TCP connection.
Hey, you're absolutely right. I've been thinking too fast. Thanks for
correcting me. But I still don't know why ipp2p does not recognize the
resetup. Maybe it does not know that 'command'. I think I'll have to make
a capture and try to isolate the resetup message(s), and then report it to
the developer of ipp2p.
Thanks again.
Steve
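The exchange above turns on two points: a TCP connection is identified by its 4-tuple, and a FORWARD rule that accepts anything leaving the LAN without consulting conntrack keeps forwarding mid-stream segments after the table is flushed, whereas dropping the INVALID state first stops them. The following toy model is an added example, not code from the thread, from ipp2p or from Netfilter. It uses a dictionary keyed on the 4-tuple as a stand-in for the conntrack table, two made-up policy names ("permissive" for the configuration described in the thread, "strict" for the suggested fix), and constructed addresses and ports.

```python
"""Toy model of stateful filtering, added to illustrate the thread above.

Constructed example, not code from the original posts or from Netfilter.
It models a conntrack table keyed on the TCP 4-tuple and two FORWARD-chain
policies: "permissive" lets any locally originated packet out regardless of
conntrack state; "strict" drops packets in the INVALID state first.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Tuple4 = Tuple[str, int, str, int]  # (src, sport, dst, dport)
ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a string: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)

    def tuple4(self) -> Tuple4:
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_tuple4(self) -> Tuple4:
        return (self.dst, self.dport, self.src, self.sport)


@dataclass
class Conntrack:
    """Minimal stand-in for the Netfilter conntrack table."""
    table: Dict[Tuple4, str] = field(default_factory=dict)

    def classify(self, pkt: Packet) -> str:
        # A tracked connection matches in either direction.
        if pkt.tuple4() in self.table or pkt.reverse_tuple4() in self.table:
            return "ESTABLISHED"
        # Only a bare SYN may open an entry. Any other segment matching no
        # tracked connection is INVALID: after a flush the peers still regard
        # the connection as established, but the firewall knows nothing of it.
        if pkt.flags == "S":
            return "NEW"
        return "INVALID"

    def track(self, pkt: Packet, state: str) -> None:
        if state == "NEW":
            self.table[pkt.tuple4()] = "SYN_SENT"

    def flush(self) -> None:
        # What happens to the table when the external address changes.
        self.table.clear()


def verdict(policy: str, direction: str, state: str) -> str:
    """FORWARD-chain decision for one packet under the given (made-up) policy."""
    if policy == "strict" and state == "INVALID":
        return DROP  # the fix suggested in the reply: drop INVALID first
    if direction == "outbound":
        return ACCEPT  # LAN -> internet accepted regardless of conntrack
    return ACCEPT if state == "ESTABLISHED" else DROP


def run_scenario(policy: str) -> List[str]:
    """Replay a constructed packet sequence and return the verdict per packet.

    Addresses are made up for the example: an RFC 1918 LAN host talking to a
    TEST-NET-3 peer on port 6881.
    """
    lan, peer = "192.168.1.10", "203.0.113.5"
    ct = Conntrack()
    verdicts: List[str] = []

    def forward(pkt: Packet, direction: str) -> None:
        state = ct.classify(pkt)
        v = verdict(policy, direction, state)
        if v == ACCEPT:
            ct.track(pkt, state)
        verdicts.append(v)

    # Three-way handshake of a LAN-originated connection.
    forward(Packet(lan, 40000, peer, 6881, "S"), "outbound")   # NEW
    forward(Packet(peer, 6881, lan, 40000, "SA"), "inbound")   # ESTABLISHED
    forward(Packet(lan, 40000, peer, 6881, "A"), "outbound")   # ESTABLISHED

    # The firewall's address changes and the conntrack table is flushed.
    ct.flush()

    # A mid-stream segment of the old connection now matches no entry:
    # permissive forwards it anyway, strict drops it as INVALID.
    forward(Packet(lan, 40000, peer, 6881, "A"), "outbound")

    # A fresh connection is tracked again as NEW under either policy.
    forward(Packet(lan, 40001, peer, 6881, "S"), "outbound")
    return verdicts


if __name__ == "__main__":
    for p in ("permissive", "strict"):
        print(p, run_scenario(p))
```

The fourth verdict is the one the thread is about: with the permissive policy the leftover segment is forwarded even though no connection is tracked (and so nothing can have been marked by CONNMARK), while the strict policy drops it and only the new SYN, which conntrack sees as NEW, gets through. On a real Netfilter box the equivalent of the strict branch is a rule such as `iptables -A FORWARD -m state --state INVALID -j DROP` placed ahead of the rule that accepts LAN-originated traffic.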