UDP, TCP, and NAT (was...)

Thomas Charron twaffle at gmail.com
Fri Jul 13 18:14:36 EDT 2007


On 7/13/07, Ben Scott <dragonhawk at gmail.com> wrote:
> On 7/12/07, Ben Scott <dragonhawk at gmail.com> wrote:
> >   Every dynamic NAT implementation I've ever used, ever, did this.
> > Heck, Linux 2.0 could do it, so long as you didn't want a firewall,
> > too.  Can you find me any dynamic NAT implementation which *doesn't*
> > handle UDP?
>   Bit of clarification on my terminology here: I'm specifically
> talking about dynamic one-to-many translation of both addresses and
> port numbers.  Some call this "NAPT" (Network Address/Port
> Translation).

  I know that's the case, however, PAT can often cause UDP-based
protocols to break, as opposed to TCP protocols, where doing PAT is
much easier.  But you're right, I suppose I presented it as 'This
sux0rs!' as opposed to 'It will rarely, however, not work depending on
the protocol'.

>   Any kind of one-to-one translation of addresses (either static or
> dynamic), will, of course, support UDP and almost everything else.
> The only things that break down are application protocols which derive
> return IP addresses from the payload.

  Yes, one-to-one maps can for the most part always work, because the
external interface is one-to-one mapped directly.

> >>   By your own statement, explain then why NAT routers need to do
> >> 'funny things' with very basic UDP based services, like DNS.
> >   They don't.  I have never had to do application-layer inspection
> > with DNS.  Nor NTP.  Fire up WireShark and look at the packets if you
> > don't believe me.
> ... and correlate what you see with WireShark to what the Linux
> NetFilter source does.  Find me any code that does anything beyond
> port number rewriting just to make DNS work, and I'll gladly eat crow
> (provided you provide sanitary, cooked crow meat for me to eat).

  You are correct, Linux NetFilter *does* operate in the case of DNS
as you say.  But others do not, and will actually maintain state
information based on the serial number of the DNS request contained
inside the UDP packet.

-- 
-- Thomas
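Added example, not part of the thread: a toy NAPT table in Python that shows why plain port rewriting is enough for DNS (the answer comes back from the same server:port the query went to) but drops the reply of a UDP protocol whose server answers from a freshly chosen port. Addresses, ports and payloads are constructed; the mapping logic is a simplified model, not any real implementation's code.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

def dns_txid(payload: bytes) -> int:
    """The DNS header opens with a 16-bit transaction ID (RFC 1035)."""
    return struct.unpack("!H", payload[:2])[0]

class Napt:
    """Toy dynamic NAPT for UDP: one public port per (inside ip:port, peer ip:port) flow."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}  # public port -> (inside ip, inside port, peer ip, peer port)

    def outbound(self, pkt: Packet) -> Packet:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = next((p for p, f in self.table.items() if f == flow), None)
        if port is None:  # first packet of this flow: allocate a public port
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        flow = self.table.get(pkt.dst_port)
        if flow is None:
            return None  # no mapping: unsolicited inbound UDP is dropped
        in_ip, in_port, peer_ip, peer_port = flow
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # answer came from a different ip:port than the request went to
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)

def demo():
    nat = Napt("203.0.113.1")  # constructed addresses from the documentation ranges
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # constructed DNS header
    q = nat.outbound(Packet("192.168.1.10", 5353, "198.51.100.53", 53, query))
    # DNS answers from the same server:port the query went to, so port rewriting suffices
    answer = nat.inbound(Packet("198.51.100.53", 53, q.src_ip, q.src_port, query))
    # A server that answers from a freshly chosen port (TFTP does this) misses the mapping
    r = nat.outbound(Packet("192.168.1.10", 6000, "198.51.100.7", 69, b"RRQ"))
    data = nat.inbound(Packet("198.51.100.7", 60000, r.src_ip, r.src_port, b"DATA"))
    return answer, data
```

The returned `answer` is the translated DNS reply delivered to 192.168.1.10:5353, while `data` is None because the second protocol's reply arrived from a port the table never saw.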

