conntrack
Francis Dupont
fdupont at isc.org
Wed Feb 22 16:48:39 UTC 2012
I've investigated the conntrack tools (the usermode interface
to the connection tracking in the Linux kernel). They give access
to the NAT bindings, so they can be used:
- to monitor the NAT activity (used and free ports for instance)
- to delete stale NAT bindings (for instance using ports no longer
available after a reconfig)
- to create NAT bindings (cf PEER)
I suggest reusing the code of conntrackd to add a module to miniupnpd
(the version with PCP support).
Regards
Francis Dupont <fdupont at isc.org>
PS: an example of the monitoring on a NAT:
# conntrack -E -d 91.121.26.85
[NEW] icmp 1 30 src=10.0.1.2 dst=91.121.26.85 type=8 code=0 id=2382 [UNREPLIED] src=91.121.26.85 dst=192.168.0.46 type=0 code=0 id=2382
[UPDATE] icmp 1 30 src=10.0.1.2 dst=91.121.26.85 type=8 code=0 id=2382 src=91.121.26.85 dst=192.168.0.46 type=0 code=0 id=2382
[DESTROY] icmp 1 src=10.0.1.2 dst=91.121.26.85 type=8 code=0 id=2382 src=91.121.26.85 dst=192.168.0.46 type=0 code=0 id=2382
source = 10.0.1.2
NAT external address = 192.168.0.46
destination = 91.121.26.85
I ran ping on the source box: the first echo request created the entry
(NEW), the echo reply confirmed it (UPDATE), and I killed it so the entry
was garbage collected on timeout (DESTROY).
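To show what the monitoring and clean-up described above look like in code, here is an added example (not code from the post, from conntrackd or from miniupnpd) that parses `conntrack -E` event lines in the key=value layout shown in the PS, derives the NAT binding from the original and reply tuples, replays the events to keep the set of live bindings, and lists used and free external ports and bindings that fall outside an allowed port range. The three ICMP lines are the ones from the PS; the UDP line, the port ranges and the external address are constructed for the example and are assumptions. The `conntrack -D` flags it emits are conntrack's own deletion options.

```python
"""Parse `conntrack -E` event lines and track the NAT bindings they describe."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample input: the three ICMP events quoted in the post, plus one
# UDP event written in the same key=value layout (the UDP line is assumed,
# not captured output).
SAMPLE_EVENTS = """\
[NEW] icmp 1 30 src=10.0.1.2 dst=91.121.26.85 type=8 code=0 id=2382 [UNREPLIED] src=91.121.26.85 dst=192.168.0.46 type=0 code=0 id=2382
[UPDATE] icmp 1 30 src=10.0.1.2 dst=91.121.26.85 type=8 code=0 id=2382 src=91.121.26.85 dst=192.168.0.46 type=0 code=0 id=2382
[DESTROY] icmp 1 src=10.0.1.2 dst=91.121.26.85 type=8 code=0 id=2382 src=91.121.26.85 dst=192.168.0.46 type=0 code=0 id=2382
[NEW] udp 17 30 src=10.0.1.2 dst=91.121.26.85 sport=40001 dport=53 [UNREPLIED] src=91.121.26.85 dst=192.168.0.46 sport=53 dport=40001
"""


@dataclass
class ConntrackEvent:
    event: str                 # NEW, UPDATE or DESTROY
    proto: str                 # icmp, udp, tcp, ...
    protonum: int
    timeout: Optional[int]     # seconds left; absent on DESTROY lines
    state: Optional[str]       # tcp state token (e.g. SYN_SENT), if present
    flags: List[str]           # UNREPLIED, ASSURED, ...
    orig: Dict[str, str]       # original-direction tuple (pre-NAT)
    reply: Dict[str, str]      # reply-direction tuple (post-NAT)

    @property
    def nat_binding(self) -> Tuple[str, str, str]:
        """(internal source, NAT external address, destination).
        After source NAT the reply tuple's dst is the translated source."""
        return self.orig["src"], self.reply["dst"], self.orig["dst"]

    @property
    def external_port(self) -> Optional[int]:
        """Translated source port (reply dport); for ICMP echo the id plays that role."""
        if "dport" in self.reply:
            return int(self.reply["dport"])
        if "id" in self.reply:
            return int(self.reply["id"])
        return None


def parse_event(line: str) -> ConntrackEvent:
    """Parse one `conntrack -E` line: [EVENT] proto protonum [timeout] [state] tuple [flags] tuple."""
    tokens = line.split()
    if len(tokens) < 3 or not (tokens[0].startswith("[") and tokens[0].endswith("]")):
        raise ValueError(f"not a conntrack event line: {line!r}")
    event, proto, protonum = tokens[0][1:-1], tokens[1], int(tokens[2])
    timeout = state = None
    flags: List[str] = []
    tuples: List[Dict[str, str]] = []
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])             # e.g. [UNREPLIED]
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key == "src":                    # each tuple starts with src=
                tuples.append({})
            if not tuples:
                raise ValueError(f"field {tok!r} before first src= in {line!r}")
            tuples[-1][key] = value
        elif not tuples and tok.isdigit() and timeout is None:
            timeout = int(tok)                  # NEW/UPDATE carry the remaining timeout
        elif not tuples and state is None:
            state = tok                         # tcp state such as SYN_SENT
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
    if len(tuples) != 2:
        raise ValueError(f"expected original and reply tuples in {line!r}")
    return ConntrackEvent(event, proto, protonum, timeout, state, flags, tuples[0], tuples[1])


class NatMonitor:
    """Replays conntrack events to keep the set of live NAT bindings."""

    def __init__(self) -> None:
        self.bindings: Dict[tuple, ConntrackEvent] = {}

    def feed(self, line: str) -> ConntrackEvent:
        ev = parse_event(line)
        key = (ev.proto, tuple(sorted(ev.orig.items())))   # flow identity = original tuple
        if ev.event in ("NEW", "UPDATE"):
            self.bindings[key] = ev
        elif ev.event == "DESTROY":
            self.bindings.pop(key, None)
        return ev

    def _on(self, proto: str, external_addr: str) -> List[ConntrackEvent]:
        return [ev for ev in self.bindings.values()
                if ev.proto == proto and ev.reply["dst"] == external_addr]

    def used_external_ports(self, proto: str, external_addr: str) -> Set[int]:
        return {ev.external_port for ev in self._on(proto, external_addr)}

    def free_external_ports(self, proto: str, external_addr: str,
                            port_range: Iterable[int]) -> Set[int]:
        return set(port_range) - self.used_external_ports(proto, external_addr)

    def stale_bindings(self, proto: str, external_addr: str,
                       allowed_ports: Iterable[int]) -> List[ConntrackEvent]:
        """Bindings whose external port is no longer in the configured range."""
        allowed = set(allowed_ports)
        return [ev for ev in self._on(proto, external_addr) if ev.external_port not in allowed]


def delete_command(ev: ConntrackEvent) -> str:
    """The `conntrack -D` invocation that removes this binding, keyed on the original tuple."""
    parts = ["conntrack", "-D", "-p", ev.proto, "-s", ev.orig["src"], "-d", ev.orig["dst"]]
    for key, flag in (("sport", "--sport"), ("dport", "--dport"),
                      ("type", "--icmp-type"), ("code", "--icmp-code"), ("id", "--icmp-id")):
        if key in ev.orig:
            parts += [flag, ev.orig[key]]
    return " ".join(parts)


def replay(text: str) -> NatMonitor:
    mon = NatMonitor()
    for line in text.splitlines():
        if line.strip():
            mon.feed(line)
    return mon


if __name__ == "__main__":
    mon = replay(SAMPLE_EVENTS)
    for ev in mon.bindings.values():
        print(ev.proto, ev.nat_binding, ev.external_port)
    for ev in mon.stale_bindings("udp", "192.168.0.46", range(50000, 60000)):
        print(delete_command(ev))
```

Fed from a live `conntrack -E` pipe instead of the sample string, `NatMonitor.feed` gives the live view of the NAT table, and the commands from `delete_command` are what a reconfiguration hook would run to drop bindings on ports that are no longer available.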