newnat patch

From kadlec@blackhole.kfki.hu Mon Sep 17 11:16:59 2001
Date: Tue, 28 Aug 2001 11:42:33 +0200 (CEST)
From: Jozsef Kadlecsik 
To: netfilter-devel@lists.samba.org
Cc: Sampsa Ranta 
Subject: [PATCH] newnat patch

Hello,

This is the newnat patch I had worked on lately and mentioned on the list
previously. I sent the previous version of the patch to the devel list and
Harald, but it was filtered out from the list as an oversized message.
(I hope this can get through...) Therefore I summarize all the changes
compared to newnat-0.91 from the cvs:

- noop in destroy_conntrack removed: sibling_list is already empty,
  there is no need to try to delete from an empty list
- bugfix in destroy_conntrack: master expectation is removed the second
  time from the global list (it was deleted when the first expected
  packet arrived).
- bugfix in NAT helpers: ip_nat_delete_sack is called too late, when
  the connection is established, while it must delete SACK from the
  very first packet. Thus it is moved from the helpers to do_bindings.
- max number of expectations per helper implemented: at registering a
  conntrack helper, one must specify the max number of concurrent expected
  connections, which can be served by the helper (0 means no limit).
- the core (i.e. ip_conntrack_expect_related) deals with resent packets,
  therefore there is no need for ip_conntrack_alloc_expect anymore.

Changes since the first version of this patch:

- bug in ip_conntrack_change_expect fixed. The function is also simplified
  a lot (couple of unnecessary checkings removed), so the interface is
  much nicer now.
- mangle function to the nat helpers added: there are cases, when a packet
  must be mangled, even when there is no expectation associated with it.
  Examples:
    - H.323
    - talk

  The new function returns true, when the NAT helper function must be
  called regardless whether there is expectation associated with the
  packet.

Still todo: if there are multiple expectations associated with one packet,
the NAT helpers recalculate the checksum multiple times. Checksum
calculations should probably be moved from the NAT helpers to do_binding.

Stress-tested with my h323 helper routines, still it may do anything on
your machine :-).
newnat3.patch.bz2