Re: [FWD: NAT counting]

From: Luck, Tony (
Date: Mon Feb 10 2003 - 17:34:53 EST

> Linux is not 'being fixed', because I don't regard this as a bug - and
> only bugs need fixing.
> I don't want to have the NAT code to _always_ rewrite the IP ID because
> of performance reasons. I think we should leave the current behaviour
> and provide an _optional_ 'IPID' target for the mangle table. So
> everybody who wants IP ID rewriting can use that target.

The fact that someone can deduce how many hosts are hidden behind
a NAT gateway may, or may not, be a bug ... depending on whether you
think that the NAT is supposed to keep this number a secret. But there
is a real bug here too. Suppose you have two hosts behind your NAT
that both have connections to the same host out in internet-land. And
further suppose that both those hosts have the same value for their
incrementing counter that they use for IPID. And finally suppose that
they both send a fragmented packet to the same port on the same host.

If your NAT router isn't re-writing the IPID, can't the target host get
confused when it sees two fragments that have a source address from your
NAT machine, that have the same IPID ... but really don't belong together?

-Tony Luck
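Added example, not part of this mail or of the Linux NAT code: a small Python model of the reassembly confusion described above. The receiver keys reassembly on (source, destination, protocol, IP ID), as RFC 791 specifies; the inner hosts 10.0.0.2 and 10.0.0.3, the public address 203.0.113.1, the destination 198.51.100.9 and the payloads are constructed values, and `rewrite_id` stands in for an optional IPID-rewriting target.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ip_id: int
    offset: int      # byte offset of this piece in the original datagram
    payload: bytes

def reassemble(frags):
    # Receiver side: group by (src, dst, proto, IP ID), join in offset order.
    # None means two fragments claimed the same offset with different data,
    # so the receiver cannot tell which datagram the pieces belong to.
    groups = defaultdict(lambda: defaultdict(set))
    for f in frags:
        groups[(f.src, f.dst, f.proto, f.ip_id)][f.offset].add(f.payload)
    result = {}
    for key, by_offset in groups.items():
        if any(len(s) > 1 for s in by_offset.values()):
            result[key] = None
        else:
            result[key] = b"".join(next(iter(by_offset[o])) for o in sorted(by_offset))
    return result

def nat(frags, public_ip, rewrite_id=False):
    # Gateway side: source becomes the public IP. With rewrite_id, each inner
    # (src, dst, proto, ID) also gets a fresh outer ID (constructed model).
    ids, fresh, out = {}, count(1000), []
    for f in frags:
        key = (f.src, f.dst, f.proto, f.ip_id)
        new_id = ids.setdefault(key, next(fresh)) if rewrite_id else f.ip_id
        out.append(Fragment(public_ip, f.dst, f.proto, new_id, f.offset, f.payload))
    return out

def sample_fragments():
    # Constructed: two inner hosts whose IPID counters both read 7, each
    # sending a two-fragment UDP (proto 17) datagram to the same destination.
    return [
        Fragment("10.0.0.2", "198.51.100.9", 17, 7, 0, b"AAAAAAAA"),
        Fragment("10.0.0.2", "198.51.100.9", 17, 7, 8, b"AAAA"),
        Fragment("10.0.0.3", "198.51.100.9", 17, 7, 0, b"BBBBBBBB"),
        Fragment("10.0.0.3", "198.51.100.9", 17, 7, 8, b"BBBB"),
    ]

def demo(rewrite_id):
    return reassemble(nat(sample_fragments(), "203.0.113.1", rewrite_id))
```

`demo(False)` yields a single collided group that the receiver cannot reassemble, while `demo(True)` yields the two original datagrams intact.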

