IPfilter NAT and stalled TCP connexions

To: tech-net%netbsd.org@localhost
Subject: IPfilter NAT and stalled TCP connexions
From: Emmanuel Dreyfus <manu%netbsd.org@localhost>
Date: Fri, 26 Mar 2010 11:57:01 +0000

Hello

I use IPFilter on a gateway, to perform 1:1 NAT mapping, and I have
an annoying problem with stalled TCP connexions.

As I understand, the default lifetime of a TCP mapping in the NAT table
is one minute. After one minute of inactivity for the TCP connexion, the
mapping vanishes. If the client sends data, the mapping is reinstantiated
and the TCP connexion resumes normally.

But if the servers sends data on a TCP connexion that has no NAT mapping
at the moment, the data will not get through. When later the client will
send data and reinstantiate the mapping, it has a hard time restoring
the TCP connexion to a usable state. It can remain hang for several
seconds, or just be disconnected.

Question: how can that be fixed? I canincrease the mapping lifetime,
but I suspect I will run into ressource shortage.

-- 
Emmanuel Dreyfus
manu%netbsd.org@localhost

Follow-Ups:
- Re: IPfilter NAT and stalled TCP connexions
  - From: Emmanuel Dreyfus
- Re: IPfilter NAT and stalled TCP connexions
  - From: der Mouse
- Re: IPfilter NAT and stalled TCP connexions
  - From: Greg Troxel

Prev by Date: Re: packet-classifier Summer of Code RFQ
Next by Date: Re: IPfilter NAT and stalled TCP connexions
Previous by Thread: packet-classifier Summer of Code RFQ
Next by Thread: Re: IPfilter NAT and stalled TCP connexions
Indexes:

Home | Main Index | Thread Index | Old Index