[OpenAFS] AFS over NAT
Tino Schwarze
tino.schwarze@informatik.tu-chemnitz.de
Wed, 7 Aug 2002 10:20:31 +0200
On Tue, Aug 06, 2002 at 09:32:50PM -0400, Ray Link wrote:
> > Second, you still have the timeout issue.
>
> Easy enough to fix with any sane NAT box. My ipchains/ipmasq box does
> this with a single command. If your Linux NAT box is running ipchains,
> the following will work for you:
>
> /sbin/ipchains -M -S <TCP> <post-FIN TCP> <UDP>
>
> Where the items between the < > are timeouts, in seconds, for TCP
> sessions, TCP sessions after a "FIN" packet is received, and UDP
> sessions. I believe something around 10 minutes is recommended for
> the UDP timeouts, so as to not break the AFS callbacks. If you're not
> using ipchains, I'm sure iptables has similar functionality.

The UDP timeout needs to be more than 10 minutes. Unfortunately,
iptables does _not_ support altering masq timeouts. This also affects
the ipchains compatibility code since that is not a real ipchains
implementation but uses iptables infrastructure.

The timeout can be altered by looking for "#define UDP.*TIMEOUT" in the
appropriate kernel source directory and setting the value higher (default
is three minutes IIRC).

Bye, Tino.
--
* LINUX - Where do you want to be tomorrow? *
http://www.tu-chemnitz.de/linux/tag/