Hmm. For TCP masquerading, how about using TCP "keepalives" (to the
masqueraded host) to check if the connections are still there? I.e.,
after, say, each expire_time/3, if there has been no traffic, mark the
masqueraded connection as being checked and send a simple TCP ACK to the
"internal" host; then let a single pure ACK reset the counter and the
"checking" state, without forwarding that ACK.

This could solve the FTP command channel expiration problem in a less
hacky way, and provide a way to keep long-lived connections that carry
little data working. Maybe then there would be no need to hand-tune the
timeout in many cases. (And it could be small enough to provide an
advantage in the common case of a fast LAN, where the TCP keepalive
probes should be more bearable.)

This doesn't help at all for UDP, agreed. But for DNS, I'd use a
transparent redirect to a small named helper (only needed if the
clients' resolver checks the source of the reply packet).

-- Janos - Don't worry, my address is real. I'm just bored of spam.
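
The TCP probing scheme described in the message above, as an added example that is not part of the original post and not the Linux masquerading code: a Python simulation of one masquerade table entry. The TCP header is built with the real 20-byte layout (checksum left zero, since nothing goes on the wire); everything else is constructed for illustration: the hypothetical MasqEntry class, the 192.168.1.10 / 10.0.0.1 addresses, the 900 s expire_time, the policy of probing at each expire_time/3 of silence and dropping the entry after two unanswered probes, and the assumption that the masquerader already tracks the next sequence number in both directions (needed to forge a probe the internal host will answer).

```python
"""Simulation of the keepalive-probed masquerade entry proposed above.

Added example, not the Linux ip_masq code.  The TCP header layout is the
real 20-byte one (built with struct, checksum left zero because nothing
is put on the wire); the probing policy, the address/port numbers and
the timings are constructed for illustration.  Assumed: the masquerader
already tracks the next sequence number in each direction, which it
needs in order to forge a plausible probe.
"""
import struct
from dataclasses import dataclass

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HDR = "!HHIIHHHH"  # sport, dport, seq, ack, data-offset/flags, win, csum, urg


def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """Minimal TCP segment: 20-byte header, no options, checksum zero."""
    off_flags = (5 << 12) | flags          # 5 words = 20 bytes, then the flag bits
    hdr = struct.pack(TCP_HDR, sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, off_flags, 65535, 0, 0)
    return hdr + payload


def parse_tcp(segment):
    """Split a segment into its header fields and payload."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        TCP_HDR, segment[:20])
    data_off = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": segment[data_off:]}


def is_pure_ack(seg):
    """Only the ACK bit set and no data: the shape of a keepalive reply."""
    return seg["flags"] == TH_ACK and not seg["payload"]


@dataclass
class MasqEntry:
    internal: tuple      # (ip, port) of the masqueraded host
    external: tuple      # (ip, port) of the remote peer
    expire_time: float   # seconds of silence after which the entry is dropped
    last_seen: float     # time of the last genuine traffic
    int_next_seq: int    # next sequence number the internal host will send
    ext_next_seq: int    # next sequence number the external peer will send
    checking: bool = False
    probes_sent: int = 0

    def observe(self, now, from_internal, segment):
        """A real segment arrived.  Returns ('absorb', None) or ('forward', segment)."""
        seg = parse_tcp(segment)
        if self.checking and from_internal and is_pure_ack(seg):
            # The internal host answered our probe: alive.  Reset, do not forward.
            self.checking, self.probes_sent, self.last_seen = False, 0, now
            return ("absorb", None)
        # Anything else is proof of life as well and is forwarded normally.
        advance = len(seg["payload"]) + bool(seg["flags"] & (TH_SYN | TH_FIN))
        if from_internal:
            self.int_next_seq = seg["seq"] + advance
        else:
            self.ext_next_seq = seg["seq"] + advance
        self.checking, self.probes_sent, self.last_seen = False, 0, now
        return ("forward", segment)

    def tick(self, now):
        """Timer callback.  Returns ('idle', None), ('expire', None) or
        ('probe', {src, dst, tcp}): a segment to inject toward the internal host."""
        idle = now - self.last_seen
        if idle >= self.expire_time:
            return ("expire", None)
        step = self.expire_time / 3
        if self.probes_sent < 2 and idle >= (self.probes_sent + 1) * step:
            self.checking = True
            self.probes_sent += 1
            # RFC 1122 style keepalive: no data, SEQ one below what the receiver
            # expects, so it looks like a stale duplicate and draws a pure ACK.
            # Forged as if it came from the external peer.
            tcp = build_tcp(self.external[1], self.internal[1],
                            self.ext_next_seq - 1, self.int_next_seq, TH_ACK)
            return ("probe", {"src": self.external[0], "dst": self.internal[0], "tcp": tcp})
        return ("idle", None)


def demo():
    """Walk one entry through probe, reply, real data and final expiry.
    Returns the list of (time, action) the masquerader took."""
    # Constructed addresses: an FTP command channel from an internal host.
    e = MasqEntry(("192.168.1.10", 1025), ("10.0.0.1", 21), 900.0, 0.0, 1000, 5000)
    trace = [(100, e.tick(100)[0])]                       # quiet, nothing yet
    act, probe = e.tick(300)                              # idle for expire/3: probe
    trace.append((300, act))
    # Constructed reply the internal host would give to that probe.
    p = parse_tcp(probe["tcp"])
    reply = build_tcp(p["dport"], p["sport"], p["ack"], p["seq"] + 1, TH_ACK)
    trace.append((301, e.observe(301, True, reply)[0]))   # absorbed, timer reset
    data = build_tcp(21, 1025, e.ext_next_seq, e.int_next_seq,
                     TH_ACK | TH_PSH, b"200 OK\r\n")
    trace.append((600, e.observe(600, False, data)[0]))   # real traffic, forwarded
    for t in (900, 1200, 1500):                           # then silence: two probes, drop
        trace.append((t, e.tick(t)[0]))
    return trace
```

demo() shows the entry surviving a quiet spell because the internal host answered the first probe, and expiring only after two probes go unanswered. Two points a real implementation has to settle: the probe only draws an ACK if the forged sequence numbers are plausible, so the masquerader must track them; and swallowing every pure ACK from the internal host while a probe is outstanding will also swallow a genuine ACK it owed the peer, which is harmless on an idle connection but is a gap the peer's own retransmission has to cover. UDP, as the message says, gets nothing from this.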