Just to close the thread, I let you know the following.
About:
> I am fully aware of the situation, but an NSIS signaling session relates to a uni-directional flow. That means: just one direction. So to install FW rules for both directions you will need two NSIS signaling sessions.
Yes you are right. I am sorry for all the comments out of place in some messages in this thread.
Anyway, perhaps if I let you know the following you will understand my situation, and maybe I can help indirectly by presenting a case that is not very clear in the specifications. The questions are not directed at you; they are what I am asking myself. But anyway, if you have some comments, they are welcome.
Below, when I mention NF I try to cover a chain of several NFs with FWs, but actually my implementation is considering the following scenario (only one NF with FW):
NI<--------->NF(FW)
We are using the proxy mode, which consists of an NI and several NFs (no NR at the end of the path). In particular, only one NF in our case.
NI---------NF---------NF---------NF---------NF
As far as I understand, since there is no NR at the end of the path (and therefore this NR cannot become NI+), the last NF in the path becomes an NI+ that will create a session in the opposite direction.
NI<---------------NF [NI+]
When the last NF (now NI+) creates a session in the opposite direction, should it start by creating a session into itself? In other words, if the last NF (working as NI+) does not open its own FW (by sending a CREATE to itself), then no traffic will be able to go through the FW in the last NF.
In our case we have only one NF, and it is the last NSIS node in the path. Then I think that it must create a session into itself and open the FW in the inverse direction.
NI<---------------NF [NI+] ----\
                   ^            |
                   |            |
                   |   CREATE   |
                    ------------/
My implementation needs to open the FW in the inverse direction at the same time that I open the FW for the forward direction. As far as I understand, it should be done as mentioned above, i.e. using an NSIS CREATE (a packet with a CREATE) sent from the NI+ to the NF (to itself in this case).
Sergio
nsis_imp@informatik.uni-goettingen.de
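The scenario Sergio describes, modelled as an added example that is not part of the thread and not the implementation he refers to: a proxy-mode path (NI followed by NFs with firewalls, no NR), a forward CREATE that opens pinholes hop by hop, and the last NF acting as NI+ to signal the reverse flow. The `include_self` switch is an assumption of this toy model; it compares the NI+ sending the reverse CREATE to itself first against skipping its own firewall, and `blocking_nodes` shows which firewall would still drop the reverse flow in each case. No real NSIS message format or API is used.

```python
"""Toy model of NATFW NSLP proxy mode (no NR at the end of the path).

Constructed illustration only: not the NSIS implementation from the thread,
and no real NSIS message formats. Node names, pinholes, the addresses below
and the `include_self` switch are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    """A uni-directional flow: one NSIS session covers exactly one Flow."""
    src: str
    dst: str


@dataclass
class Node:
    name: str
    has_fw: bool                            # NF with a firewall, or the plain NI
    pinholes: Set[Flow] = field(default_factory=set)
    downstream: Optional["Node"] = None     # next hop away from the NI
    upstream: Optional["Node"] = None       # next hop back towards the NI

    def install(self, flow: Flow) -> None:
        """A CREATE for `flow` opens a pinhole in this node's FW (if it has one)."""
        if self.has_fw:
            self.pinholes.add(flow)

    def permits(self, flow: Flow) -> bool:
        return not self.has_fw or flow in self.pinholes


def build_path(nf_count: int) -> List[Node]:
    """NI followed by nf_count NFs, each with a FW; no NR at the end (proxy mode)."""
    assert nf_count >= 1, "proxy mode needs at least one NF"
    nodes = [Node("NI", has_fw=False)]
    nodes += [Node(f"NF{i}", has_fw=True) for i in range(1, nf_count + 1)]
    for a, b in zip(nodes, nodes[1:]):
        a.downstream, b.upstream = b, a
    return nodes


def create_downstream(first_nf: Node, flow: Flow, log: List[str]) -> Node:
    """Forward the NI's CREATE hop by hop from the first NF; returns the last NF."""
    cur = first_nf
    while True:
        cur.install(flow)
        log.append(f"{cur.name} receives CREATE {flow.src}->{flow.dst}")
        if cur.downstream is None:
            return cur
        cur = cur.downstream


def create_upstream(ni_plus: Node, flow: Flow, log: List[str], include_self: bool) -> None:
    """The last NF acts as NI+ and signals the reverse flow back towards the NI.

    include_self=True: the NI+ first sends the CREATE to itself, opening its own FW.
    include_self=False: the NI+ skips its own FW and signals only the upstream nodes.
    """
    cur = ni_plus if include_self else ni_plus.upstream
    while cur is not None:
        cur.install(flow)
        log.append(f"{cur.name} receives CREATE {flow.src}->{flow.dst} (from NI+)")
        cur = cur.upstream


def proxy_mode_setup(nodes: List[Node], fwd: Flow, include_self: bool) -> List[str]:
    """Two sessions: NI -> last NF for `fwd`, then NI+ -> NI for the reverse flow."""
    log: List[str] = []
    ni = nodes[0]
    log.append(f"{ni.name} sends CREATE {fwd.src}->{fwd.dst}")
    last_nf = create_downstream(ni.downstream, fwd, log)
    rev = Flow(fwd.dst, fwd.src)            # the opposite direction needs its own session
    create_upstream(last_nf, rev, log, include_self)
    return log


def blocking_nodes(nodes: List[Node], flow: Flow) -> List[str]:
    """Names of nodes whose FW would drop `flow` with the pinholes installed so far."""
    return [n.name for n in nodes if not n.permits(flow)]


if __name__ == "__main__":
    fwd = Flow("10.0.0.1", "192.0.2.10")    # constructed addresses
    rev = Flow("192.0.2.10", "10.0.0.1")
    for include_self in (False, True):
        path = build_path(nf_count=1)        # NI <---> NF(FW), as in the thread
        for line in proxy_mode_setup(path, fwd, include_self):
            print(line)
        print(f"include_self={include_self}: forward blocked at {blocking_nodes(path, fwd)}, "
              f"reverse blocked at {blocking_nodes(path, rev)}")
```

With a single NF the difference is stark: the forward flow passes either way, but the reverse flow is dropped by the only firewall on the path unless the NI+ sends the CREATE to itself. With a longer chain the upstream NFs are opened in both cases, and the last NF is the only node left blocking the reverse flow when it skips its own firewall.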