From: "Jannes Faber" <jafaber@zonnet.nl>
To: "Mattias Rönnblom" <hofors@lysator.liu.se>
Cc: netfilter@lists.samba.org
Subject: Re: packets dropped when using MASQ and QUEUE
Date: Fri, 6 Sep 2002 18:37:53 +0200
Message-ID: <003101c255c3$bf468a10$3303a8c0@p951>
In-Reply-To: m34rd43dag.fsf@isengard.firemission.org

I experimented again with the scripts I wrote to do this, but it really
doesn't work. If you NF_ACCEPT a packet without altering it, there is no
problem and the masquerading works ok. But as soon as you try to NF_ACCEPT
an altered packet it gets lost.

On the other hand when you send a packet to the box itself (so there is no
NAT), it works perfectly: including the altered packets.

I tried to refind the articles I read about it a few months back, but I
couldn't find them again.

I think what you need is a new target that can alter the packets in
kernel-space for you. Like the TOS target can alter the TOS bits, you need
something like a REPLACE target or maybe even a REGEXP target. There already
exists a string match extension (in patch-o-matic I think) that lets you
search through the packet contents, but as far as I know not something to
alter the packets.

Jannes Faber

From: "Mattias Rönnblom" <hofors@lysator.liu.se>
> "sufcrusher" <sufcrusher@zonnet.nl> writes:
>
> > I've had the exact same problem. I did a google search on this and found out
> > pretty quickly that this is how it's supposed to be. For a really technical
> > explanation you might want to do a google search yourself, but it comes down
> > to the fact that the userspace program can only completely ACCEPT or
> > DENY/REJECT a packet. It can *not* let the packet continue traversing the
> > chains/tables.
>
> Cannot continue traversing that particular chain (FORWARD, in my case),
> or any chain? My MASQ rules are on the POSTROUTING chain.
>
> And if it's a design flaw in QUEUE, how come it works for some of
> the packets, but not all?
>
> Kind regards,
> Mattias