mangle after nat in the postrouting chain

mangle after nat in the postrouting chain

[Akos Szalkai]

Hello,

is there any kind of patch (or even consideration to create one) for
packet mangling in the POSTROUTING chain after NAT?  (At least as far as
I see, right now it's mangle first, then NAT.)  I can also see the
advantages of mangle before NAT, so perhaps the ideal solution would be
mangling twice on the POSTROUTING chain, if it is possible.

The situation where I would find mangling after NAT very handy is the
following.  I have two independent internet connections, and a few NAT
rules which eventually decide the source address of the outgoing packet.
And only now, knowing the source address is it possible to route the
packet correctly.  Since we are way after routing here, only mangle
could help.

Please correct me if I am not understanding things correctly.

Akos

-- 
Akos Szalkai <szalkai@2f.hu>
IT Consultant, CISA
2F 2000 Szamitastechnikai es Szolgaltato Kft.
Tel: (+36-1)-4887700  Fax: (+36-1)-4887709  WWW: http://www.2f.hu/

RE: mangle after nat in the postrouting chain

[Daniel Chemko]

You are off basis. The System already routes twice.

The problem is that it SNAT's after you've already routed the packet.
You will have to mark the packet in the PREROUTING chain then setup
iproute2 rules that describe what to do with it.

I've had many bad experiences with getting iproute2 working under
'complex' configurations, so it is up to you in getting it to work the
way you'd like. There is also the ROUTE patch, but it doesn't do what I
want it to do (change the packet's route!!).


-----Original Message-----
From: Akos Szalkai [mailto:szalkai@2fkft.com] 
Sent: Friday, November 28, 2003 9:34 AM
To: netfilter@lists.netfilter.org
Subject: mangle after nat in the postrouting chain

Hello,

is there any kind of patch (or even consideration to create one) for
packet mangling in the POSTROUTING chain after NAT?  (At least as far as
I see, right now it's mangle first, then NAT.)  I can also see the
advantages of mangle before NAT, so perhaps the ideal solution would be
mangling twice on the POSTROUTING chain, if it is possible.

The situation where I would find mangling after NAT very handy is the
following.  I have two independent internet connections, and a few NAT
rules which eventually decide the source address of the outgoing packet.
And only now, knowing the source address is it possible to route the
packet correctly.  Since we are way after routing here, only mangle
could help.

Please correct me if I am not understanding things correctly.

Akos

-- 
Akos Szalkai <szalkai@2f.hu>
IT Consultant, CISA
2F 2000 Szamitastechnikai es Szolgaltato Kft.
Tel: (+36-1)-4887700  Fax: (+36-1)-4887709  WWW: http://www.2f.hu/

Re: mangle after nat in the postrouting chain

[Jeffrey Laramie]

On Friday 28 November 2003 12:33, Akos Szalkai wrote:
> Hello,
>
> is there any kind of patch (or even consideration to create one) for
> packet mangling in the POSTROUTING chain after NAT?  (At least as far as
> I see, right now it's mangle first, then NAT.)  I can also see the
> advantages of mangle before NAT, so perhaps the ideal solution would be
> mangling twice on the POSTROUTING chain, if it is possible.
>
> The situation where I would find mangling after NAT very handy is the
> following.  I have two independent internet connections, and a few NAT
> rules which eventually decide the source address of the outgoing packet.
> And only now, knowing the source address is it possible to route the
> packet correctly.  Since we are way after routing here, only mangle
> could help.

So you want to mangle the packet based on which interface it gets SNATed to in 
POSTROUTING? Could you post the nat and mangle rules you're using or would 
like to use?

Jeff

Re: mangle after nat in the postrouting chain

[Akos Szalkai]

On Fri, Nov 28, 2003 at 09:50:46AM -0800, Daniel Chemko wrote:
> You are off basis. The System already routes twice.

Yes, I know that.  This is not my problem.

> The problem is that it SNAT's after you've already routed the packet.

This is much closer to my problem, see below.

>                 There is also the ROUTE patch, but it doesn't do what I
> want it to do (change the packet's route!!).

Yes, I am heavily using the ROUTE patch.  It does change the packet's
route.  I don't think you can live without it in a multiple independent
internet link environment.  Still, ROUTE targets are in the mangle
table, so still, it is SNAT-ed after you reroute the packets with a
ROUTE rule.

I can get around this by making a more complex rulebase, but it would be
much neater if I could mangle packets after NATing.  (The iproute2
solution you mentioned is also a possibility, but it has the drawback
that you have to use something else besides netfilter.  The ROUTE patch
is very similar but IMHO more manageable.)

Akos

-- 
Akos Szalkai <szalkai@2f.hu>
IT Consultant, CISA
2F 2000 Szamitastechnikai es Szolgaltato Kft.
Tel: (+36-1)-4887700  Fax: (+36-1)-4887709  WWW: http://www.2f.hu/