* mangle after nat in the postrouting chain
From: Akos Szalkai @ 2003-11-28 17:33 UTC
  To: netfilter

Hello,

is there any kind of patch (or even consideration to create one) for
packet mangling in the POSTROUTING chain after NAT?  (At least as far as
I see, right now it's mangle first, then NAT.)  I can also see the
advantages of mangle before NAT, so perhaps the ideal solution would be
mangling twice on the POSTROUTING chain, if it is possible.

The situation where I would find mangling after NAT very handy is the
following.  I have two independent internet connections, and a few NAT
rules which eventually decide the source address of the outgoing packet.
And only now, knowing the source address, is it possible to route the
packet correctly.  Since we are way after routing here, only mangle
could help.

Please correct me if I am not understanding things correctly.

Akos

-- 
Akos Szalkai <szalkai@2f.hu>
IT Consultant, CISA
2F 2000 Szamitastechnikai es Szolgaltato Kft.
Tel: (+36-1)-4887700  Fax: (+36-1)-4887709  WWW: http://www.2f.hu/


* RE: mangle after nat in the postrouting chain
From: Daniel Chemko @ 2003-11-28 17:50 UTC
  To: Akos Szalkai, netfilter

You are off basis. The system already routes twice.

The problem is that it SNATs after you've already routed the packet.
You will have to mark the packet in the PREROUTING chain, then set up
iproute2 rules that describe what to do with it.

I've had many bad experiences with getting iproute2 working under
'complex' configurations, so it is up to you in getting it to work the
way you'd like. There is also the ROUTE patch, but it doesn't do what I
want it to do (change the packet's route!!).
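
The approach described in the reply above (mark in PREROUTING, then iproute2 rules keyed on the mark), as an added example that is not part of the thread. It only prints the commands; the interface names, marks, table ids, RFC 5737 addresses and the per-subnet match are constructed assumptions standing in for whatever the NAT rules decide on.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run: prints commands, changes nothing.
# Interfaces, marks, table ids and addresses below are constructed placeholders.

# emit_uplink MARK TABLE DEV GATEWAY SNAT_ADDR LAN_SRC
emit_uplink() {
    mark=$1; table=$2; dev=$3; gw=$4; snat=$5; lan_src=$6
    # Mark 0 means "unmarked", so it cannot select an uplink.
    case $mark in ''|0|*[!0-9]*) echo "bad mark: $mark" >&2; return 1;; esac
    # Tables 0 and 253-255 (default, main, local) are reserved by iproute2.
    case $table in ''|*[!0-9]*) echo "bad table: $table" >&2; return 1;; esac
    if [ "$table" -lt 1 ] || [ "$table" -gt 252 ]; then
        echo "bad table: $table" >&2; return 1
    fi
    # 1. Make the uplink decision before routing, as a mark.
    # 2. Give that mark its own routing table with its own default route.
    # 3. Let SNAT follow the same mark, so address and route always agree.
    cat <<EOF
iptables -t mangle -A PREROUTING -s $lan_src -j MARK --set-mark $mark
ip route add default via $gw dev $dev table $table
ip rule add fwmark $mark table $table
iptables -t nat -A POSTROUTING -o $dev -m mark --mark $mark -j SNAT --to-source $snat
EOF
}

# Two independent uplinks, one internal subnet steered to each.
emit_policy() {
    emit_uplink 1 101 eth1 192.0.2.1 192.0.2.10 10.0.1.0/24 || return 1
    emit_uplink 2 102 eth2 198.51.100.1 198.51.100.10 10.0.2.0/24 || return 1
    echo "ip route flush cache"
}

emit_policy
```

Review the printed commands, then pipe them to `sh` as root to apply them.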

