From: Philip Craig <philipc@snapgear.com>
To: Stephen Frost <sfrost@snowman.net>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Re: Netfilter+IPsec patches
Date: Wed, 18 Aug 2004 14:31:31 +1000
Message-ID: <4122DBA3.7080900@snapgear.com>
In-Reply-To: <20040818034549.GE21419@ns.snowman.net>

Stephen Frost wrote:
> This is DNAT'ing, btw, I wasn't specific about that before, sorry.
> un-NAT'ing should happen pre-routing, I think...  Like this:
> Packet shows up on eth1 from 1.1.1.1 -> 1.2.3.4
> Gateway NAT's from 1.2.3.4 -> 10.1.2.3 (internal address)
> Gateway does routing on NAT'd packet, finds eth2
> Gateway sends packet out eth2 to the 10.1.2.3 machine
> 10.1.2.3 machine sends reply from 10.1.2.3 to 1.1.1.1
> Gateway unNAT's from 10.1.2.3 -> 1.2.3.4
> Gateway does routing on unNAT'd packet, should find eth1
> Gateway sends packet out eth1 to the 1.1.1.1 machine

I don't know what the ipsec patches change, but for unpatched kernels,
this is how it works:  If you DNAT in one direction, there is an
automatic SNAT in the other direction (or unNAT as you call it)
which is performed in the POST_ROUTING hook.  So for your example,
the routing is based on a packet with source 10.1.2.3.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com

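The hook order Philip describes, written out as a small model so the routing step can be inspected. This is an added example, not code from the netfilter project or from anyone in this thread. It models an unpatched kernel as he describes it: the DNAT rule is applied as a destination manipulation in PREROUTING, the routing decision follows, and the automatic reverse translation of the reply (a source manipulation) is applied in POSTROUTING. Addresses and interface names are taken from Stephen's example; the routing table, the `Gateway` class and its method names are assumptions made for the illustration.

```python
"""Model of netfilter hook traversal for a DNAT'd connection.

Added example, not netfilter code.  Addresses and interfaces are
those from the thread; the route table and class layout are assumed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Hop:
    hook: str
    src: str
    dst: str
    iface: str = ""


# Constructed routing table of the gateway: (destination network, interface).
ROUTES = [
    (ip_network("10.1.2.0/24"), "eth2"),
    (ip_network("0.0.0.0/0"), "eth1"),
]

# Constructed DNAT rule (public address -> internal address), as an
# `iptables -t nat -A PREROUTING -d 1.2.3.4 -j DNAT --to 10.1.2.3`
# rule would install.
DNAT = {"1.2.3.4": "10.1.2.3"}


class Gateway:
    """Forwarding path of one packet: PREROUTING -> routing -> POSTROUTING."""

    def __init__(self):
        # Conntrack-style table of DNAT'd flows, keyed by the reply
        # tuple (src, dst), so the reverse mapping can be found later.
        self.reply_map = {}
        self.trace = []

    def prerouting(self, pkt):
        # Destination manipulation only: apply the DNAT rule to a new
        # flow and remember how its reply must be un-NAT'd.
        new_dst = DNAT.get(pkt.dst)
        if new_dst is not None:
            self.reply_map[(new_dst, pkt.src)] = pkt.dst
            pkt = replace(pkt, dst=new_dst)
        self.trace.append(Hop("PREROUTING", pkt.src, pkt.dst))
        return pkt

    def route(self, pkt):
        # Longest-prefix lookup is not needed for this tiny table; the
        # first matching entry wins, with the default route last.
        dst = ip_address(pkt.dst)
        iface = next(i for net, i in ROUTES if dst in net)
        self.trace.append(Hop("ROUTING", pkt.src, pkt.dst, iface))
        return pkt, iface

    def postrouting(self, pkt):
        # Source manipulation only: the reply of a DNAT'd flow gets its
        # source rewritten back to the public address here, after routing.
        orig_dst = self.reply_map.get((pkt.src, pkt.dst))
        if orig_dst is not None:
            pkt = replace(pkt, src=orig_dst)
        self.trace.append(Hop("POSTROUTING", pkt.src, pkt.dst))
        return pkt

    def forward(self, pkt):
        pkt = self.prerouting(pkt)
        pkt, iface = self.route(pkt)
        pkt = self.postrouting(pkt)
        return pkt, iface


def run_example():
    """Walk Stephen's request and reply through the gateway."""
    gw = Gateway()
    req, req_if = gw.forward(Packet("1.1.1.1", "1.2.3.4"))   # arrives on eth1
    rep, rep_if = gw.forward(Packet("10.1.2.3", "1.1.1.1"))  # arrives on eth2
    routing_hops = [h for h in gw.trace if h.hook == "ROUTING"]
    return {
        "request": (req.src, req.dst, req_if),
        "reply": (rep.src, rep.dst, rep_if),
        # What the routing decision for the reply actually saw as source.
        "reply_src_seen_by_routing": routing_hops[1].src,
        "trace": [(h.hook, h.src, h.dst, h.iface) for h in gw.trace],
    }


if __name__ == "__main__":
    for hop in run_example()["trace"]:
        print(*hop)
```

Running it prints the six hops; the one to check is the reply's ROUTING hop, which carries source 10.1.2.3 and destination 1.1.1.1, while the packet only becomes 1.2.3.4 -> 1.1.1.1 at POSTROUTING. Any source-based decision taken between those two hooks (policy routing on the source address, for instance) therefore sees the internal address, which is the point Philip is making.
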

Thread overview:
2004-05-26  3:35 Netfilter+IPsec patches Alexander Samad
2004-05-27  0:56 ` Patrick McHardy
2004-05-27  4:46   ` Alexander Samad
2004-08-18  2:40     ` Stephen Frost
2004-08-18  2:48       ` Stephen Frost
2004-08-21 15:30         ` Patrick McHardy
2004-08-18  3:28       ` Philip Craig
2004-08-18  3:45         ` Stephen Frost
2004-08-18  4:05           ` Alexander Samad
2004-08-18  4:31           ` Philip Craig [this message]
