* SNAT multicast traffic
From: Paolo Rossi @ 2005-02-08 9:13 UTC
To: netfilter-devel
Hi all,
I have trouble with netfilter. I need to perform SNAT on outgoing multicast packets. The multicast packets come from
a private network and I can't announce this private network in my routing domain. Because our routers manage multicast
traffic with the PIM-SM protocol and PIM performs RPF (reverse path forwarding), the clients can't see the multicast traffic.
I've read that netfilter doesn't support multicast SNAT, why?
Is there someone who can help me?
Thanks
Best wishes
Paolo
* Re: SNAT multicast traffic
From: Harald Welte @ 2005-02-08 14:46 UTC
To: Paolo Rossi; +Cc: netfilter-devel
On Tue, Feb 08, 2005 at 10:13:29AM +0100, Paolo Rossi wrote:
> Hi all,
>
> I have trouble with netfilter. I need to perform SNAT on outgoing
> multicast packets. The multicast packets come from a private network and I can't
> announce this private network in my routing domain. Because our routers
> manage multicast traffic with the PIM-SM protocol and PIM performs RPF (reverse
> path forwarding), the clients can't see the multicast traffic. I've read
> that netfilter doesn't support multicast SNAT, why?
netfilter/iptables doesn't implement multicast NAT at all. This is due
to its strictly stateful, fully symmetric implementation, which
obviously doesn't fit the multicast paradigm (where 'reply' packets of a
multicast 'connection' don't have the inverted
sourceip<->destinationip).
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Re: SNAT multicast traffic
From: Paolo Rossi @ 2005-02-08 13:52 UTC
To: Harald Welte; +Cc: netfilter-devel
Harald Welte wrote:
>On Tue, Feb 08, 2005 at 10:13:29AM +0100, Paolo Rossi wrote:
>
>>Hi all,
>>
>>I have trouble with netfilter. I need to perform SNAT on outgoing
>>multicast packets. The multicast packets come from a private network and I can't
>>announce this private network in my routing domain. Because our routers
>>manage multicast traffic with the PIM-SM protocol and PIM performs RPF (reverse
>>path forwarding), the clients can't see the multicast traffic. I've read
>>that netfilter doesn't support multicast SNAT, why?
>
>netfilter/iptables doesn't implement multicast NAT at all. This is due
>to its strictly stateful, fully symmetric implementation, which
>obviously doesn't fit the multicast paradigm (where 'reply' packets of a
>multicast 'connection' don't have the inverted
>sourceip<->destinationip).
>
Thank you very much, Harald.
Is it possible to perform stateless NAT in Linux?
* Re: SNAT multicast traffic
From: Samuel Jean @ 2005-02-09 13:55 UTC
To: Paolo Rossi; +Cc: netfilter-devel
On Tue, February 8, 2005 8:52 am, Paolo Rossi said:
> Is it possible to perform stateless NAT in Linux?
No, the NAT subsystem works on behalf of the conntrack subsystem.
There's no NAT without conntrack.
Also, once conntrack knows the NAT action for a particular
tuple, the packet doesn't hit PREROUTING of the nat table anymore.
HTH,
Samuel
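The two explanations above (Harald's symmetric-tuple point and Samuel's point that the nat-table rule is consulted only for the first packet of a connection) can be seen in a toy model. This is an added example written for this thread, not netfilter code: it keeps a connection table keyed by the original and the inverted (reply) tuple, evaluates the SNAT rule only when a tuple is unknown, and refuses to build a mapping whose reply tuple would have a multicast source, since such a packet can never arrive. Addresses and the prefix are constructed sample values.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str

    def inverted(self) -> Flow:
        return Flow(self.dst, self.src)

@dataclass
class Entry:
    orig: Flow    # tuple as the first packet was seen
    reply: Flow   # tuple an answering packet must carry after SNAT

def reply_is_representable(entry: Entry) -> bool:
    """A reply can only exist if its source is not a multicast group."""
    return not ipaddress.ip_address(entry.reply.src).is_multicast

class ConntrackNat:
    """Toy stateful SNAT: a mapping exists only as a connection entry."""
    def __init__(self, src_prefix: str, new_src: str) -> None:
        self.src_prefix = ipaddress.ip_network(src_prefix)
        self.new_src = new_src
        self.table: dict[Flow, tuple[Entry, str]] = {}
        self.rule_lookups = 0  # how often the nat-table rule was consulted

    def handle(self, pkt: Flow) -> Flow:
        hit = self.table.get(pkt)
        if hit is None:
            # Unknown tuple: only here is the SNAT rule evaluated
            self.rule_lookups += 1
            if ipaddress.ip_address(pkt.src) in self.src_prefix:
                entry = Entry(orig=pkt, reply=Flow(pkt.dst, self.new_src))
            else:
                entry = Entry(orig=pkt, reply=pkt.inverted())  # no NAT binding
            if not reply_is_representable(entry):
                return pkt  # multicast: no inverse tuple, so no mapping is kept
            self.table[entry.orig] = (entry, "ORIGINAL")
            self.table[entry.reply] = (entry, "REPLY")
            hit = self.table[pkt]
        entry, direction = hit
        if direction == "ORIGINAL":
            return Flow(entry.reply.dst, pkt.dst)   # rewrite source
        return Flow(pkt.src, entry.orig.src)         # undo it on the reply
```

Running a unicast flow through the model shows one rule lookup for the whole connection, while a packet to a 239.0.0.0/8 group leaves the table untouched and passes untranslated.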
* Re: SNAT multicast traffic
From: Bill Rugolsky Jr. @ 2005-02-09 14:18 UTC
To: Samuel Jean; +Cc: Paolo Rossi, netfilter-devel
On Wed, Feb 09, 2005 at 08:55:43AM -0500, Samuel Jean wrote:
> On Tue, February 8, 2005 8:52 am, Paolo Rossi said:
>
> > Is it possible to perform stateless NAT in Linux?
>
> No, the NAT subsystem works on behalf of the conntrack subsystem.
> There's no NAT without conntrack.
>
> Also, once conntrack knows the NAT action for a particular
> tuple, the packet doesn't hit PREROUTING of the nat table anymore.
Well, there is "route nat" in 2.4 (see the iproute documentation). However,
it was broken by the IPsec changes to 2.6, and subsequently removed
from the 2.6 kernel.
Alternatives with 2.6 include queuing to userspace (slow), some form
of low-level packet mangling using the new tc pedit action interface
(obscure, as with everything tc ;-p), or convincing someone to fix and
re-add route nat.
Regards,
Bill Rugolsky