* REDIRCT vs. DNAT...
@ 2005-04-22 22:12 Taylor, Grant
2005-04-22 22:24 ` Jason Opperisano
2005-04-23 8:05 ` Jose Maria Lopez Hernandez
0 siblings, 2 replies; 4+ messages in thread
From: Taylor, Grant @ 2005-04-22 22:12 UTC (permalink / raw)
To: netfilter
Are there any merits to using REDIRECT over (or under) DNAT when redirecting traffic back to the box that is doing the redirecting? Reference Alejandro Villarroel's post (and thread) at https://lists.netfilter.org/pipermail/netfilter/2005-April/059942.html.
I responded with an email stating to REDIRECT the traffic only moments after Jason Opperisano responded stating to DNAT the traffic. I'm just curious if anyone knows of any performance benefits / penalties for using REDIRECT vs. DNAT.
Grant. . . .
* Re: REDIRCT vs. DNAT...
From: Jason Opperisano @ 2005-04-22 22:24 UTC (permalink / raw)
To: netfilter
On Fri, Apr 22, 2005 at 05:12:41PM -0500, Taylor, Grant wrote:
> Are there any merits to using REDIRECT over (or under) DNAT when
> redirecting traffic back to the box that is doing the redirecting?
> Reference Alejandro Villarroel's post (and thread) at
> https://lists.netfilter.org/pipermail/netfilter/2005-April/059942.html.
>
> I responded with an email stating to REDIRECT the traffic only moments
> after Jason Opperisano responded stating to DNAT the traffic. I'm just
> curious if any one knows of any performance benefits / penalties for using
> REDIRECT vs. DNAT.
REDIRECT is a special case of DNAT, where the dst IP is rewritten to the
IP address of the interface the packet is received on (optionally
re-writing the dst port as well).
i used DNAT in my response, as it wasn't clear from the OP what local IP
the translated packets needed to be sent to.
-j
--
"Peter: I'd sell my soul to be famous.
Satan: We've got a live one. Peter.
Assistant: No good, sir. It seems he already sold his soul once in
1977 for Bee Gees tickets and then again in 1983 for half a mallomar."
--Family Guy
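The "special case" relationship described in the message above, shown as an added example that is not part of the original posts: a shell function that rewrites a REDIRECT rule into the DNAT rule with the same effect for one interface. The interface `eth0`, the address `192.0.2.1` and port `3128` are constructed sample values, and the function only builds rule text; it never calls iptables.

```shell
#!/bin/sh
# redirect_to_dnat ADDR RULE...
#   ADDR  primary IPv4 address of the interface the rule matches with -i
#         (assumed known by the caller; constructed sample: 192.0.2.1)
#   RULE  iptables arguments containing "-j REDIRECT [--to-ports PORT]"
# Prints the same rule with the target replaced by the equivalent DNAT.
redirect_to_dnat() {
    addr=$1; shift
    out=""; port=""; seen=0
    while [ $# -gt 0 ]; do
        if [ "$1" = "-j" ] && [ "${2:-}" = "REDIRECT" ]; then
            seen=1; shift 2                 # drop the REDIRECT target
        elif [ "$1" = "--to-ports" ] && [ $# -ge 2 ]; then
            port=$2; shift 2                # remember the optional port
        else
            out="${out:+$out }$1"; shift    # keep every match option
        fi
    done
    if [ "$seen" -ne 1 ]; then
        echo "not a REDIRECT rule" >&2
        return 1
    fi
    # Without --to-ports, REDIRECT leaves the destination port alone,
    # so the DNAT form then carries only the address.
    echo "$out -j DNAT --to-destination $addr${port:+:$port}"
}

# REDIRECT picks the address of the receiving interface for each packet,
# so the rule needs no edit if that address changes. The DNAT form fixes
# the address when the rule is loaded. For locally generated packets
# (OUTPUT chain) REDIRECT maps to 127.0.0.1 instead.
echo "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128"
echo "iptables $(redirect_to_dnat 192.0.2.1 -t nat -A PREROUTING -i eth0 \
    -p tcp --dport 80 -j REDIRECT --to-ports 3128)"
```
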
* Re: REDIRCT vs. DNAT...
From: Taylor, Grant @ 2005-04-22 22:30 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
> REDIRECT is a special case of DNAT, where the dst IP is rewritten to the
> IP address of the interface the packet is received on (optionally
> re-writing the dst port as well).
So is there really any functional difference if you are wanting to redirect the traffic to the interface that it came in on? In other words, do you know of any kernel differences (number of cycles to execute?) in REDIRECT vs. DNAT?
> i used DNAT in my response, as it wasn't clear from the OP what local IP
> the translated packets needed to be sent to.
*nod* I had to read the post more than one time too.
Grant. . . .
* Re: REDIRCT vs. DNAT...
From: Jose Maria Lopez Hernandez @ 2005-04-23 8:05 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
On Fri, 22-04-2005 at 17:12 -0500, Taylor, Grant wrote:
> Are there any merits to using REDIRECT over (or under) DNAT when redirecting traffic back to the box that is doing the redirecting? Reference Alejandro Villarroel's post (and thread) at https://lists.netfilter.org/pipermail/netfilter/2005-April/059942.html.
>
> I responded with an email stating to REDIRECT the traffic only moments after Jason Opperisano responded stating to DNAT the traffic. I'm just curious if anyone knows of any performance benefits / penalties for using REDIRECT vs. DNAT.
I don't really know for sure, but I suppose that if DNAT to the same
machine was better than REDIRECT then REDIRECT would be deprecated. And
as it is the preferred method for squid proxies and the like, I suppose
REDIRECT is the way to go.
I've always used REDIRECT and it has a very very low performance
penalty, so I've never tried DNAT to the same machine.
But I would like to hear from Jason Opperisano about this. He knows far
more than I about Netfilter.
> Grant. . . .
Regards.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"