From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Netfilter Developer Mailing List
	<netfilter-devel@vger.kernel.org>,
	Netfilter Core Team <coreteam@netfilter.org>
Subject: Re: [RFC PATCH] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN
Date: Tue, 22 Jun 2010 09:20:39 +0200	[thread overview]
Message-ID: <4C206447.2040900@trash.net> (raw)
In-Reply-To: <alpine.LSU.2.01.1006201007241.24800@obet.zrqbmnf.qr>

Jan Engelhardt wrote:
> On Thursday 2010-06-17 17:22, Patrick McHardy wrote:
>   
>>>  
>>>       
>>>> PREROUTING performs DNAT. The purpose is to map the two
>>>> identical networks to non-clashing networks. Just consider two
>>>> connections from the same source address and port number
>>>> to the same destination.
>>>>         
>>> If veth0 has 10.0.0.0/24 and veth1 has 10.0.0.0/24,
>>> wouldn't Linux's ARP mechanism already be confused, in
>>> that it only sends ARP to the first network matching
>>> the subnet?
>>>       
>> This patch is intended to be used *without* looping packets through
>> veth. But good point, I chose that example to simplify things, the
>> use case I'm interested in is actually tunnels. Apparently it wasn't
>> the best possible example :)
>>     
>
> Now you completely lost me. Without separate namespaces and veth
> to exchange packets between them,
>
> # ip a
> 8: iptnl1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN 
>     link/ipip 5.6.7.8 peer 1.2.3.4
>     inet 10.0.0.1/24 scope global iptnl1
> 9: iptnl2: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN 
>     link/ipip 5.6.7.8 peer 9.10.11.12
>     inet 10.0.0.1/24 scope global iptnl2
>
> # ip r
> 10.0.0.0/24 dev iptnl1  proto kernel  scope link  src 10.0.0.1 
> 10.0.0.0/24 dev iptnl2  proto kernel  scope link  src 10.0.0.1 
>
> will lead to exclusive delivery to iptnl1 for packets that originate
> from the router itself.
> ...
> Seems sufficient.
>   

How is that sufficient for talking to both networks?

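An added example (mine, not from this thread or the nf_nat patch) that models the clash the thread is discussing: two tunnels carrying the same 10.0.0.0/24, a route lookup that always ties in favour of iptnl1, and a NETMAP-style 1:1 mapping of the iptnl2 side onto a constructed 10.2.0.0/24 so that conntrack tuples and reply routes stop colliding. The peer address 10.0.0.5, the ports and the mapped prefix are assumptions.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed routing table mirroring the "ip r" output in the thread:
# two equally specific connected routes for the same prefix.
ROUTES = [
    (IPv4Network("10.0.0.0/24"), "iptnl1"),
    (IPv4Network("10.0.0.0/24"), "iptnl2"),
]

def route_lookup(dst, routes):
    """Longest-prefix match; on a tie the first matching route wins,
    which is why locally originated traffic only ever leaves via iptnl1."""
    best = None
    for net, dev in routes:
        if IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def netmap(addr, from_net, to_net):
    """1:1 network mapping (NETMAP-style): keep the host bits, swap the prefix."""
    host_bits = int(IPv4Address(addr)) - int(from_net.network_address)
    return str(IPv4Address(int(to_net.network_address) + host_bits))

def tuples_clash(remap_iptnl2):
    """Two peers, one behind each tunnel, both 10.0.0.5:4000 -> 10.0.0.1:22
    (constructed). Returns True if conntrack would see the same tuple twice."""
    peer_via_iptnl1 = "10.0.0.5"
    peer_via_iptnl2 = "10.0.0.5"
    if remap_iptnl2:
        # Source mapping applied to packets arriving on iptnl2 before they
        # reach the local socket (the role the thread gives SNAT in LOCAL_IN).
        peer_via_iptnl2 = netmap(peer_via_iptnl2, IPv4Network("10.0.0.0/24"),
                                 IPv4Network("10.2.0.0/24"))
    t1 = ("tcp", peer_via_iptnl1, 4000, "10.0.0.1", 22)
    t2 = ("tcp", peer_via_iptnl2, 4000, "10.0.0.1", 22)
    return t1 == t2

def reply_device(remap_iptnl2):
    """Device the router's reply to the iptnl2 peer is routed to.
    Without the mapping the reply ties on 10.0.0.0/24 and goes to iptnl1."""
    routes = list(ROUTES)
    dst = "10.0.0.5"
    if remap_iptnl2:
        routes.append((IPv4Network("10.2.0.0/24"), "iptnl2"))
        dst = netmap(dst, IPv4Network("10.0.0.0/24"), IPv4Network("10.2.0.0/24"))
    return route_lookup(dst, routes)
```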

Thread overview (10+ messages):
2010-06-16 15:09 [RFC PATCH] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN Patrick McHardy
2010-06-17  7:28 ` Jan Engelhardt
2010-06-17  7:44   ` Patrick McHardy
2010-06-17  7:52     ` Jan Engelhardt
2010-06-17  7:55       ` Patrick McHardy
2010-06-17  8:58         ` Jan Engelhardt
2010-06-17 15:22           ` Patrick McHardy
2010-06-20  8:31             ` Jan Engelhardt
2010-06-22  7:20               ` Patrick McHardy [this message]
2010-06-28 14:40                 ` Jan Engelhardt
