From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: davem@davemloft.net, netfilter-devel@vger.kernel.org,
	netdev@vger.kernel.org
Subject: Re: [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN
Date: Fri, 02 Jul 2010 16:07:16 +0200	[thread overview]
Message-ID: <4C2DF294.5010206@trash.net> (raw)
In-Reply-To: <alpine.LSU.2.01.1007021452430.11763@obet.zrqbmnf.qr>

Jan Engelhardt wrote:
> On Friday 2010-07-02 14:35, Patrick McHardy wrote:
>>>> Sure they do, if they are destined for the host itself. I'm not sure
>>>> what's so hard to understand about this patch, you have f.i. multiple
>>>> tunnels using the same remote network, on INPUT and POSTROUTING you SNAT
>>>> them to separate networks based on criteria like the network device or
>>>> the IPsec tunnel to be able to distinguish them.
>>>
>>> But they are already distinguishable by the ctmark that is applied
>>> to these connections to do routing of the reply, are they not?
>>
>> It's not (only) about routing, you simply can't have two connections using
>> the same identity.
>
> Which is why the zone thing is added.

I'm not talking about conntrack at all. A connection needs
a unique identity. Just look at the socket lookup code.

> Ah, but I now see that you need to select a zone for it first.. touché.
>
> Still this SNAT-on-INPUT leaves a second taste. Adding another address
> to the tunnel master and using DNAT-on-PREROUTING for local deliveries
> would have also made the connections unambiguous
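The point Patrick is making about connection identity, as an added example that is not part of the original mail or of the netfilter code: a toy model of the local socket lookup, keyed on the full 5-tuple, fed by two tunnels that both carry the same remote network 10.0.0.0/24. Without any rewrite before local delivery the two flows collapse into one identity; with a per-ingress-device SNAT applied in INPUT they land in distinct address ranges and stay apart. The device names (tun0, tun1), the address ranges, the packets and the choice to model the SNAT as a 1:1 host mapping are all constructed for the example, not taken from the page.

```python
"""Toy model of local delivery with and without SNAT in INPUT.

Added example, not kernel code.  Everything below (device names,
prefixes, flows) is constructed for illustration.
"""
import ipaddress
from collections import namedtuple

# The identity a socket lookup is keyed on: protocol plus both endpoints.
Flow = namedtuple("Flow", "proto saddr sport daddr dport")

# Constructed per-device SNAT-on-INPUT rules: (ingress device,
# original remote network, network it is rewritten into).  Modelled as a
# 1:1 host mapping so each remote host keeps a stable, distinct identity.
SNAT_INPUT_RULES = [
    ("tun0", "10.0.0.0/24", "192.168.10.0/24"),
    ("tun1", "10.0.0.0/24", "192.168.20.0/24"),
]


def snat_input(indev, flow, rules=SNAT_INPUT_RULES):
    """Rewrite the source address of `flow` according to the first rule
    matching the ingress device; packets matching no rule are untouched."""
    src = ipaddress.ip_address(flow.saddr)
    for dev, orig, mapped in rules:
        onet = ipaddress.ip_network(orig)
        mnet = ipaddress.ip_network(mapped)
        if dev == indev and src in onet:
            offset = int(src) - int(onet.network_address)
            return flow._replace(saddr=str(mnet.network_address + offset))
    return flow


def local_deliver(packets, snat=True):
    """Walk the packets in order and bind each (possibly rewritten) flow
    to the device it arrived on.  A second device claiming the same
    5-tuple is exactly the ambiguity a real socket lookup cannot resolve,
    so it is reported as an error."""
    owners = {}
    for indev, flow in packets:
        key = snat_input(indev, flow) if snat else flow
        owner = owners.setdefault(key, indev)
        if owner != indev:
            raise ValueError(f"ambiguous identity {key}: {owner} vs {indev}")
    return owners


# Constructed traffic: the same remote host/port pair arrives over both
# tunnels, plus one more host over tun1.
PACKETS = [
    ("tun0", Flow("tcp", "10.0.0.5", 40000, "172.16.0.1", 22)),
    ("tun1", Flow("tcp", "10.0.0.5", 40000, "172.16.0.1", 22)),
    ("tun1", Flow("tcp", "10.0.0.9", 51000, "172.16.0.1", 22)),
]


def without_snat_collides():
    """True if delivering the constructed packets with no rewrite
    produces two connections with the same identity."""
    try:
        local_deliver(PACKETS, snat=False)
    except ValueError:
        return True
    return False


def with_snat_sources():
    """Source addresses the local host sees once SNAT runs in INPUT,
    paired with the tunnel each belongs to."""
    owners = local_deliver(PACKETS, snat=True)
    return sorted((flow.saddr, dev) for flow, dev in owners.items())


if __name__ == "__main__":
    print("collision without SNAT:", without_snat_collides())
    for saddr, dev in with_snat_sources():
        print(f"{dev}: remote seen locally as {saddr}")
```

The model deliberately ignores conntrack marks and zones: a ctmark can steer the reply back to the right tunnel, but it does not change the 5-tuple the socket code uses to find the owning socket, which is why the two unrewritten flows still collide here.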


Thread overview: 19+ messages
2010-07-02  9:52 [PATCH 0/9] netfilter: netfilter update kaber
2010-07-02  9:52 ` [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN kaber
2010-07-02 10:14   ` Jan Engelhardt
2010-07-02 10:17     ` Patrick McHardy
2010-07-02 12:17       ` Jan Engelhardt
2010-07-02 12:35         ` Patrick McHardy
2010-07-02 12:58           ` Jan Engelhardt
2010-07-02 14:07             ` Patrick McHardy [this message]
2010-07-02  9:52 ` [PATCH 2/9] IPVS: one-packet scheduling kaber
2010-07-02  9:52 ` [PATCH 3/9] netfilter: xt_IDLETIMER needs kdev_t.h kaber
2010-07-02  9:52 ` [PATCH 4/9] netfilter: fix simple typo in KConfig for netfiltert xt_TEE kaber
2010-07-02  9:52 ` [PATCH 5/9] netfilter: xt_connbytes: Force CT accounting to be enabled kaber
2010-07-02  9:52 ` [PATCH 6/9] netfilter: complete the deprecation of CONFIG_NF_CT_ACCT kaber
2010-07-02  9:52 ` [PATCH 7/9] netfilter: ipt_LOG/ip6t_LOG: remove comparison within loop kaber
2010-07-02  9:52 ` [PATCH 8/9] netfilter: ipt_LOG/ip6t_LOG: add option to print decoded MAC header kaber
2010-07-02  9:52 ` [PATCH 9/9] bridge: add per bridge device controls for invoking iptables kaber
2010-07-03  5:04 ` [PATCH 0/9] netfilter: netfilter update David Miller
2010-07-03  5:44   ` David Miller
2010-07-03  9:06     ` Patrick McHardy
