From: Chris Frederick <cdf123@cdf123.net>
To: netfilter@vger.kernel.org
Cc: Kristian Evensen <kristian.evensen@gmail.com>
Subject: Re: Packets not hitting the nat POSTROUTING table
Date: Thu, 09 Jan 2014 17:02:51 -0600
Message-ID: <52CF2A9B.3000903@cdf123.net>
In-Reply-To: <CAKfDRXg6ikUtbe3WF6EZTPpDSm_-nPSNPGgXGC95A4GPN9YEhw@mail.gmail.com>

On 01/09/14 16:31, Kristian Evensen wrote:
> Hi Chris,
>
> On Thu, Jan 9, 2014 at 10:57 PM, Chris Frederick <cdf123@cdf123.net> wrote:
>> Any ideas would be helpful.
>
> If I have understood things correctly, packets belonging to an
> established connection do not hit any of the chains in the nat
> table. If you want to mangle/filter/manipulate/... these packets, you
> can use for example the POSTROUTING chain in the mangle table or in
> rawpost. The latter requires xtables-addons as well as a slight change
> to compilation as rawpost was removed in a recent commit. See:
> http://sourceforge.net/p/xtables-addons/xtables-addons/ci/9414a5df343bf30ba13e76dbd7181c55683b11cb/
>
> -Kristian

When you say "established connection", are you talking about a TCP-level established connection, or is this from conntrack identifying the connection?  I guess what I'm asking is if doing a NOTRACK in raw would allow the packets through and still pass through nat/POSTROUTING?

I did see that they are hitting the POSTROUTING chain in the mangle table, but I can't SNAT from there.  Does xtables-addons provide this?  I'll probably start looking there.

The Changelog from the sourceforge link mentions the code was removed because it was unmaintained.  Is that the only reason, or was this a policy decision to remove that functionality to make way for something different?  I would just worry about the future if I patch the system now.

Thanks Kristian,

Chris Frederick
