From: Amin Azez <azez@ufomechanic.net>
To: netfilter-devel@lists.netfilter.org
Subject: snat bridge routes reply packets
Date: Wed, 28 Sep 2005 17:05:44 +0100 [thread overview]
Message-ID: <dhef0t$mj3$1@sea.gmane.org> (raw)
I have a bridge setup snat'ing some IP's that aren't actually on the
bridge subnet.
That works fine except that the nat code doesn't know what to do with
the de-snat'd packets and tries to send them to the default gateway.
This makes sense, but it's routing, not bridging.
Bridging dnat would keep track of the physdev and src mac as well as the
src ip and ignore arp altogether when re-issueing the de-snat'd
responses; it would write the de-snat'd packet back out to the original
interface and targeted to the original mac.
I think bridging snat can be detected when the target mac of the packet
that causes the conntrack to be created does not match the mac of the
physdev the packet comes in on (i.e. the snat'ing box is not being used
as a gateway).
In such cases the physdev and srcmac must be saved.
(Co-incidentally I'm already doing this in my contrack mods which will
no doubt get merged into nf_conntrack that does some layer 2 stuff)
So my real questions are:
1) Am I nuts?
2) Any tips on skipping the arp cache stuff on the de-snat'd response,
as I have a reference to the physdev and target mac already available?
I also think there is some mileage in checking the src_mac when looking
up conntracks in the orig direction, to avoid having to presume that the
same ip address does not exist on different physdev of the same bridge -
to thus allow them both to be snat'd independantly.
Sam Azez
next reply other threads:[~2005-09-28 16:05 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-09-28 16:05 Amin Azez [this message]
2005-09-28 19:56 ` snat bridge routes reply packets Henrik Nordstrom
2005-09-29 8:42 ` Amin Azez
2005-09-29 10:11 ` Henrik Nordstrom
2005-09-29 12:19 ` Amin Azez
2005-09-29 12:49 ` Martijn Lievaart
2005-09-29 13:12 ` Amin Azez
2005-09-29 15:20 ` Martijn Lievaart
2005-09-29 16:33 ` Henrik Nordstrom
2005-09-30 5:27 ` Martijn Lievaart
2005-09-30 11:24 ` Henrik Nordstrom
2005-10-03 10:48 ` Amin Azez
2005-10-03 12:24 ` Henrik Nordstrom
2005-10-04 10:58 ` Amin Azez
2005-09-30 9:28 ` Amin Azez
2005-09-29 14:35 ` Henrik Nordstrom
2005-09-30 9:56 ` Amin Azez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='dhef0t$mj3$1@sea.gmane.org' \
--to=azez@ufomechanic.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.