From: Russell Senior <seniorr@aracnet.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] multiple uplinks/iptables -t nat -PREROUTING funny
Date: Sat, 12 Apr 2003 20:04:36 +0000
Message-ID: <marc-lartc-105017799612800@msgid-missing>
In-Reply-To: <marc-lartc-105004797308651@msgid-missing>

>>>>> "Martin" = Martin A Brown <mabrown-lartc@securepipe.com> writes:

Russell> When I connect to the port forwarded address from the
Russell> outside, it looks like the returning packets are getting
Russell> routed _before_ the source IP is translated (and thus aren't
Russell> matching a special rule and thus get routed according to the
Russell> default rule).  Everything else seems to be working fine.

Russell> Has anyone seen this?  Is it a bug or am I just confused?

Martin> This is not a bug--this is a fact of packet flow through the
Martin> kernel.  See the kernel packet traveling diagram (KPTD) [1]
Martin> for more details on the sequence of operations.  So to answer
Martin> your question: you must be confused!  :)

What that very nice diagram doesn't show is how the reply packets to
DNAT'd connections are handled.  The prima facie evidence seems to be
that DNAT was in the PREROUTING iptable and "consequently" the reverse
translation should occur before routing.  That is the source of my
confusion.

Martin> You should try adding just one more rule:

Martin> # ip rule add from 192.168.0.2 table T2

That would "work", but it is kind of messy.  What if I have a second
DNAT from IF1 that also forwards to 192.168.0.2?  It would get
complicated in a hurry.  

All would be solved if the reverse translation just occurred in
PREROUTING as seems like it "should".  I don't understand yet why it
doesn't.  Perhaps there is a good reason that I just don't see.  Or,
maybe there isn't a good reason, and it should be "fixed".  Too soon
for me to say.

If anyone can point me at some detailed documentation on DNAT or even
the relevant bits of the source code, I'd really appreciate it!

-- 
Russell Senior         ``I've seen every kind of critter God ever made,
seniorr@aracnet.com      and I ain't never seen a meaner, lower, more
                         stinkin' yellow hypocrite than you!'' 
                                        -- Burl Ives as Rufus Hennessy
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
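As an added example (not code from the thread or either of its authors): a sketch of the two-uplink setup being discussed, with the `ip rule add from 192.168.0.2 table T2` rule Martin suggested beside a connection-mark variant that also covers the second-DNAT case Russell raises, since a reply from the internal host is routed while its source address is still the internal one. Interface names, gateway addresses, the DNAT port and the table numbers are assumed placeholders, and the CONNMARK part assumes a kernel and iptables with conntrack-mark support.

```shell
#!/bin/sh
# Added example, not code from the thread. Two uplinks IF1/IF2 with routing
# tables T1/T2; a DNAT on IF2 forwards DNAT_PORT to the internal host INT
# (192.168.0.2 as in the thread). Names, addresses and numbers are assumed.
# A reply from INT is routed while its source is still INT (the reverse
# translation happens after routing), so a source-based rule cannot tell two
# DNATs apart once both forward to INT. A connection mark keyed on the
# ingress uplink, restored in mangle PREROUTING, is a key that survives NAT.
IF1=eth1; GW1=203.0.113.1
IF2=eth2; GW2=198.51.100.1
LAN=eth0; INT=192.168.0.2; DNAT_PORT=80
T1=1; T2=2

run() {
    # DRY_RUN=1 prints the commands; otherwise they execute (needs root).
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_tables() {
    run ip route add default via "$GW1" dev "$IF1" table "$T1"
    run ip route add default via "$GW2" dev "$IF2" table "$T2"
}

setup_dnat() {
    run iptables -t nat -A PREROUTING -i "$IF2" -p tcp --dport "$DNAT_PORT" \
        -j DNAT --to-destination "$INT"
}

# The rule suggested in the thread: fine for one DNAT, but a second DNAT on
# IF1 toward INT would have its replies sent out IF2 as well.
setup_source_rule() {
    run ip rule add from "$INT" table "$T2"
}

# Alternative: remember the ingress uplink per connection, route replies by it.
setup_connmark() {
    run iptables -t mangle -A PREROUTING -i "$IF1" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$T1"
    run iptables -t mangle -A PREROUTING -i "$IF2" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$T2"
    run iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --restore-mark
    run ip rule add fwmark "$T1" table "$T1"
    run ip rule add fwmark "$T2" table "$T2"
}
setup_all() { setup_tables; setup_dnat; setup_connmark; }
case "${1:-}" in
    show)  DRY_RUN=1 setup_all ;;
    apply) setup_all ;;
esac
```

Run it with `show` to print the command list, or as root with `apply` to install it.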
