From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: davem@davemloft.net, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN
Date: Fri, 02 Jul 2010 12:17:55 +0200
Message-ID: <4C2DBCD3.20208@trash.net>
In-Reply-To: <alpine.LSU.2.01.1007021212490.16691@obet.zrqbmnf.qr>
Jan Engelhardt wrote:
> On Friday 2010-07-02 11:52, kaber@trash.net wrote:
>
>> 2.6.34 introduced 'conntrack zones' to deal with cases where packets
>> from multiple identical networks are handled by conntrack/NAT. Packets
>> are looped through veth devices, during which they are NATed to private
>> addresses, after which they can continue normally through the stack
>> and possibly have NAT rules applied a second time.
>>
>> This works well, but is needlessly complicated for cases where only
>> a single SNAT/DNAT mapping needs to be applied to these packets.
>>
>
> I still have not grasped why SNAT is needed in the INPUT path. For the
> tunnel scenario that you wanted to build I could not find a reason to
> do SNAT in that place - since the non-encapsulated packets don't go
> through INPUT anyway.
>
Sure they do, if they are destined for the host itself. I'm not sure
what's so hard to understand about this patch, you have f.i. multiple
tunnels using the same remote network, on INPUT and POSTROUTING you SNAT
them to separate networks based on criteria like the network device or
the IPsec tunnel to be able to distinguish them.
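The scenario Patrick describes, written out as an added ruleset that is not part of the original thread or the patch: two tunnels whose peers both use the same remote network are given distinct local source networks, in nat/INPUT for traffic to the host itself and in nat/POSTROUTING for forwarded traffic. Device names, mark values and addresses are constructed; it uses the NETMAP target (a 1:1 network mapping, so per-host addresses stay distinguishable) and assumes that target is accepted in the nat INPUT chain on the kernel in use.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits (does not run) iptables
# commands so the mapping can be reviewed before it is applied.

# Rules for one tunnel. Arguments: input device, a small integer used as
# the packet mark, the overlapping remote network as seen on the wire,
# and the unique network it is mapped to on this host.
tunnel_nat_rules() {
    dev=$1; mark=$2; remote=$3; mapped=$4
    # Tag packets by the device they arrived on: POSTROUTING cannot match
    # -i itself, so the mark carries that information through the stack.
    printf 'iptables -t mangle -A PREROUTING -i %s -j MARK --set-mark %s\n' \
        "$dev" "$mark"
    # Same mapping in both nat chains: INPUT for traffic to this host
    # (what the patch enables), POSTROUTING for forwarded traffic.
    # Assumption: NETMAP is permitted in nat INPUT on this kernel.
    for chain in INPUT POSTROUTING; do
        printf 'iptables -t nat -A %s -m mark --mark %s -s %s -j NETMAP --to %s\n' \
            "$chain" "$mark" "$remote" "$mapped"
    done
}

# Constructed scenario: ipsec0 and ipsec1 both carry a peer LAN numbered
# 10.0.0.0/24; locally they become 10.1.0.0/24 and 10.2.0.0/24.
overlapping_tunnel_ruleset() {
    tunnel_nat_rules ipsec0 1 10.0.0.0/24 10.1.0.0/24
    tunnel_nat_rules ipsec1 2 10.0.0.0/24 10.2.0.0/24
}

# Number of rules the scenario produces (three per tunnel).
overlapping_tunnel_rule_count() {
    overlapping_tunnel_ruleset | wc -l | tr -d ' '
}

# Print the ruleset; pipe it to sh to apply once reviewed.
overlapping_tunnel_ruleset
```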