>>>>> "Martin" == Martin A Brown <mabrown-lartc@xxxxxxxxxxxxxx> writes:

Russell> When I connect to the port forwarded address from the
Russell> outside, it looks like the returning packets are getting
Russell> routed _before_ the source IP is translated (and thus aren't
Russell> matching a special rule and thus get routed according to the
Russell> default rule). Everything else seems to be working fine.
Russell> Has anyone seen this? Is it a bug or am I just confused?

Martin> This is not a bug--this is a fact of packet flow through the
Martin> kernel. See the kernel packet traveling diagram (KPTD) [1]
Martin> for more details on the sequence of operations. So to answer
Martin> your question: you must be confused! :)

What that very nice diagram doesn't show is how the reply packets to
DNAT'd connections are handled. The prima facie evidence seems to be
that DNAT was in the PREROUTING iptable and "consequently" the reverse
translation should occur before routing. That is the source of my
confusion.

Martin> You should try adding just one more rule:

Martin> # ip rule add from 192.168.0.2 table T2

That would "work", but it is kind of messy. What if I have a second
DNAT from IF1 that also forwards to 192.168.0.2? It would get
complicated in a hurry. All would be solved if the reverse translation
just occurred in PREROUTING as seems like it "should". I don't
understand yet why it doesn't. Perhaps there is a good reason that I
just don't see. Or, maybe there isn't a good reason, and it should be
"fixed". Too soon for me to say.

If anyone can point me at some detailed documentation on DNAT or even
the relevant bits of the source code, I'd really appreciate it!

--
Russell Senior         ``I've seen every kind of critter God ever made,
seniorr@xxxxxxxxxxx      and I ain't never seen a meaner, lower, more
                         stinkin' yellow hypocrite than you!''
                                        -- Burl Ives as Rufus Hennessy
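Added example, not part of the thread above and not code from either poster: a script that handles the case Russell raises, two uplinks that both port-forward to 192.168.0.2, where Martin's `ip rule add from 192.168.0.2 table T2` cannot tell the two connections apart. Instead of keying the routing decision on the source address (which, as the thread notes, is still the untranslated 192.168.0.2 when the reply is routed, because the reverse DNAT is applied in nat POSTROUTING, after routing), it records the inbound uplink in the connection's conntrack mark on the first packet, copies that mark onto each reply packet in mangle PREROUTING (which runs before the routing decision), and selects the table with an `fwmark` rule. Everything topology-specific is assumed: interface names eth0/eth1/eth2, table ids 101/102 standing in for the thread's T1/T2, the remote client 198.51.100.10, and that the per-uplink default routes in those tables already exist. With the default DRY_RUN=1 the script only prints the commands it would run; DRY_RUN=0 executes them and needs root.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): route replies to a DNAT'd
# service back out the uplink the connection arrived on, using conntrack
# marks instead of a per-internal-host "ip rule add from ..." rule.
#
# Assumed topology (constructed for this example):
#   IF1=eth0  uplink 1, routing table 101 (the thread's "T1")
#   IF2=eth1  uplink 2, routing table 102 (the thread's "T2")
#   LAN=eth2  internal side; port-forward target 192.168.0.2
# Tables 101 and 102 are assumed to already hold a default route via
# their respective uplink. DRY_RUN=1 (default) prints the commands;
# DRY_RUN=0 executes them (requires root).

IF1=${IF1:-eth0}
IF2=${IF2:-eth1}
LAN=${LAN:-eth2}
T1=101
T2=102
TARGET=192.168.0.2
REMOTE=198.51.100.10   # constructed client address (TEST-NET-2), for the check only

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Port-forward TCP/80 on both uplinks to the same internal host. This is
# the "second DNAT from IF1" situation where a source-based rule fails.
add_port_forwards() {
    run iptables -t nat -A PREROUTING -i "$IF1" -p tcp --dport 80 -j DNAT --to-destination "$TARGET"
    run iptables -t nat -A PREROUTING -i "$IF2" -p tcp --dport 80 -j DNAT --to-destination "$TARGET"
}

# Original direction: the first packet of a new connection tells us which
# uplink it came in on; store that in the conntrack entry (CONNMARK).
# Reply direction: replies enter from the LAN with the untranslated source
# 192.168.0.2 (reverse DNAT happens in nat POSTROUTING, after routing), so
# copy the saved mark onto the packet in mangle PREROUTING, which runs
# before the routing decision, and let an fwmark rule choose the table.
apply_policy_routing() {
    run iptables -t mangle -A PREROUTING -i "$IF1" -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$IF2" -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
    run iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --restore-mark
    run ip rule add fwmark 1 table "$T1"
    run ip rule add fwmark 2 table "$T2"
}

# Check: ask the kernel which route a reply from the target carrying the
# given mark would take. With DRY_RUN=0 the answer should name the uplink
# that corresponds to the mark (eth1 for mark 2 in this topology).
check_reply_route() {
    mark=$1
    run ip route get "$REMOTE" from "$TARGET" iif "$LAN" mark "$mark"
}

add_port_forwards
apply_policy_routing
check_reply_route 2
```

The mangle PREROUTING hook is consulted before the routing decision, so the restored mark is visible when `ip rule` is evaluated; the nat POSTROUTING hook then rewrites the source address of the reply after the table has already been chosen. Connections that originate from the LAN carry no mark, so they fall through to the main table as before.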