On Wed, Jan 16, 2002 at 01:54:05PM -0300, Martin Ferrari - Decidir IT wrote:
> > Of course it "ignores" your source address tables. The rules that DNAT
> > constructs for replies are applied *after* checking your
> > source address tables.
> > So at this time you do not yet have the new source address in
> > your packet.
>
> That is what I was suspecting... But why is it this way? NAT isn't done in
> PRE-routing??
>

de-DNAT is a kind of SNAT (with automatically constructed rules). As such
it's located in POST-routing (where all SNAT is done).

I would find it better to construct the automatic rules in (an) extra
chain(s), which can be called at convenient places (and if not where it's
now) by user rules. If you could patch the kernel accordingly it would be
the best solution.

Another solution would be to rely on the "mark connection" feature.

-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
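The "mark connection" workaround the reply suggests, written out as an added example (not code from this thread): the connection is marked when the inbound connection is DNAT'ed and the mark is restored on the replies, so policy routing can pick the uplink by mark rather than by a source address that is only rewritten later in POSTROUTING. The addresses, interface names, mark and table numbers are assumed placeholders, and the CONNMARK target must be available in the kernel and iptables build.

```shell
#!/bin/sh
# Constructed example (not from the thread): give de-DNAT'ed replies the
# route of the public address they will carry, even though the routing
# decision runs before POSTROUTING rewrites their source address.
# All addresses and interface names below are assumed placeholder values.
PUBLIC_IP=203.0.113.10    # public address owned by uplink A
INTERNAL_IP=10.0.0.10     # server the public address is DNAT'ed to
UPLINK_DEV=eth1           # uplink A interface
UPLINK_GW=203.0.113.1     # uplink A next hop
INSIDE_DEV=eth0           # interface facing INTERNAL_IP
MARK=1
TABLE=100
RUN=${RUN:-}              # RUN=echo previews the commands instead of running them

ipt() { $RUN iptables "$@"; }
ipr() { $RUN ip "$@"; }

setup_dnat_with_connmark() {
    # mangle/PREROUTING runs before nat/PREROUTING, so -d still sees the
    # public address; --set-mark stores the mark on the connection only,
    # so the inbound packet itself is still routed by the main table.
    ipt -t mangle -A PREROUTING -i "$UPLINK_DEV" -d "$PUBLIC_IP" \
        -m state --state NEW -j CONNMARK --set-mark "$MARK"
    # replies enter from the inside with INTERNAL_IP as source; copy the
    # connection mark onto them before the routing decision is made
    ipt -t mangle -A PREROUTING -i "$INSIDE_DEV" -j CONNMARK --restore-mark
    ipt -t nat -A PREROUTING -i "$UPLINK_DEV" -d "$PUBLIC_IP" \
        -j DNAT --to-destination "$INTERNAL_IP"
    # route by mark instead of by the (not yet rewritten) source address
    ipr route add default via "$UPLINK_GW" dev "$UPLINK_DEV" table "$TABLE"
    ipr rule add fwmark "$MARK" table "$TABLE"
    ipr route flush cache
}

case "${1:-}" in
    apply) setup_dnat_with_connmark ;;   # as root: sh script.sh apply
esac
```

Run with RUN=echo to preview the commands without changing the host.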