Re: NF [PATCH 4/4] xt_gateway

* Patrick McHardy wrote, On 26/11/07 07:30:
> Jan Engelhardt wrote:
>> Netfilter: Import xt_gateway
>>
>>
>> Originally from <azez@xxxxxxxxxxxxxxx>,
>> http://lists.netfilter.org/pipermail/netfilter-devel/2007-June/027954.html
>>
>>
>> This adds a gateway match to iptables that lets you match against the
>> routed ipv4 gateway, it is very useful for SNAT if you want to avoid
>> replicating your routing in your SNAT table.
>>
>> e.g.
>>
>>     iptables -t nat -A POSTROUTING -m gateway --nexthop \
>>         172.16.1.1 -j SNAT --to-address 172.16.1.5
>>     iptables -t nat -A POSTROUTING -m gateway --nexthop \
>>         192.168.1.1 -j SNAT --to-address 192.168.1.25
>>
>> to help you choose the right SNAT address.
>
> I think MASQUERADE with properly set source addresses for
> the routes should do the same since we already use the
> gateway for the lookup.
>
> What advantages does this offer over using realms?

From my point of view, the advantage is that you don't have to use realms.

Also, the match isn't REALLY strongly related to routing, which nexthop
suggests; it's really a dest-MAC match, but where the MAC address is
resolved by IP each time from the neighbour table. So it's also useful
against layer-3 bridges, where the bridge hardware is out of your
control (may change) but has the same IP address, e.g. some hotspots.
Realms can't do that AFAIK.

Sam
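As an added illustration (not code from the patch or from anyone in this thread), a Python simulation of the rule selection the commit message describes: a constructed routing table is consulted by longest-prefix match, and the POSTROUTING rules key on the resulting next-hop gateway rather than on destination prefixes, which is why adding a route needs no change to the NAT table. The prefixes, gateways and SNAT addresses are constructed sample values; the real match resolves the gateway through the neighbour table, which this simplification ignores.

```python
import ipaddress

# Constructed sample routing table: destination prefix -> next-hop gateway,
# in the shape "ip route" would print it. Not taken from the thread.
ROUTES = {
    "172.16.0.0/12":  "172.16.1.1",
    "10.0.0.0/8":     "172.16.1.1",
    "192.168.0.0/16": "192.168.1.1",
    "0.0.0.0/0":      "192.168.1.1",
}

# Constructed POSTROUTING rules in the style of the commit message:
# (-m gateway --nexthop <gw>, -j SNAT --to-address <src>), in rule order.
SNAT_RULES = [
    ("172.16.1.1", "172.16.1.5"),
    ("192.168.1.1", "192.168.1.25"),
]


def lookup_gateway(dst):
    """Longest-prefix-match route lookup; returns the next-hop gateway IP."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def gateway_match(dst, nexthop):
    """xt_gateway semantics (simplified): match when the gateway the
    routing table picks for dst equals the rule's --nexthop address."""
    return lookup_gateway(dst) == nexthop


def select_snat(dst):
    """Walk the POSTROUTING rules in order and return the SNAT source
    address of the first rule whose gateway match succeeds, else None."""
    for nexthop, snat_addr in SNAT_RULES:
        if gateway_match(dst, nexthop):
            return snat_addr
    return None


if __name__ == "__main__":
    for dst in ("10.1.2.3", "192.168.5.5", "8.8.8.8"):
        print(dst, "->", lookup_gateway(dst), "-> SNAT", select_snat(dst))
```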
