Patrick McHardy wrote, On 26/11/07 07:30:
> Jan Engelhardt wrote:
>> Netfilter: Import xt_gateway
>>
>> Originally from <azez@xxxxxxxxxxxxxxx>,
>> http://lists.netfilter.org/pipermail/netfilter-devel/2007-June/027954.html
>>
>> This adds a gateway match to iptables that lets you match against the
>> routed ipv4 gateway, it is very useful for SNAT if you want to avoid
>> replicating your routing in your SNAT table.
>>
>> e.g.
>>
>> iptables -t nat -A POSTROUTING -m gateway --nexthop \
>>   172.16.1.1 -j SNAT --to-address 172.16.1.5
>> iptables -t nat -A POSTROUTING -m gateway --nexthop \
>>   192.168.1.1 -j SNAT --to-address 192.168.1.25
>>
>> to help you choose the right SNAT address.
>
> I think MASQUERADE with properly set source addresses for
> the routes should do the same since we already use the
> gateway for the lookup.
>
> What advantages does this offer over using realms?

From my point of view, the advantage is that you don't have to use realms.

Also, the match isn't REALLY strongly related to routing, which nexthop
suggests; it's really a dest-mac match, but where the mac address is
resolved by IP each time from the neighbour table. So it's also useful
against layer 3 bridges, where the bridge hardware is out of your control
(may change) but has the same IP address; e.g. some hotspots. Realms can't
do that AFAIK.

Sam
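The two approaches argued over in the thread side by side, as an added example that is not part of the original mails or of xt_gateway: one table of nexthop and SNAT address pairs drives either Jan's per-gateway `-m gateway` rules or Patrick's "preferred source on the route plus one MASQUERADE rule" setup. The destination prefixes and the function names are made up for illustration; the commands are printed rather than executed, so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread). Keep the nexthop -> SNAT address
# table in one place and emit either rule set; pipe the output into sh
# to apply on a router.

# Constructed sample table, one "destination-prefix nexthop snat-address"
# per line. Prefixes are invented; the nexthop/address pairs come from
# the thread.
ROUTES='
10.1.0.0/16 172.16.1.1 172.16.1.5
10.2.0.0/16 192.168.1.1 192.168.1.25
'

# Jan's approach: one gateway match per nexthop, SNAT address chosen per rule.
# (Hypothetical helper name.)
gateway_snat_rules() {
    printf '%s\n' "$ROUTES" | while read -r prefix gw src; do
        [ -n "$gw" ] || continue
        printf 'iptables -t nat -A POSTROUTING -m gateway --nexthop %s -j SNAT --to-source %s\n' \
            "$gw" "$src"
    done
}

# Patrick's alternative: set the preferred source address on each route and
# let a single MASQUERADE rule pick it up from the routing lookup.
# (Hypothetical helper name.)
route_src_rules() {
    printf '%s\n' "$ROUTES" | while read -r prefix gw src; do
        [ -n "$gw" ] || continue
        printf 'ip route replace %s via %s src %s\n' "$prefix" "$gw" "$src"
    done
    printf 'iptables -t nat -A POSTROUTING -j MASQUERADE\n'
}

# Number of commands each approach needs; a quick check as the table grows.
rule_count() { "$1" | wc -l | tr -d ' '; }

gateway_snat_rules
route_src_rules
```

Sam's bridge case (same gateway IP, changing hardware) is not covered by the route-src variant, since MASQUERADE only sees the route, not the neighbour table.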