Re: xt_owner-xt_socket plans

On Jan 21 2008 15:46, KOVACS Krisztian wrote:
>> 
>> What problem? Maybe it's a bit shortsighted, but I guess if you just
>> use the conntrack origsrc/dst instead of iph->saddr, it should be a
>> no-brainer, no?
>
>For SNAT, this would be possible. It still wouldn't work for DNAT,
>however... (Imagine you have a DNAT rule on nat/PREROUTING and try to do a
>socket match _before_ traversing that chain.)

While you are right, I do not see a use case for combining -m socket
with DNAT.

There are a few cases I can think of:

1. The user wants to do transparent proxying, i.e. rerouting the
   packet to a localhost process. That is done with -m socket and -j
   MARK, and a reroute based on fwmark, without DNAT.

2. The user wants to forward the packet. In this case, using -m
   socket does not make much sense because the packet is not going to
   be delivered locally.

3. The packet is directly addressed to the host (e.g. 1.3.3.7) itself.
   The host has a secondary IPv4 address (1.3.3.8), and the user
   does, for whatever reason:

	-t nat -A PREROUTING -d 1.3.3.7 -p tcp --dport 80 \
	-j DNAT --to 1.3.3.8:81

   In this third case, I cannot see a reason why one would want to
   use -m socket in a table that comes before "nat".

You are free to enlighten me with a (believable) scenario not listed
here that does depend on socket being in mangle, and uses DNAT :-)
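The transparent-proxy setup of case 1 above (-m socket plus -j MARK plus a
reroute on the fwmark, no DNAT), written out as an added example; this is not
code from the original post or from the netfilter project. It assumes the
TPROXY target is available alongside the socket match, that the proxy listens
on port 8080 (PROXY_PORT) on a socket with IP_TRANSPARENT set, that clients
arrive on the interface IN_IF, and that mark 1 and routing table 100 are
otherwise unused; the run/DRY_RUN helper is this example's own convenience.

```shell
#!/bin/sh
# Added example, not from the original post: "-m socket + -j MARK + fwmark
# reroute" transparent proxying. Assumptions (not stated on the page): the
# TPROXY target exists, the proxy listens on PROXY_PORT with IP_TRANSPARENT,
# clients come in on IN_IF, and mark 1 / table 100 are free.
set -e

IN_IF=${IN_IF:-eth0}
PROXY_PORT=${PROXY_PORT:-8080}
FWMARK=1
RT_TABLE=100

# run: execute a command, or only print it when DRY_RUN is set, so the rule
# set can be reviewed without root, iptables or a kernel at hand.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

tproxy_setup() {
    # 1. Policy routing: anything carrying FWMARK is delivered locally,
    #    whatever its destination address says. No DNAT is involved.
    run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$RT_TABLE"

    # 2. mangle/PREROUTING is traversed before nat/PREROUTING, so the socket
    #    match still sees the packet's original addresses. Packets that
    #    already belong to a local (proxy) socket are marked and accepted.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$IN_IF" -p tcp -m socket -j DIVERT

    # 3. New port-80 connections from the client side are handed to the
    #    proxy by the TPROXY target, which sets the same mark.
    run iptables -t mangle -A PREROUTING -i "$IN_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$FWMARK/$FWMARK" --on-port "$PROXY_PORT"
}

tproxy_teardown() {
    run iptables -t mangle -D PREROUTING -i "$IN_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$FWMARK/$FWMARK" --on-port "$PROXY_PORT"
    run iptables -t mangle -D PREROUTING -i "$IN_IF" -p tcp -m socket -j DIVERT
    run iptables -t mangle -F DIVERT
    run iptables -t mangle -X DIVERT
    run ip route del local 0.0.0.0/0 dev lo table "$RT_TABLE"
    run ip rule del fwmark "$FWMARK" lookup "$RT_TABLE"
}

# Apply only when asked: "DRY_RUN=1 sh tproxy.sh setup" prints the rules,
# "sh tproxy.sh setup" (as root) installs them.
case "${1:-}" in
    setup)    tproxy_setup ;;
    teardown) tproxy_teardown ;;
esac
```

Two things worth checking on a real box: the ordering argument in the post only
holds while the socket match sits in mangle/PREROUTING, so any later rule that
DNATs port 80 on this host will not be seen by it; and the local route in table
100 swallows every packet that carries the mark, so keep the mark private to
these rules and keep the -i and --dport restrictions, or the host quietly turns
into an open proxy for whatever reaches that interface.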