Re: [RFC PATCH] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN

On Thursday 2010-06-17 17:22, Patrick McHardy wrote:
>>  
>>> PREROUTING performs DNAT. The purpose is to map the two
>>> identical networks to non-clashing networks. Just consider two
>>> connections from the same source address and port number
>>> to the same destination.
>>
>> If veth0 has 10.0.0.0/24 and veth1 has 10.0.0.0/24,
>> wouldn't Linux's ARP mechanism already be confused, in
>> that it only sends ARP to the first network matching
>> the subnet?
>
> This patch is intended to be used *without* looping packets through
> veth. But good point, I chose that example to simplify things, the
> use case I'm interested in is actually tunnels. Apparently it wasn't
> the best possible example :)

Now you completely lost me. Without separate namespaces and veth
to exchange packets between them,

# ip a
8: iptnl1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN 
    link/ipip 5.6.7.8 peer 1.2.3.4
    inet 10.0.0.1/24 scope global iptnl1
9: iptnl2: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN 
    link/ipip 5.6.7.8 peer 9.10.11.12
    inet 10.0.0.1/24 scope global iptnl2

# ip r
10.0.0.0/24 dev iptnl1  proto kernel  scope link  src 10.0.0.1 
10.0.0.0/24 dev iptnl2  proto kernel  scope link  src 10.0.0.1 

will lead to exclusive delivery to iptnl1 for packets that originate
from the router itself.

And for pure forwarding without considering the router,

 -t mangle -A PREROUTING -i iptnl1 -j MARK 1 + -j CT 1
 -t mangle -A PREROUTING -i iptnl2 -j MARK 1 + -j CT 2
 -t nat -A PREROUTING  -m mark --mark 1 -d 10.0.0.1 -j RETURN
 -t nat -A PREROUTING  -m mark --mark 1 -d 10.0.1.0/24 -j NETMAP --to 10.0.0.0/24
 -t nat -A POSTROUTING -m mark --mark 1 -s 10.0.0.0/24 -j NETMAP --to 10.0.1.0/24

ip ru a from 10.0.0.0/24 to 10.0.0.0/24 dev iptnl1 table 1
ip r a default dev iptnl2 table 1

ip ru a from 10.0.0.0/24 to 10.0.0.0/24 dev iptnl2 table 2
ip r a default dev iptnl1 table 2

Seems sufficient.
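A small Python model of the rule set above, added here as an illustration and not part of the original message or of any kernel code: it applies the NETMAP translation (network bits swapped, host bits kept) and the interface-based policy routing to constructed sample packets, assuming the mark matches on both tunnels and leaving conntrack zones out of the model.

```python
import ipaddress

# Constructed model of the quoted rules; the addresses are the ones from the mail.
ROUTER = ipaddress.ip_address("10.0.0.1")
REAL = ipaddress.ip_network("10.0.0.0/24")   # what both tunnel peers really use
ALIAS = ipaddress.ip_network("10.0.1.0/24")  # how each peer sees the other side

# ip rule ... dev iptnl1 table 1 -> default dev iptnl2, and the mirror image
EGRESS = {"iptnl1": "iptnl2", "iptnl2": "iptnl1"}


def netmap(addr, src_net, dst_net):
    """NETMAP semantics: replace the network part, keep the host bits."""
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def forward(iif, src, dst):
    """Run one packet through nat PREROUTING, routing and nat POSTROUTING.

    Returns (egress_interface, src_after_nat, dst_after_nat); the egress
    interface is None when the packet is delivered to the router itself.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # -t nat PREROUTING -d 10.0.0.1 -j RETURN: the router's own address is untouched
    if dst == ROUTER:
        return (None, str(src), str(dst))
    # -t nat PREROUTING -d 10.0.1.0/24 -j NETMAP --to 10.0.0.0/24
    if dst in ALIAS:
        dst = netmap(dst, ALIAS, REAL)
    # policy routing by ingress interface: always leave via the other tunnel
    oif = EGRESS[iif]
    # -t nat POSTROUTING -s 10.0.0.0/24 -j NETMAP --to 10.0.1.0/24
    if src in REAL:
        src = netmap(src, REAL, ALIAS)
    return (oif, str(src), str(dst))


if __name__ == "__main__":
    # Two packets with identical src/dst, one from each tunnel: after NAT they
    # carry the same addresses but leave through different interfaces.
    for iif in ("iptnl1", "iptnl2"):
        print(iif, "->", forward(iif, "10.0.0.5", "10.0.1.7"))
    print("to router:", forward("iptnl1", "10.0.0.5", "10.0.0.1"))
```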