Jan Engelhardt wrote:
On Friday 2010-07-02 11:52, kaber@xxxxxxxxx wrote:
2.6.34 introduced 'conntrack zones' to deal with cases where packets
>from multiple identical networks are handled by conntrack/NAT. Packets
are looped through veth devices, during which they are NATed to private
addresses, after which they can continue normally through the stack
and possibly have NAT rules applied a second time.
This works well, but is needlessly complicated for cases where only
a single SNAT/DNAT mapping needs to be applied to these packets.
I still have not grasped why SNAT is needed in the INPUT path. For the
tunnel scenario that you wanted to build I could not find a reason to
do SNAT in that place - since the non-encapsulated packets don't go
through INPUT anyway.
Sure they do, if they are destined for the host itself. I'm not sure
what's so hard to understand about this patch, you have f.i. multiple
tunnels using the same remote network, on INPUT and POSTROUTING you SNAT
them to seperate networks based on criteria like the network device or
the IPsec tunnel to be able to distinguish them.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
