On Friday 2010-07-02 14:35, Patrick McHardy wrote:

>>> Sure they do, if they are destined for the host itself. I'm not sure
>>> what's so hard to understand about this patch, you have f.i. multiple
>>> tunnels using the same remote network, on INPUT and POSTROUTING you SNAT
>>> them to separate networks based on criteria like the network device or
>>> the IPsec tunnel to be able to distinguish them.
>>>
>>
>> But they are already distinguishable by the ctmark that is applied
>> to these connections to do routing of the reply, are they not?
>>
>
> It's not (only) about routing, you simply can't have two connections using
> the same identity. Which is why the zone thing is added.

Ah, but I now see that you need to select a zone for it first... touché.

Still this SNAT-on-INPUT leaves a second taste. Adding another address to
the tunnel master and using DNAT-on-PREROUTING for local deliveries would
have also made the connections unambiguous.
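The per-tunnel zone plus SNAT-on-INPUT/POSTROUTING scheme described by Patrick, and the DNAT-on-PREROUTING alternative raised in the reply, as an added shell illustration (not code from the thread or from netfilter itself): device names, prefixes, zone ids, the use of NETMAP as the prefix form of SNAT, and the packet mark used to identify the tunnel in POSTROUTING are all assumptions.

```shell
#!/bin/sh
# Added illustration for the scheme discussed in the thread; not code from
# the netfilter-devel post. Device names, prefixes and zone ids are made up.
# Two tunnels (e.g. tun0, tun1) each carry the same remote prefix OVERLAP.
# Per tunnel: a conntrack zone so identical 5-tuples stay separate entries,
# and NETMAP (prefix-preserving SNAT) on nat INPUT (local delivery) and
# nat POSTROUTING (forwarded) that rewrites OVERLAP to a unique MAPPED prefix.
# With DRY_RUN=1 the commands are printed instead of executed.

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# overlap_rules DEV ZONE OVERLAP MAPPED   (assumes a route for MAPPED via DEV)
overlap_rules() {
    dev=$1 zone=$2 overlap=$3 mapped=$4
    # Packets arriving from this tunnel are tracked in their own zone.
    run iptables -t raw -A PREROUTING -i "$dev" -j CT --zone "$zone"
    # Replies to the (unique) mapped prefix, whether forwarded in from a LAN
    # interface or generated locally, must be looked up in the same zone.
    run iptables -t raw -A PREROUTING -d "$mapped" -j CT --zone "$zone"
    run iptables -t raw -A OUTPUT -d "$mapped" -j CT --zone "$zone"
    # POSTROUTING cannot match -i, so carry the tunnel identity as a mark.
    run iptables -t mangle -A PREROUTING -i "$dev" -j MARK --set-mark "$zone"
    # Source-rewrite the overlapping prefix: locally delivered traffic ...
    run iptables -t nat -A INPUT -i "$dev" -s "$overlap" -j NETMAP --to "$mapped"
    # ... and forwarded traffic.
    run iptables -t nat -A POSTROUTING -m mark --mark "$zone" -s "$overlap" \
        -j NETMAP --to "$mapped"
}

# The alternative from the reply: give the tunnel its own local address and
# DNAT local deliveries in PREROUTING, so each peer's connections already
# differ in their original destination address (no zone needed for them).
# local_dnat_rules DEV TUN_ADDR HOST_ADDR
local_dnat_rules() {
    dev=$1 tun_addr=$2 host_addr=$3
    run ip addr add "$tun_addr/32" dev "$dev"
    run iptables -t nat -A PREROUTING -i "$dev" -d "$tun_addr" \
        -j DNAT --to-destination "$host_addr"
}

# Example: both tunnels present 10.0.0.0/16; map them to 10.1/16 and 10.2/16.
if [ "${1:-}" = "apply" ]; then
    overlap_rules tun0 1 10.0.0.0/16 10.1.0.0/16
    overlap_rules tun1 2 10.0.0.0/16 10.2.0.0/16
fi
```

Run with `DRY_RUN=1 sh script.sh apply` to review the generated ruleset before applying it as root.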