Re: [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN


 



Jan Engelhardt wrote:
On Friday 2010-07-02 14:35, Patrick McHardy wrote:
Sure they do, if they are destined for the host itself. I'm not sure
what's so hard to understand about this patch, you have f.i. multiple
tunnels using the same remote network, on INPUT and POSTROUTING you SNAT
them to separate networks based on criteria like the network device or
the IPsec tunnel to be able to distinguish them.
But they are already distinguishable by the ctmark that is applied
to these connections to do routing of the reply, are they not?
It's not (only) about routing, you simply can't have two connections using
the same identity.

Which is why the zone thing is added.

I'm not talking about conntrack at all. A connection needs
a unique identity. Just look at the socket lookup code.

Ah, but I now see that you need to select a zone for it first... touché.

Still this SNAT-on-INPUT leaves a second taste. Adding another address to the tunnel master and using DNAT-on-PREROUTING for local deliveries would have also made the connections unambiguous.
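To make the two designs argued over in this thread concrete, here is an added example (not code from the thread, the patch series, or either author) that emits the iptables rule sets for both: option A, a conntrack zone per tunnel plus SNAT on the new nat INPUT chain and on POSTROUTING; option B, a zone per tunnel plus a second local address and DNAT on PREROUTING for local deliveries. The interface names (tunA, tunB), zone ids and addresses are constructed, and the INPUT-chain SNAT assumes a kernel and iptables carrying this patch series; the CT, MARK, SNAT and DNAT targets are standard.

```shell
#!/bin/sh
# Added example, not from the thread: rule sets for two tunnels, tunA and tunB,
# whose remote sides both use 10.0.0.0/24 (constructed values throughout).
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Option A (what the patch series enables): give each tunnel its own conntrack
# zone so the duplicate 10.0.0.0/24 tuples do not collide, then SNAT the peer's
# source to a distinct address, both for locally delivered packets (nat INPUT,
# assumed available with this series) and for forwarded ones (POSTROUTING,
# which cannot match -i, so the zone id is carried in the packet mark).
# Arguments: interface, zone id, mapped source address.
snat_in_zone_rules() {
    dev=$1; zone=$2; mapped=$3
    echo "-t raw -A PREROUTING -i $dev -j CT --zone $zone"
    echo "-t mangle -A PREROUTING -i $dev -j MARK --set-mark $zone"
    echo "-t nat -A INPUT -i $dev -s 10.0.0.0/24 -j SNAT --to-source $mapped"
    echo "-t nat -A POSTROUTING -m mark --mark $zone -s 10.0.0.0/24 -j SNAT --to-source $mapped"
}

# Option B (the alternative raised in the last message): keep the peer
# addresses untouched, add one extra local address per tunnel, and DNAT the
# locally delivered packets so the tuples differ in their destination instead.
# The zone is still needed so conntrack can tell the tunnels apart first.
# Arguments: interface, zone id, local address the peer targets, per-tunnel local address.
dnat_local_rules() {
    dev=$1; zone=$2; shared=$3; local_addr=$4
    echo "-t raw -A PREROUTING -i $dev -j CT --zone $zone"
    echo "-t nat -A PREROUTING -i $dev -d $shared -j DNAT --to-destination $local_addr"
}

# Feed a rule set (one rule per line) to iptables (or to echo in a dry run).
apply_rules() {
    while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        $IPT $rule
    done
}

# Option A for both tunnels: peer behind tunA appears as 10.1.0.1,
# peer behind tunB as 10.2.0.1, so local sockets see distinct sources.
snat_in_zone_rules tunA 1 10.1.0.1 | apply_rules
snat_in_zone_rules tunB 2 10.2.0.1 | apply_rules

# Option B for comparison: host address 192.0.2.1 is what both peers target;
# tunB deliveries are redirected to a second local address 192.0.2.2.
dnat_local_rules tunA 1 192.0.2.1 192.0.2.1 | apply_rules
dnat_local_rules tunB 2 192.0.2.1 192.0.2.2 | apply_rules
```

Running the script as-is only prints the iptables commands, which is the safest way to review the two rule sets side by side before choosing one; the only difference in the resulting connection tuples is whether the source (option A) or the destination (option B) is rewritten to make them unique.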
