On 16/07/10 17:04, Pascal Hambourg wrote:
> Bas van Sisseren wrote:
>>
>> On 16/07/10 14:42, Pascal Hambourg wrote:
>>>
>>> 2) I wonder whether it is really useful. The purpose of REDIRECT is to
>>> make sure a packet is redirected to the local machine itself without the
>>> need to care about the machine's address (just as MASQUERADE). If you
>>> don't want to change the destination address or need finer control over
>>> it, I believe DNAT can be used instead. Can you provide a use case?
>>
>> It's a honeypot system with advanced routing and a lot of IP addresses. The
>> honeypot is running as non-root, which complicates usage of ports < 1024.
>> The REDIRECT rule helps us to redirect the connection to higher
>> port numbers. With REDIRECT, we can request the original dst ip:port with
>> the SO_ORIG_DST sockopt. With DNAT the SO_ORIG_DST is not available.
>
> Do you mean SO_ORIGINAL_DST? I'm surprised it does not work with DNAT.
> AFAICS, it uses data from the connection tracking, and it does not
> matter how the NAT mapping was created.

Yes, that's the one. I have to admit I did these experiments before the
netfilter module shuffle (somewhere around the 2.6.18 kernel). I'll have
another look at it.

>>> 3) Why restrict only to the addresses attached to the receiving
>>> interface? Why not extend to any address attached to a host's
>>> interface, or even any local address (such as the whole 127.0.0.0/8
>>> prefix)?
>>
>> I don't see any use for that. :-)
>
> Well, I think it would be more consistent with the Linux "weak" host
> model (all local addresses belong globally to the host instead of a
> single interface); we want to redirect a packet to the local host, so
> if the original destination address is already a local address, we don't
> need to change it.

Ah, you've got a point there.
--
Bas van Sisseren <bas@xxxxxxxxxxxxxxxxx>
Quarantainenet
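The thread above turns on one userspace detail: after a nat-table REDIRECT (or DNAT) has rewritten the destination, an unprivileged listener on a high port can still recover the pre-NAT destination by asking conntrack through the SO_ORIGINAL_DST socket option. The program below is an added illustration of that pattern, not code from the thread or from the netfilter project. It assumes Linux, a TCP socket with a conntrack entry, and a companion rule such as `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080` (constructed for the example); the port numbers and addresses are placeholders. When no NAT mapping exists for the connection (for instance a client that connected straight to port 8080), the getsockopt call fails with ENOENT, which the listener reports rather than treating as an error.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Value of SO_ORIGINAL_DST from <linux/netfilter_ipv4.h>; defined here so
 * the file also builds where that header is absent. It is queried at the
 * SOL_IP level (0), which we spell as IPPROTO_IP for portability. */
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80
#endif

/* Ask conntrack for the pre-NAT destination of the TCP connection on fd.
 * Returns 0 and fills *orig on success; -1 with errno set when fd is not a
 * valid socket, no NAT/conntrack entry exists (ENOENT), or conntrack is not
 * loaded (ENOPROTOOPT). Works for REDIRECT and DNAT alike, since both only
 * create a conntrack NAT mapping. */
int get_original_dst(int fd, struct sockaddr_in *orig)
{
    socklen_t len = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    return getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, orig, &len);
}

/* Render an IPv4 endpoint as "a.b.c.d:port". Returns the number of
 * characters written, or -1 if the buffer is too small. */
int format_endpoint(const struct sockaddr_in *sa, char *buf, size_t buflen)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof(ip)))
        return -1;
    int n = snprintf(buf, buflen, "%s:%u", ip, ntohs(sa->sin_port));
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Build a sockaddr_in from dotted-quad text and a host-order port. */
int make_endpoint(const char *ip, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Unprivileged listener on port 8080 (placeholder); each accepted connection
 * is logged with its peer and the destination the client actually dialled. */
int main(void)
{
    struct sockaddr_in bind_addr, peer, orig;
    char peer_s[64], orig_s[64];
    int one = 1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) { perror("socket"); return 1; }
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    make_endpoint("0.0.0.0", 8080, &bind_addr);
    if (bind(lfd, (struct sockaddr *)&bind_addr, sizeof(bind_addr)) < 0 ||
        listen(lfd, 16) < 0) { perror("bind/listen"); return 1; }
    for (;;) {
        socklen_t plen = sizeof(peer);
        int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (cfd < 0) { perror("accept"); continue; }
        format_endpoint(&peer, peer_s, sizeof(peer_s));
        if (get_original_dst(cfd, &orig) == 0) {
            format_endpoint(&orig, orig_s, sizeof(orig_s));
            printf("%s -> original dst %s\n", peer_s, orig_s);
        } else {
            /* Typically ENOENT: the client hit 8080 directly, no NAT mapping */
            printf("%s -> no original dst (%s)\n", peer_s, strerror(errno));
        }
        close(cfd);
    }
}
```

Because the answer comes from the connection-tracking table rather than from the packet, the same call serves whether the mapping was created by REDIRECT or by DNAT, which is the point Pascal raises in the reply above; the listener must simply run in the same network namespace as the conntrack entry.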