On Fri, Aug 14, 2015 at 04:03:39PM +0200, Daniel Borkmann wrote:
> This work adds a direction parameter to netfilter zones, so identity
> separation can be performed only in original/reply or both directions
> (default). This basically opens up the possibility of doing NAT with
> conflicting IP address/port tuples from multiple, isolated tenants
> on a host (e.g. from a netns) without requiring each tenant to NAT
> twice resp. to use its own dedicated IP address to SNAT to, meaning
> overlapping tuples can be made unique with the zone identifier in
> original direction, where the NAT engine will then allocate a unique
> tuple in the commonly shared default zone for the reply direction.
> In some restricted, local DNAT cases, also port redirection could be
> used for making the reply traffic unique w/o requiring SNAT.

Applied, thanks Daniel.
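As an added illustration (not part of this thread or of the kernel series itself), an iptables-restore fragment for the two-tenant case the description mentions, using the xt_CT target's `--zone-orig` option, the userspace counterpart of this zone direction support. The interface names, addresses and ports are assumptions.

```conf
# Constructed scenario: two tenant namespaces both use 10.0.0.2 internally
# and reach the host via vethA / vethB; the host masquerades on eth0.
# Both tenants may open 10.0.0.2:40000 -> 198.51.100.10:80 at the same time.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Zone applies to the ORIGINAL direction only: the two identical original
# tuples are kept apart by zone id, while the reply direction of both
# connections lives in the shared default zone 0.
-A PREROUTING -i vethA -j CT --zone-orig 1
-A PREROUTING -i vethB -j CT --zone-orig 2
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# MASQUERADE must allocate a reply tuple that is unique in the default
# zone, so the second connection gets a different source port on eth0 and
# return traffic arriving on eth0 is matched without any zone rule.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
```

After loading this with iptables-restore, `conntrack -L` should show two entries with identical original tuples but different NATed source ports in the reply direction; without the two CT rules the second connection would instead collide with the first in the default zone.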