Re: [PATCH nftables 8/8] test: py: add tests for shifted nat port-ranges

On Wed, Apr 12, 2023 at 01:43:51PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > I think my proposal provides a simple way to support this, it's just a
> > new flag in the NAT engine, few lines to handle it and new userspace
> > code to handle -/+offset in a map.
> 
> Yes, thanks for clarifying this. I'm fine with your proposal.
> 
> I think it might even be possible to rework the iptables target
> (the only user of the current shift/offset infra) to work with
> the 'new' delta approach, to avoid cluttering the NAT engine with
> both approaches.

Agreed.

> > Your idea of doing it via payload + math is also good, but it would
> > just require more work to support this NAT port-shift feature in
> > userspace.
> 
> Indeed, it's a lot more work.
>
> > Does this help clarify? I am talking about a completely different
> > design for this feature, not so iptablish.
> 
> Yes, it does.  Agree it's a better solution compared to the existing
> one.

OK, let's move on then :)


