On Tue, 26/12/2006 at 12:09 +0100, Pascal Hambourg wrote:
> > Where does the un-DNAT occur and is there a table/chain that is
> > processed after un-DNAT?
>
> In 2.4 kernels, when DNAT occurs in the PREROUTING chain, un-DNAT occurs
> at the same place as (and in place of) the POSTROUTING chain of the
> 'nat' table, and there is no chain after it. In 2.4 kernels >= 2.4.19,
> when DNAT occurs in the OUTPUT chain, un-DNAT occurs after the INPUT
> chain of the 'filter' table, and there is no chain after it either. I
> suppose it has not changed in 2.6 kernels.
>
> > The problem I have is that reply packets got caught with the real source
> > address, not the one the client has initially connected to. I was
> > catching reply packets in mangle/POSTROUTING.
>
> The POSTROUTING chain of the 'mangle' table is just before the un-DNAT
> place.

Thanks for the reply. You just confirmed my thoughts.

It's really strange to have a need for which a solution has not been invented yet :-/. I'm not used to being one of the first in this area :)

So, this is a subject for a wishlist...

--
Покотиленко Костик <casper@xxxxxxxxxxxx>