Slagter, EM wrote:
> Patrick McHardy wrote:
> > This is expected behaviour. Before NAT takes place, the packet
> > doesn't match a policy, it only does after getting mangled by
> > NAT, but at that point it already passed through your policy
> > matches.
> I think we're not talking about the same thing :-/
> I have a rule in the filter table like this:
> iptables -t filter -A FORWARD -i ... -o ... -s ... -d ... -m policy
> --mode tunnel --pol ipsec --dir out --tunnel-src ... --tunnel-dst ...
> -j ACCEPT
> This rule works as expected, it matches certain ipsec traffic as intended.
> As soon as I add a rule like this to the nat table:
> iptables -t nat -A POSTROUTING -s ... -d ... -j SNAT --to-source ...
> then the OTHER rule (above, the one in the filter table) doesn't match
> anymore. This has nothing to do with the source address having changed
> because even in this "bare" form:
> iptables -t filter -A FORWARD -i ... -o ... -m policy --pol ipsec --dir out
> it doesn't match.
> This one does match (changed --pol ipsec into --pol none):
> iptables -t filter -A FORWARD -i ... -o ... -m policy --pol none --dir out
> Yet the traffic IS being encapsulated like before I applied the SNAT rule.
> That doesn't seem right to me.

Does this rule apply in the direction you do SNAT or to reply packets?
Please post the rules including IP addresses.
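As an added example (not part of the thread, not netfilter's code): a shell audit that reads an iptables-save dump and flags filter FORWARD rules using "-m policy --pol ipsec --dir out" whose -s value is also the -s of an SNAT rule in nat POSTROUTING. FORWARD is traversed before nat POSTROUTING, so such a policy match sees pre-NAT addresses, which is the ordering Patrick describes above. The function name, the sample dump and its addresses are constructed for the example; the comparison is plain string equality on -s, not CIDR overlap.

```shell
#!/bin/sh
# Constructed iptables-save dump (not from the thread). One FORWARD rule
# uses --pol ipsec --dir out on the same -s as the SNAT rule, one uses
# --pol none, and one uses a different -s.
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -d 192.168.5.0/24 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -s 10.0.0.0/24 -d 192.168.5.0/24 -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s 10.0.0.0/24 -m policy --dir out --pol none -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s 10.9.0.0/24 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# audit_policy_vs_snat: read an iptables-save dump on stdin and print
# "<source> <rule>" for every filter FORWARD rule that matches
# "--pol ipsec --dir out" on a -s that is also SNATed in nat POSTROUTING.
# Such a rule is evaluated before the SNAT rewrite, so the policy lookup
# runs against the pre-NAT source address.
audit_policy_vs_snat() {
  awk '
    # return the argument following "-s" in a rule line, or ""
    function src(line,  n, f, i) {
      n = split(line, f, " ")
      for (i = 1; i < n; i++) if (f[i] == "-s") return f[i+1]
      return ""
    }
    /^\*/ { table = substr($0, 2); next }   # "*nat", "*filter", ...
    table == "nat" && $2 == "POSTROUTING" && /-j SNAT/ { snat[src($0)] = 1 }
    table == "filter" && $2 == "FORWARD" && /-m policy/ && /--pol ipsec/ && /--dir out/ {
      s = src($0)
      if (s != "" && (s in snat)) print s " " $0
    }
  '
}

printf '%s\n' "$SAMPLE_DUMP" | audit_policy_vs_snat
```

Run it against a live dump with `iptables-save | audit_policy_vs_snat`; each flagged line is a rule to re-check against the direction in which SNAT is applied.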