Re: Question about NAT, src ports and dst ports.

Hello,

patrick daures wrote:

iptables -t nat -A PREROUTING -d .... -m dscp --dscp 46 -j NETMAP --to
193.0.0.0/8

But (yes, there is a but)
when my tool generates packets, it can create TCP, UDP, ... packets
with dst port and src port values.
When it creates udp packets with DIFFERENT dscp values but using the
SAME ports, iptables rules don't work like I want.
[...]
Is this normal? (I think "yes")

Yes. NAT works on a per-connection basis, not on a per-packet basis. It relies on connection tracking (aka conntrack) to identify which connection a packet belongs to. When a packet belongs to an existing connection, it does not go through the nat chains; instead, the same NAT operations that were applied to the first packet, the one which created the connection, are applied to it. This way the same NAT operations are applied to all the packets belonging to the same connection. Conntrack uses addresses, protocol and ports, but not the DSCP field, to uniquely identify connections. So packets with the same addresses, protocol and ports are associated with the same connection regardless of the DSCP field.

Could I change it? Is it possible to set iptables in order to avoid
the srcPort and dstPort check?

I'm afraid not. You must change at least one element among the source and destination addresses and ports so packets appear to belong to different connections.
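The per-connection behaviour described in this reply, as an added Python model (not code from the thread or from netfilter): conntrack keys a flow by protocol, addresses and ports only, and the nat PREROUTING rule is consulted for a flow's first packet alone. The 10.0.0.0/8 match prefix stands in for the elided "-d ...." and is an assumption, as are the sample addresses and ports.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model: only the fields relevant to this discussion.
Packet = namedtuple("Packet", "proto src sport dst dport dscp")

def conntrack_key(p):
    # conntrack identifies a connection by protocol, addresses and ports;
    # the DSCP field is deliberately not part of the tuple.
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def netmap(addr, match_net, to_net):
    # NETMAP is a 1:1 prefix mapping: keep the host part, swap the network part.
    host_bits = int(ipaddress.ip_address(addr)) & int(match_net.hostmask)
    return str(ipaddress.ip_address(int(to_net.network_address) | host_bits))

class NatPrerouting:
    def __init__(self, match_net, dscp, to_net):
        self.match_net = ipaddress.ip_network(match_net)  # assumed "-d" prefix
        self.dscp = dscp
        self.to_net = ipaddress.ip_network(to_net)
        self.table = {}  # conntrack key -> NAT decision (None = no NAT)
    def rule(self, p):
        # The single rule from the post: -d <net> -m dscp --dscp 46 -j NETMAP --to <net>
        if ipaddress.ip_address(p.dst) in self.match_net and p.dscp == self.dscp:
            return netmap(p.dst, self.match_net, self.to_net)
        return None
    def handle(self, p):
        key = conntrack_key(p)
        if key not in self.table:  # only the first packet of a connection hits the nat chain
            self.table[key] = self.rule(p)
        new_dst = self.table[key]  # every later packet reuses the stored decision
        return new_dst if new_dst is not None else p.dst

def demo():
    # Constructed packets sharing one UDP 5-tuple; only the DSCP differs.
    nat = NatPrerouting("10.0.0.0/8", 46, "193.0.0.0/8")
    ef = Packet("udp", "10.9.9.9", 5000, "10.1.2.3", 53, dscp=46)
    be = Packet("udp", "10.9.9.9", 5000, "10.1.2.3", 53, dscp=0)
    other_port = Packet("udp", "10.9.9.9", 5001, "10.1.2.3", 53, dscp=0)
    results = [nat.handle(ef), nat.handle(be), nat.handle(other_port)]
    # Reversed order: a DSCP 0 packet opens the connection, so later DSCP 46
    # packets with the same tuple are not mapped either.
    nat2 = NatPrerouting("10.0.0.0/8", 46, "193.0.0.0/8")
    reversed_results = [nat2.handle(be), nat2.handle(ef)]
    return results, reversed_results
```

Changing the source port (the third packet) is what creates a new conntrack entry and a fresh rule evaluation, which is the remedy the reply gives.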