Re: NAT + (libnfqueue || libipq): Are there any documents about it?

Hi,

On Sunday, 31 May 2009 at 20:05 -0300, Bruno Moreira Guedes wrote:
> 2009/5/27 Bruno Moreira Guedes <thbmatrix@xxxxxxxxx>:
> > 2009/5/26 Eric Leblond <eric@xxxxxx>:
> >> Hi,
> >>
> >> On Tuesday, 26 May 2009 at 01:53 -0300, Bruno Moreira Guedes wrote:
> >>> Hi all,
> >>>
> >>> I need to do some tasks about translating address in user-space. So, I
> >>> first tried using libipq because it seems to me a library present in a
...
> But, even with the right checksum it doesn't work as expected (by me).
> The packet seems like I dropped it instead of accepting it. So, I ask:
> does netfilter "retranslate" the packet's answer for me? For example:
> 
> 1) I receive in the nat::POSTROUTING a packet and jump it to QUEUE or NFQUEUE;
> 2) By jumping it to QUEUE or NFQUEUE, the packet is sent to user-space
> and "received" by the nfnetlink library
> 3) So, it "goes" to my code through ipq/nfqueue, which changes the
> source addr from 1.1.1.1 to 2.2.2.2
> 4) My code sets the verdict NF_ACCEPT
> 5) The packet is sent to its destination (for example 2.2.2.3)
> 6) The host 2.2.2.3 sends me an ACK, and the IP header has source
> address 2.2.2.3 and destination address 2.2.2.2
> 
> And so, will netfilter automatically make an "answer DNAT" in the ACK
> by changing its destination to 1.1.1.1 and sending it to the 1.1.1.1 host,
> or will it simply accept the packet as it seems to be for the local
> machine?

If you accept the packet in nat POSTROUTING, any NAT action done after
the NFQUEUE rule will be discarded. Thus you will need to do NAT
yourself.

If you want to see what happens, I suggest running "conntrack -E" while
testing. It will show you what the connection tracking is doing.

BR,
-- 
Eric Leblond <eric@xxxxxx>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

Attachment: signature.asc
Description: This is a digitally signed message part
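What "do NAT yourself" comes down to in practice, as an added example that is not part of this thread and not libnetfilter_queue code: a user-space handler that rewrites 1.1.1.1 to 2.2.2.2 on the way out must keep its own binding table, repair both the IP and TCP checksums (the TCP checksum covers a pseudo-header with the addresses, which is the usual reason a "correct" IP checksum still gets the packet dropped), and map the reply to 2.2.2.2 back to 1.1.1.1 itself, since the kernel never recorded a NAT mapping for the flow. The code assumes the buffer is an IPv4/TCP segment as nfq_get_payload() would return it; the addresses, ports, packets and the names nat_outbound/nat_inbound/build_tcp/demo are all constructed for this example.

```c
/* Added example, not from this thread nor from libnetfilter_queue: the mapping
 * table and checksum repair a user-space NAT needs once it rewrites packets in a
 * queue handler. `pkt` is assumed to be an IPv4/TCP segment as nfq_get_payload()
 * would return it; every packet below is constructed for the demo. */
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
struct ipv4_hdr { uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off;
                  uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr; };
struct tcp_hdr  { uint16_t sport, dport; uint32_t seq, ack; uint8_t doff, flags;
                  uint16_t window, check, urg; };
/* One binding: the original source an outbound flow was rewritten from. */
struct nat_entry { uint32_t orig_src, new_src, dst; uint16_t sport, dport; int used; };
#define NAT_MAX 64
static struct nat_entry nat_table[NAT_MAX];
/* RFC 1071 one's-complement sum over big-endian 16-bit words, and its fold. */
static uint32_t csum_add(uint32_t sum, const void *data, size_t len) {
    const uint8_t *p = data;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);
    return sum;
}
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }
/* The TCP checksum also covers a pseudo-header (src, dst, zero, proto, length),
 * which is why changing an IP address invalidates the TCP checksum as well. */
static uint32_t tcp_pseudo_sum(const struct ipv4_hdr *ip, size_t tcp_len) {
    uint8_t pseudo[12]; uint16_t tl = htons((uint16_t)tcp_len);
    memcpy(pseudo, &ip->saddr, 4); memcpy(pseudo + 4, &ip->daddr, 4);
    pseudo[8] = 0; pseudo[9] = ip->protocol; memcpy(pseudo + 10, &tl, 2);
    return csum_add(0, pseudo, 12);
}
/* Recompute both checksums after any header field was rewritten. */
static void fix_checksums(uint8_t *pkt, size_t len) {
    struct ipv4_hdr *ip = (struct ipv4_hdr *)pkt;
    size_t ihl = (ip->ver_ihl & 0x0f) * 4, tl = len - ihl;
    struct tcp_hdr *th = (struct tcp_hdr *)(pkt + ihl);
    ip->check = 0; ip->check = htons(csum_fold(csum_add(0, pkt, ihl)));
    th->check = 0; th->check = htons(csum_fold(csum_add(tcp_pseudo_sum(ip, tl), pkt + ihl, tl)));
}
/* Both checksums verify iff the folded sums, checksum fields included, are 0. */
int checksums_ok(const uint8_t *pkt, size_t len) {
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)pkt;
    size_t ihl = (ip->ver_ihl & 0x0f) * 4, tl = len - ihl;
    return csum_fold(csum_add(0, pkt, ihl)) == 0 &&
           csum_fold(csum_add(tcp_pseudo_sum(ip, tl), pkt + ihl, tl)) == 0;
}
/* Outbound (nat POSTROUTING direction): rewrite src from->to and remember it.
 * Returns 1 if translated, 0 if the packet did not match or the table is full. */
int nat_outbound(uint8_t *pkt, size_t len, uint32_t from, uint32_t to) {
    struct ipv4_hdr *ip = (struct ipv4_hdr *)pkt;
    struct tcp_hdr *th = (struct tcp_hdr *)(pkt + (ip->ver_ihl & 0x0f) * 4);
    if (ip->protocol != 6 || ip->saddr != from) return 0;
    for (int i = 0; i < NAT_MAX; i++) {
        if (nat_table[i].used) continue;  /* real code: reuse per-flow entry, expire */
        nat_table[i] = (struct nat_entry){ from, to, ip->daddr, th->sport, th->dport, 1 };
        ip->saddr = to; fix_checksums(pkt, len);
        return 1;
    }
    return 0;
}
/* Inbound reply: undo the binding (dst to->from). The kernel does not reverse a
 * rewrite it never recorded as a NAT mapping, so the reply to 2.2.2.2 lands here. */
int nat_inbound(uint8_t *pkt, size_t len) {
    struct ipv4_hdr *ip = (struct ipv4_hdr *)pkt;
    struct tcp_hdr *th = (struct tcp_hdr *)(pkt + (ip->ver_ihl & 0x0f) * 4);
    if (ip->protocol != 6) return 0;
    for (int i = 0; i < NAT_MAX; i++) {
        struct nat_entry *e = &nat_table[i];
        if (!e->used || e->new_src != ip->daddr || e->dst != ip->saddr ||
            e->sport != th->dport || e->dport != th->sport) continue;
        ip->daddr = e->orig_src; fix_checksums(pkt, len);
        return 1;
    }
    return 0;
}
/* Constructed 40-byte IPv4/TCP segment (no options, no payload), checksums valid. */
size_t build_tcp(uint8_t *buf, const char *src, const char *dst, uint16_t sport, uint16_t dport, uint8_t flags) {
    struct ipv4_hdr *ip = (struct ipv4_hdr *)buf; struct tcp_hdr *th = (struct tcp_hdr *)(buf + 20);
    memset(buf, 0, 40);
    ip->ver_ihl = 0x45; ip->tot_len = htons(40); ip->ttl = 64; ip->protocol = 6;
    ip->saddr = inet_addr(src); ip->daddr = inet_addr(dst);
    th->sport = htons(sport); th->dport = htons(dport);
    th->doff = 5 << 4; th->flags = flags; th->window = htons(65535);
    fix_checksums(buf, 40);
    return 40;
}
/* The thread's scenario end to end. Returns 0 on success, else the failing step. */
int demo(void) {
    uint8_t out[40] __attribute__((aligned(4))), rep[40] __attribute__((aligned(4)));
    struct ipv4_hdr *oip = (struct ipv4_hdr *)out, *rip = (struct ipv4_hdr *)rep;
    uint32_t orig = inet_addr("1.1.1.1"), nat = inet_addr("2.2.2.2");
    memset(nat_table, 0, sizeof nat_table);
    build_tcp(out, "1.1.1.1", "2.2.2.3", 40000, 80, 0x02);            /* SYN out */
    if (!nat_outbound(out, 40, orig, nat)) return 1;
    if (oip->saddr != nat || !checksums_ok(out, 40)) return 2;
    build_tcp(rep, "2.2.2.3", "2.2.2.2", 80, 40000, 0x12);            /* SYN/ACK back */
    if (!nat_inbound(rep, 40)) return 3;
    if (rip->daddr != orig || !checksums_ok(rep, 40)) return 4;
    build_tcp(rep, "2.2.2.3", "2.2.2.2", 80, 40001, 0x12);            /* no binding */
    return nat_inbound(rep, 40) ? 5 : 0;
}
```

In a real handler, nat_outbound would be called from the queue attached to nat POSTROUTING and nat_inbound from a queue on the inbound path, with the rewritten buffer handed back through nfq_set_verdict() with NF_ACCEPT. The table is keyed on the full address/port tuple so a reply for a flow that was never translated (the last step of demo()) passes untouched; a production version also needs per-flow reuse and expiry of entries. The kernel's own conntrack entry still reflects the pre-rewrite tuple, which is what the "conntrack -E" suggestion above will make visible.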

