Finally got a chance to code up this fix: https://github.com/bronson/libvirt-hook-qemu/tree/hostfix https://github.com/bronson/libvirt-hook-qemu/blob/hostfix/qemu#L67-L95 Works great. Thanks Noel and Pascal. Now I need to work on the disappearing packet. On Mon, Dec 7, 2015 at 4:53 PM, Scott Bronson <bronson@xxxxxxxxxxx> wrote: > On Sat, Dec 5, 2015 at 2:13 AM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote: >> It's not handled specially /per se/. >> It's a side effect of how conntrack and NAT work. The conntrack confirm >> takes place at the end of POSTROUTING, and no new NAT rule can be >> applied on a confirmed connection. >> >> The same applies to packets belonging to an established connection : >> they all skip the nat chains. > > That makes sense (assuming PREROUTING above). Thanks, this seems > way less arbitrary. > > >> The special thing in the loopback path is that there is no need for an >> input routing decision after PREROUTING. So, what would happen if you >> could actually DNAT the packet ? > > I would like to change its destination, then have the routing decision after > PREROUTING send the packet somewhere else. > > Just because it arrived local doesn't mean I want it to stay local! > > But that's no big deal. I'm making the PREROUTING+OUTPUT > chain modifications now, everything looks OK to me. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
