* Why Port trigger of DD-WRT requires nat table storing trigger ?
From: Olshvang, LevX @ 2011-07-27  7:44 UTC
  To: netfilter

Hi all, 

I am porting the DD-WRT port trigger implementation taken from the DDWRT project.
The logic of port trigger says: wait for somebody from the LAN (br0 interface) to send a tcp packet to port 6889 of an Internet peer.
Then the Internet peer replies by sending a packet to the related port 9881 and the firewall makes a dnat translation.


Port trigger is set up in 3 iptables commands:
#iptables -t nat -A prerouting_wan -p tcp --dport 9881:9889 -j TRIGGER --trigger-type dnat
#iptables -A forwarding_wan -p tcp --dport 9881:9889 -j TRIGGER --trigger-type in
#iptables -t nat -A prerouting_rule -i br0 -p tcp --dport 6889 -j TRIGGER --trigger-type out --trigger-proto all --trigger-match 6881-6889 --trigger-relate 9881-9889



The last command inserts the rule into the nat table, and the trigger implementation code gives an error if the mangle table is used instead.

The question is why?

The code which handles this specific line just creates the trigger structure, and it does not use any of the nat functions.

The code is here:
http://svn.dd-wrt.com/browser//src/linux/xscale/linux-2.6.24/net/ipv4/netfilter/ipt_TRIGGER.c


I think it is perfectly safe to use the mangle table instead; otherwise, is there something I do not understand?

Regards,
Lev



---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.



* Re: Why Port trigger of DD-WRT requires nat table storing trigger ?
From: Jan Engelhardt @ 2011-07-27 13:10 UTC
  To: Olshvang, LevX; +Cc: netfilter

On Wednesday 2011-07-27 09:44, Olshvang, LevX wrote:

>Hi all, 
>
>I am porting the DD-WRT port trigger implementation taken from the DDWRT 
>project. The logic of port trigger says: wait for somebody from the LAN 
>(br0 interface) to send a tcp packet to port 6889 of an Internet peer. Then 
>the Internet peer replies by sending a packet to the related port 9881 and 
>the firewall makes a dnat translation.

DDWRT's xtables stack has been left behind 3 years ago and then 
agglomerated with weird extra components with questionable uses, 
including, but not limited to, ipt_TRIGGER, which is not even 
documented to begin with, so chances for any explanations are quite 
dim.

>The last command inserts the rule into the nat table, and the trigger 
>implementation code gives an error if the mangle table is used instead. 
>The question is why?


* What is the added value of tables comparing to chains ?
From: Olshvang, LevX @ 2011-07-28  8:14 UTC
  To: netfilter


Hi all, 

I am rather new to netfilter, but over a couple of months I have gained some experience writing both netfilter and iptables extensions.
There is a very conceivable, reasonable link between the hooks in the TCP/IP stack and chains.

But I should confess I do not understand what the tables were invented for. Is there any code in the match or target function code paths that takes data from table structures?




For example, I asked in my previous post (see quoted below) why some target which just creates a structure for internal use must be associated with the nat table. Why not the mangle table?

I understand that the list may have already discussed the issue; I would be glad for references.

 


>POST: Why Port trigger of DD-WRT requires nat table to store trigger ?
>The last command inserts the rule into the nat table, and the trigger 
>implementation code gives an error if the mangle table is used instead. 
>The question is why?

* RE: Why Port trigger of DD-WRT requires nat table storing trigger ?
From: Olshvang, LevX @ 2011-07-28 16:22 UTC
  To: netfilter

Thanks Jan,

I am not looking for DDWRT experts; I am just applying to the community wisdom to advise me on a question:

What is the implication of using the mangle table versus the nat table if no nat action (snat, dnat, masquerade) is requested?


Why is the nat table required to execute DNAT or SNAT?


And finally I had a very generic question (and please excuse me): why do we group chains in tables, and could we make netfilter without tables?

To discuss (or clarify my misunderstanding of) the last question, I have posted a separate topic to the list.

Thx,
Lev



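The two questions the thread circles around (what the "trigger out" rule does with the outbound packet on port 6889, and what changes if a non-NAT target sits in mangle rather than nat) come down to one property of netfilter: the nat table is consulted only for the first packet of a connection, the one conntrack classifies as NEW, and its decision is then stored in the conntrack entry and applied to every later packet of that connection without re-evaluating the nat rules; the mangle table is traversed by every packet. The toy model below is an added example written for this thread; it is not DD-WRT's ipt_TRIGGER code and not kernel code, and the addresses, ports, class and function names are constructed. It places a state-recording rule in either table and counts how often it fires across one connection, then shows an inbound connection on a related port being DNATed only after the trigger has been armed.

```python
"""Toy model of netfilter PREROUTING traversal for the mangle and nat tables.

Added illustration for this thread (not DD-WRT or kernel code).  It models one
property of netfilter: nat rules run only for the first packet of a connection
(conntrack state NEW) and the result is stored per connection; mangle rules run
for every packet.  All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import Optional

LAN_IF, WAN_IF = "br0", "eth0"
WAN_IP = "203.0.113.1"            # constructed router WAN address
TRIGGER_PORT = 6889               # outbound port that arms the trigger
RELATED = range(9881, 9890)       # inbound ports forwarded once armed (9881-9889)


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Conn:
    dnat_to: Optional[str] = None  # destination chosen for this connection, if any


class ToyFirewall:
    """trigger_table selects where the state-recording 'out' rule lives."""

    def __init__(self, trigger_table: str = "nat"):
        assert trigger_table in ("nat", "mangle")
        self.trigger_table = trigger_table
        self.conntrack: dict = {}          # connection key -> Conn
        self.triggers: dict = {}           # LAN host -> armed inbound port range
        self.trigger_rule_hits = 0         # how often the 'out' rule fired
        self.dnat_rule_hits = 0            # how often the 'dnat' rule rewrote a packet

    @staticmethod
    def key(p: Packet) -> frozenset:
        # direction-independent tuple, so replies hit the same entry
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def trigger_out_rule(self, p: Packet) -> None:
        # models: -i br0 -p tcp --dport 6889 -j TRIGGER --trigger-type out
        if p.iface == LAN_IF and p.dport == TRIGGER_PORT:
            self.trigger_rule_hits += 1
            self.triggers[p.src] = RELATED

    def trigger_dnat_rule(self, p: Packet) -> Packet:
        # models: prerouting_wan -p tcp --dport 9881:9889 -j TRIGGER --trigger-type dnat
        if p.iface == WAN_IF and p.dst == WAN_IP and p.dport in RELATED:
            for lan_host, ports in self.triggers.items():
                if p.dport in ports:
                    self.dnat_rule_hits += 1
                    return replace(p, dst=lan_host)
        return p                           # not armed: packet left untouched

    def prerouting(self, p: Packet) -> Packet:
        conn = self.conntrack.get(self.key(p))
        # mangle PREROUTING is traversed by every packet
        if self.trigger_table == "mangle":
            self.trigger_out_rule(p)
        if conn is not None:
            # ESTABLISHED: nat table skipped, stored mapping applied
            return replace(p, dst=conn.dnat_to) if conn.dnat_to else p
        # NEW: nat PREROUTING runs exactly once for this connection
        if self.trigger_table == "nat":
            self.trigger_out_rule(p)
        out = self.trigger_dnat_rule(p)
        conn = Conn(dnat_to=out.dst if out.dst != p.dst else None)
        self.conntrack[self.key(p)] = conn
        self.conntrack[self.key(out)] = conn   # post-translation tuple for replies
        return out


def run_scenario(trigger_table: str) -> dict:
    """Three packets of one outbound connection, then inbound traffic on a related port."""
    fw = ToyFirewall(trigger_table)
    lan_host, peer = "192.168.1.10", "198.51.100.7"   # constructed hosts
    # inbound probe before anything armed the trigger: must not be forwarded
    probe = fw.prerouting(Packet(WAN_IF, peer, 49999, WAN_IP, 9881))
    outbound = Packet(LAN_IF, lan_host, 40000, peer, TRIGGER_PORT)
    for _ in range(3):
        fw.prerouting(outbound)
    inbound = Packet(WAN_IF, peer, 50000, WAN_IP, 9881)
    first, second = fw.prerouting(inbound), fw.prerouting(inbound)
    return {
        "trigger_rule_hits": fw.trigger_rule_hits,
        "dnat_rule_hits": fw.dnat_rule_hits,
        "probe_dst": probe.dst,
        "inbound_dst": (first.dst, second.dst),
    }


if __name__ == "__main__":
    for table in ("nat", "mangle"):
        print(table, run_scenario(table))
```

With the rule in nat the 'out' rule fires once for the three-packet connection; in mangle it fires three times, which is the practical difference Lev asks about for a target that only records state. The inbound rewrite happens once, on the NEW packet, and the second inbound packet is redirected from the stored conntrack entry without the nat rules being consulted again, which is why DNAT has to be decided in the nat table. The probe sent before the trigger was armed keeps the router's WAN address as its destination.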
