* priority of MANGLE and NAT tables
From: Peter Kundrat @ 2002-07-10  8:00 UTC (permalink / raw)
  To: netfilter-devel

Hello,

Basically I have the following problem: shaping together with SNAT works
only in one direction (incoming) .. but I am writing here since I
believe it is an implementation problem .. not a configuration one (but I
might have overlooked something).

If I shape using u32 .. the packet gets classified with real addresses,
which is too late for outgoing traffic (since the source address is
already rewritten).

So the only chance is using fwmark and classifying on that. Fine .. but
the problem remains, since there is no hook for the mangle table where
the src addr/port (and dst parts in reply packets) would correspond
to the internal (translated) addr/ports: in PREROUTING .. mangle is before nat (so
before rewriting dst addr/port), and there is no mangle hook in POSTROUTING
(which would help, since it would be before SNAT).

So my questions are (since any of those would save me):
- what is the reason there is no hook for the mangle table in POSTROUTING?
- is there any reason why NAT is after MANGLE (i.e. has higher numerical
  priority)?

I can live with my local change reverting the order for MANGLE/SNAT or
adding a MANGLE hook to POSTROUTING .. but I would still be interested
in your opinion and why it was done this way.

Thanks for any info. Regards,

	peter

PS: please CC me, since I am not subscribed


-- 
Peter Kundrat
peter@kundrat.sk


* Re: priority of MANGLE and NAT tables
From: Harald Welte @ 2002-07-10  9:16 UTC (permalink / raw)
  To: Peter Kundrat; +Cc: netfilter-devel

On Wed, Jul 10, 2002 at 10:00:36AM +0200, Peter Kundrat wrote:

> before rewriting dst addr/port), and there is no mangle hook in POSTROUTING
> (which would help, since it would be before SNAT).

Yes, there is. You must be using a relatively old kernel version. Think
this changed around 2.4.14

> 	peter

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/

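The configuration Harald's answer makes possible, as an added example that is not part of the thread: mark per internal host in mangle POSTROUTING (which netfilter runs before nat POSTROUTING, so the rule still sees the pre-SNAT source) and let tc classify on the mark instead of on the rewritten address. The interface name, addresses, mark values and rates are constructed; the script only echoes the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: mark outgoing packets in mangle
# POSTROUTING, which netfilter runs before nat POSTROUTING
# (NF_IP_PRI_MANGLE = -150 < NF_IP_PRI_NAT_SRC = 100), so the rule still
# sees the internal source address; tc then classifies on the mark.
# Interface, addresses, marks and rates are constructed values.
set -eu

WAN=${WAN:-eth0}                    # egress interface where SNAT is applied
LAN_NET=${LAN_NET:-192.168.1.0/24}  # internal network behind SNAT
HOST_A=${HOST_A:-192.168.1.10}      # internal host that gets its own class
PUBLIC_IP=${PUBLIC_IP:-203.0.113.5} # address SNAT rewrites the source to

# Echo each command; execute it only when APPLY=1 (needs root and iproute2).
run() {
    echo "$*"
    [ "${APPLY:-0}" = 1 ] && "$@"
    return 0
}

shaping_rules() {
    # 1. mangle POSTROUTING: the source is still 192.168.1.x at this hook,
    #    so per-host marking works. A tc u32 filter on "match ip src" on
    #    $WAN would never match, because tc sees the SNATed source.
    run iptables -t mangle -A POSTROUTING -o "$WAN" -s "$HOST_A" \
        -j MARK --set-mark 10
    run iptables -t mangle -A POSTROUTING -o "$WAN" -s "$LAN_NET" \
        -m mark --mark 0 -j MARK --set-mark 20
    # 2. nat POSTROUTING runs later (priority 100) and rewrites the source.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" \
        -j SNAT --to-source "$PUBLIC_IP"
    # 3. HTB on the egress device; the fw classifier selects the class by
    #    skb mark, so the rewritten address is irrelevant.
    run tc qdisc add dev "$WAN" root handle 1: htb default 20
    run tc class add dev "$WAN" parent 1: classid 1:1 htb rate 10mbit
    run tc class add dev "$WAN" parent 1:1 classid 1:10 htb rate 6mbit ceil 10mbit
    run tc class add dev "$WAN" parent 1:1 classid 1:20 htb rate 4mbit ceil 10mbit
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle 10 fw classid 1:10
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle 20 fw classid 1:20
}

shaping_rules
```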

* Re: priority of MANGLE and NAT tables
From: Henrik Nordstrom @ 2002-07-10 10:06 UTC (permalink / raw)
  To: Peter Kundrat; +Cc: netfilter-devel

On Wednesday 10 July 2002 11.16, Harald Welte wrote:
> On Wed, Jul 10, 2002 at 10:00:36AM +0200, Peter Kundrat wrote:
> > before rewriting dst addr/port), and there is no mangle hook in
> > POSTROUTING (which would help, since it would be before SNAT).
>
> Yes, there is. You must be using a relatively old kernel version.
> Think this changed around 2.4.14

In patch-o-matic we also have the interesting match "conntrack" that 
solves many relevant issues..

