Open Source and information security mailing list archives
 
Date:	Fri, 02 Jul 2010 12:17:55 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	Jan Engelhardt <jengelh@...ozas.de>
CC:	davem@...emloft.net, netfilter-devel@...r.kernel.org,
	netdev@...r.kernel.org
Subject: Re: [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN

Jan Engelhardt wrote:
> On Friday 2010-07-02 11:52, kaber@...sh.net wrote:
>
>> 2.6.34 introduced 'conntrack zones' to deal with cases where packets
>> from multiple identical networks are handled by conntrack/NAT. Packets
>> are looped through veth devices, during which they are NATed to private
>> addresses, after which they can continue normally through the stack
>> and possibly have NAT rules applied a second time.
>>
>> This works well, but is needlessly complicated for cases where only
>> a single SNAT/DNAT mapping needs to be applied to these packets.
>
> I still have not grasped why SNAT is needed in the INPUT path. For the
> tunnel scenario that you wanted to build I could not find a reason to
> do SNAT in that place - since the non-encapsulated packets don't go
> through INPUT anyway.

Sure they do, if they are destined for the host itself. I'm not sure
what's so hard to understand about this patch, you have f.i. multiple
tunnels using the same remote network, on INPUT and POSTROUTING you SNAT
them to separate networks based on criteria like the network device or
the IPsec tunnel to be able to distinguish them.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
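The scenario in the reply above, written out as an added example (not code from the patch series or from either poster): two tunnel devices whose peers both use the same remote network, with a conntrack zone per tunnel to keep the overlapping flows apart, and an SNAT rule per tunnel in the nat INPUT chain (packets for the host itself) and in POSTROUTING (forwarded packets). The device names tun0/tun1, the overlapping network 10.0.0.0/24 and the mapped addresses 192.0.2.x are placeholders, and the nat INPUT rules assume a kernel that has the LOCAL_IN NAT hook this patch adds. The function only emits the iptables commands, so it can be inspected anywhere; pipe its output to sh as root to apply them.

```shell
#!/bin/sh
# Added example, not part of the patch: print iptables rules that give each
# tunnel carrying the SAME remote network its own conntrack zone and its own
# SNAT mapping, in nat INPUT (traffic for this host) and nat POSTROUTING
# (forwarded traffic). Interface names and addresses are placeholders.
#
# usage: gen_snat_rules <overlapping-net> <dev>:<mapped-src-addr> ...
gen_snat_rules() {
    overlap=$1
    shift
    zone=1
    for pair in "$@"; do
        dev=${pair%%:*}
        addr=${pair#*:}
        # One conntrack zone per tunnel, so identical 5-tuples arriving on
        # different tunnels get separate conntrack entries instead of colliding.
        echo "iptables -t raw -A PREROUTING -i $dev -j CT --zone $zone"
        # -i is not available in POSTROUTING; a mark set on ingress carries the
        # "which tunnel" decision through to the egress side.
        echo "iptables -t mangle -A PREROUTING -i $dev -j MARK --set-mark $zone"
        # Packets destined to the host itself: SNAT in the nat INPUT chain,
        # selected directly by ingress device.
        echo "iptables -t nat -A INPUT -i $dev -s $overlap -j SNAT --to-source $addr"
        # Forwarded packets: SNAT in POSTROUTING, selected by the mark.
        echo "iptables -t nat -A POSTROUTING -m mark --mark $zone -s $overlap -j SNAT --to-source $addr"
        zone=$((zone + 1))
    done
}

# Two tunnels whose peers both present 10.0.0.0/24 (placeholder addresses).
gen_snat_rules 10.0.0.0/24 tun0:192.0.2.1 tun1:192.0.2.2
```

Each tunnel is mapped to a single source address here; a whole-network 1:1 mapping would be a job for NETMAP rather than SNAT, which is outside what this patch changes. Matching on the IPsec policy instead of the device (the other criterion the reply mentions) would replace the `-i $dev` selections with `-m policy --dir in --pol ipsec` plus the tunnel's endpoint addresses.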
