| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 02 Jul 2010 14:35:53 +0200 From: Patrick McHardy <kaber@...sh.net> To: Jan Engelhardt <jengelh@...ozas.de> CC: davem@...emloft.net, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN Jan Engelhardt wrote: > On Friday 2010-07-02 12:17, Patrick McHardy wrote: > >>> I still have not grasped why SNAT is needed in the INPUT path. For the >>> tunnel scenario that you wanted to build I could not find a reason to >>> do SNAT in that place - since the non-encapsulated packets don't go >>> through INPUT anyway. >>> >> Sure they do, if they are destined for the host itself. I'm not sure >> what's so hard to understand about this patch, you have f.i. multiple >> tunnels using the same remote network, on INPUT and POSTROUTING you SNAT >> them to seperate networks based on criteria like the network device or >> the IPsec tunnel to be able to distinguish them. >> > > But they are already distinguishable by the ctmark that is applied > to these connections to do routing of the reply, are they not? > Its not (only) about routing, you simply can't have two connections using the same identity. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists