lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 2 Jul 2010 12:14:06 +0200 (CEST)
From:	Jan Engelhardt <jengelh@...ozas.de>
To:	kaber@...sh.net
cc:	davem@...emloft.net, netfilter-devel@...r.kernel.org,
	netdev@...r.kernel.org
Subject: Re: [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules
 in LOCAL_IN


On Friday 2010-07-02 11:52, kaber@...sh.net wrote:
>
>2.6.34 introduced 'conntrack zones' to deal with cases where packets
>from multiple identical networks are handled by conntrack/NAT. Packets
>are looped through veth devices, during which they are NATed to private
>addresses, after which they can continue normally through the stack
>and possibly have NAT rules applied a second time.
>
>This works well, but is needlessly complicated for cases where only
>a single SNAT/DNAT mapping needs to be applied to these packets.

I still have not grasped why SNAT is needed in the INPUT path. For the
tunnel scenario that you wanted to build I could not find a reason to
do SNAT in that place - since the non-encapsulated packets don't go
through INPUT anyway.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists