| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrWRv5S_X=MQRGwO-NR+XrQc2o-EnooHFN0V41xqJEY8sA@mail.gmail.com> Date: Fri, 26 Jun 2015 12:51:03 -0700 From: Andy Lutomirski <luto@...capital.net> To: Network Development <netdev@...r.kernel.org> Subject: Why can't we SNAT (or inverse DNAT) in PREROUTING? It's quite clear to me why NAT rules that rewrite the destination address have to happen before routing -- the kernel needs to do that to route the packets to their destination. It's much less clear to me why the kernel insists on rewriting source addresses after routing. Certainly it makes rp_filter work better, but it makes policy routing very messy when NAT is in play. I have a system with two internet connections, and I use policy routing* to choose which outgoing connection to use based on source address. This is completely broken when the source address is rewritten by NAT *after* routing. Could we add some option to do SNAT and inverse DNAT before routing? * Grr, IPV6_SUBTREES is so much nicer than policy routing, but even IPV4_SUBTREES wouldn't help here. --Andy -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists