Hi Alexey,
I recently came across a rather strange thing using
source NAT with ip rule : if the packets to be
translated are matched ONLY by <fwmark>, and no
<from prefix> is specified, the resulting address will
be the original one ORed with the new desired one.
This
is because the <srcmask> field is NULL, and the
<srcmap> simply reflects the <to prefix>. Thus, it
prevents NAT from being done from fwmark alone, which
is correct from what "ip rule help" states.
Since having an srcmask of 0 is obviously non-sense,
I've slightly patched the code to make it use exactly
the <to prefix> as new source addr in case of a zero
mask. The one-liner patch is attached here.
I know several people who use it as-is on their
firewalls because they didn't find any other way to do
so, and I think this should and could be applied to
2.2.18 with no risk at all.
Regards,
Willy
___________________________________________________________
Do You Yahoo!?
Achetez, vendez! À votre prix! Sur http://encheres.yahoo.fr
12p-wrong-snat.bz2
