Andy Lutomirski <l...@amacapital.net> : > [re-add netdev -- I assume you meant to reply all]
Thanks. Late friday. > On Fri, Jun 26, 2015 at 1:32 PM, Francois Romieu <rom...@fr.zoreil.com> wrote: > > Andy Lutomirski <l...@amacapital.net> : > > [...] > >> Could we add some option to do SNAT and inverse DNAT before routing? > > > > I haven't used it for ages but what's wrong with iptables + fwmark ? > > > > It takes place in PREROUTING. > > This works, but it seems unnecessarily painful. It means that all of > my policy rules have to be duplicated with fwmark rules based on '-m > conntrack' or similar. I'd rather say that the fwmark rules will duplicate the SNAT rules since your routing policy depends on the post SNAT source addresses. You'd be right to complain it does not really help :o) > Shouldn't the order of operations be: > > 1. Check rp_filter. > > 2. Handle NAT. > > 3. Routing decision. > > ? The admittedly painful fwmark part would still be needed for pre-NAT source address based policy routing (assuming SNAT loses valuable policy information). Life would be easier for your current requirements but some different policy requirements would be unable to avoid the fwmark/mangle style stuff. Btw, the suggested scheme implies that filtering between SNAT and DNAT would be done before routing, thus without INPUT vs FORWARD tainting. It may be done but it would be a different beast and I can't help thinking that routing and filtering would overlap. -- Ueimor -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
