[tproxy] Fwd: Tproxy changes for performing dual NAT
KOVACS Krisztian
hidden at sch.bme.hu
Tue Nov 20 12:17:37 CET 2007
Hi,
On Tue, Nov 20, 2007 at 11:33:53 +0100, Balazs Scheidler wrote:
> > On Mon, Nov 19, 2007 at 07:04:14PM +0530, Arun S wrote:
> > > Any updates on the SNAT issue with tproxy4 related to sockets?
> >
> > I'm just working on that issue. I hope I'll be able to finish it this
> > evening, or maybe tomorrow.
> >
>
> And what is your solution? I was thinking about something like a
> "natsocket" match, but that looks ugly.

I've discussed this with Patrick and we have basically two options:

* to use the original source address for SNAT-ted connections (I don't
  think we'd need a separate match: I guess using the SNAT-ted address in
  the socket match is absolutely useless);
* to re-introduce the tproxy table and do the socket matching and marking
  in tproxy.

The first option seems pretty ugly and could work for SNAT but does not
solve the problem with DNAT: we have the same incompatibility with
nat/PREROUTING DNAT rules at the moment.

The second one is a step backwards and would break our 'user interface'
_again_ (sigh), but I tend to think that it is the only correct solution...

--
KOVACS Krisztian