[tproxy] Fwd: Tproxy changes for performing dual NAT

Balazs Scheidler bazsi at balabit.hu
Tue Nov 20 12:23:25 CET 2007


On Tue, 2007-11-20 at 12:17 +0100, KOVACS Krisztian wrote:
> Hi,
> 
> On k, nov 20, 2007 at 11:33:53 +0100, Balazs Scheidler wrote:
> > > On Mon, Nov 19, 2007 at 07:04:14PM +0530, Arun S wrote:
> > > > Any updates on the SNAT issue with tproxy4 related to sockets?
> > > 
> > > I'm just working on that issue. I hope I'll be able to finish it this
> > > evening, or maybe tomorrow.
> > > 
> > 
> > And what is your solution? I was thinking about something like a
> > "natsocket" match, but that looks ugly.
> 
> I've discussed this with Patrick and we have basically two options:
> 
> * to use the original source address for SNAT-ted connections (I don't
>   think we'd need a separate match: I guess using the SNAT-ted address in
>   the socket match is absolutely useless);

Yeah, but in that way the "socket" match would pull in the dependency on
the NAT module unconditonally.

> 
> * to re-introduce the tproxy table and do the socket matching and marking
>   in tproxy.
> 
> The first option seems pretty ugly and could work for SNAT but does not
> solve the problem with DNAT: we have the same incompatibility with
> nat/PREROUTING DNAT rules at the moment.
> 
> The second one is a step backwards and would break our 'user interface'
> _again_ (sigh), but I tend to think that it is the only correct solution...
> 

I see. 

-- 
Bazsi



More information about the tproxy mailing list