[tproxy] Fwd: Tproxy changes for performing dual NAT
KOVACS Krisztian
hidden at sch.bme.hu
Tue Nov 20 14:26:08 CET 2007
Hi,
On Tue, Nov 20, 2007 at 12:23:25 +0100, Balazs Scheidler wrote:
> > > > I'm just working on that issue. I hope I'll be able to finish it this
> > > > evening, or maybe tomorrow.
> > > >
> > >
> > > And what is your solution? I was thinking about something like a
> > > "natsocket" match, but that looks ugly.
> >
> > I've discussed this with Patrick and we have basically two options:
> >
> > * to use the original source address for SNAT-ted connections (I don't
> > think we'd need a separate match: I guess using the SNAT-ted address in
> > the socket match is absolutely useless);
>
> Yeah, but in that way the "socket" match would pull in the dependency on
> the NAT module unconditionally.

Not necessarily: that part could be enclosed by #ifdef CONFIG_NF_NAT
guards.

> > * to re-introduce the tproxy table and do the socket matching and marking
> > in tproxy.
> >
> > The first option seems pretty ugly and could work for SNAT but does not
> > solve the problem with DNAT: we have the same incompatibility with
> > nat/PREROUTING DNAT rules at the moment.
> >
> > The second one is a step backwards and would break our 'user interface'
> > _again_ (sigh), but I tend to think that it is the only correct solution...
> >
>
> I see.

Erm, more feedback would be really reassuring... ;)

--
KOVACS Krisztian