nf_conntrack & NAT
Patrick Schaaf
bof at bof.de
Wed Dec 7 08:00:39 CET 2005
> > Stateless? And what if you want the response (of the packets which have
> > been redirected) to come back with their initial address, as if they
> > had not been redirected? (if the client shouldn't know that, if this
> > should be transparent to him)
>
> then you need a static snat target that does this for all reply packets.

How do you expect to match those reply targets?

Be aware that REDIRECT does not mean REDIRECT-always-for-the-same
source-and-destination-pair. Such thinking would be too restrictive.

For example, I use ipset bitmaps to determine, at conntrack-NEW-time,
whether some connection should be REDIRECTed, or not. This decision,
once made, should stay stable for the same connection, even if the
ipset bitmap is modified wrt another new connection between the
same partners.

So I at least need conntracking, and some way to _mark_ connections,
if the connection does not store a NAT decision itself. Or my usage
won't be supported for IPv6. (not a problem at the moment, but who
knows)

> stateful IPv6 NAT only over my dead body. Do you know that NAT is the
> single most destructive way that ever happened to today's internet? That
> it is the number one reason why VoIP doesn't really take off as much as
> it could? The number one reason for various non-deterministic breakage
> all over the place?

All known. All completely nonapplicable for REDIRECT.

best regards
Patrick
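The pattern Patrick describes (consult an ipset only when conntrack sees a NEW connection, then pin the decision to the connection with a connmark so later packets of that flow never re-evaluate the set) can be written as a small iptables ruleset. The script below is an added illustration, not code from the mail or from the netfilter project; it assumes a bitmap ipset named redir_clients covering 10.0.0.0/24, connmark bit 0x1 reserved for this decision, and a local proxy on port 3128. By default it only prints the rules; with --apply it runs them (root and the ipset/iptables binaries required).

```shell
#!/bin/sh
# Added example: a REDIRECT decision taken once, at conntrack NEW time, from an
# ipset, and stored in the connmark so it stays stable for the life of the
# connection even if the ipset is changed afterwards.
# All names below are assumptions for this example, not from the original mail.

SET_NAME="${SET_NAME:-redir_clients}"   # assumed ipset name
SET_RANGE="${SET_RANGE:-10.0.0.0/24}"   # assumed address range of the bitmap
MARK_BIT="0x1/0x1"                       # assumed connmark bit for "redirect me"
REDIR_PORT="${REDIR_PORT:-3128}"         # assumed local port of the transparent proxy

# Emit the rules, one command per line, without touching the kernel.
redirect_rules() {
    cat <<EOF
ipset create $SET_NAME bitmap:ip range $SET_RANGE -exist
iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -p tcp --dport 80 -m set --match-set $SET_NAME src -j CONNMARK --set-xmark $MARK_BIT
iptables -t nat -A PREROUTING -p tcp --dport 80 -m connmark --mark $MARK_BIT -j REDIRECT --to-ports $REDIR_PORT
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --nfmask 0x1 --ctmask 0x1
EOF
}
# Why this is stable per connection:
#  - the mangle rule matches the ipset only for the NEW packet; it writes the
#    result into the conntrack entry (connmark), not just into this packet;
#  - the nat rule keys on the connmark, and nat is consulted only for the first
#    packet of a connection anyway, so the REDIRECT mapping lives in conntrack;
#  - --restore-mark copies bit 0x1 onto every later packet of the flow, so
#    filter or routing rules can act on the original decision without ever
#    re-reading the (possibly changed) ipset.
# A rule such as "-m set --match-set $SET_NAME src" placed on every packet in
# filter would instead flip mid-connection whenever the set is edited.

# Count of commands the ruleset consists of (handy for sanity checks).
rule_count() {
    redirect_rules | grep -c -E '^(ipset|iptables) '
}

# Apply the rules by running each emitted line.
apply_rules() {
    redirect_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    redirect_rules
fi
```

The ipset is used as the policy input and the conntrack entry as the per-connection memory; editing the set after a connection exists affects only connections that are NEW from then on, which is exactly the property the mail asks for.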