snat bridge routes reply packets
azez at ufomechanic.net
Fri Sep 30 11:28:02 CEST 2005
Henrik Nordstrom wrote:
> Quite likely the problem Amin Azez is trying to address can be solved
> more cleanly by proxy-ARP + CONNMARK based policy routing than by bridge
> firewalling, but without knowing/understanding the exact layout of his
> network mess it's hard to say what it best.
Good points; the only reason the network-mess gets to bridge to the
router is that the bridge is arp-faking with ebtables to give out the
router mac address as if it were whatever the network-mess was arping
for. No doubt connmark routing would work too, I hadn't considered this;
but marks are already well used for other things.
> But I know from experience
> that bridge firewalling with NAT is very rarely the best approach in the
> long run, only perhaps the quickest if you are in a pinch with very
> limited time or prevented of doing it right.
Where the network mess cna be known in advance, I would agree, but in a
case where it "just needs to work" extending snat to bridging makes sense.
Anyway, I am proceeding with this, and appreciate the feedback. I shall
extend the snat iptables target to allow this as an optional extension.
More information about the netfilter-devel