[PATCH] iptables gateway match
Amin Azez
azez at ufomechanic.net
Fri Jun 1 18:47:07 CEST 2007
This adds a gateway match to iptables that lets you match against the
routed IPv4 gateway. It is very useful for SNAT if you want to avoid
replicating your routing in your SNAT table.
e.g.
iptables -t nat -A POSTROUTING -m gateway --nexthop 172.16.1.1 -j SNAT --to-address 172.16.1.5
iptables -t nat -A POSTROUTING -m gateway --nexthop 192.168.1.1 -j SNAT --to-address 192.168.1.25
to help you choose the right SNAT address.
It works by comparing the to-be-matched gateway IP with the key in the
neighbor table of the next-hop (the key is the layer 3 address).
--gateway 1.2.3.4
only matches if the packet is destined to 1.2.3.4 as a ROUTE, i.e.
1.2.3.4 is not also the target address.
--nexthop 1.2.3.4
matches if the next hop is specified as 1.2.3.4 either as a gateway or
as a final destination.
It can't do magic and match on non-routed aliases of routers; it only
matches the targeted IP address from which the layer 2 address has been
(or will be) actually derived.
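To make the two match modes concrete, here is a small Python model of the semantics described above (an added illustration, not the patch's kernel code). It assumes a constructed routing table with two on-link networks and two gateways, performs a longest-prefix route lookup, derives the neighbour-table key (the gateway for routed destinations, the destination itself when on-link), and then applies --nexthop and --gateway exactly as the e-mail defines them. choose_snat walks the two example POSTROUTING rules and returns the SNAT address the first matching rule would select; all route entries and SNAT pairs are hypothetical sample data.

```python
import ipaddress

# Constructed routing table (hypothetical): (destination prefix, gateway or None
# if directly connected, interface). Mirrors the e-mail's two-gateway SNAT setup.
ROUTES = [
    ("172.16.1.0/24", None, "eth0"),
    ("192.168.1.0/24", None, "eth1"),
    ("10.0.0.0/8", "172.16.1.1", "eth0"),
    ("0.0.0.0/0", "192.168.1.1", "eth1"),
]

# The two example rules from the e-mail: (--nexthop value, SNAT --to-address).
SNAT_RULES = [
    ("172.16.1.1", "172.16.1.5"),
    ("192.168.1.1", "192.168.1.25"),
]


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (gateway_or_None, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def neighbour_key(dst):
    """Layer-3 address whose layer-2 address the frame will actually carry:
    the gateway for routed destinations, the destination itself when on-link."""
    route = lookup_route(dst)
    if route is None:
        return None
    gw, _iface = route
    return gw if gw is not None else dst


def match_nexthop(dst, addr):
    """--nexthop addr: true whether addr is the gateway or the final destination."""
    return neighbour_key(dst) == addr


def match_gateway(dst, addr):
    """--gateway addr: true only when addr is used as a ROUTE, i.e. the packet
    is not itself addressed to addr."""
    return neighbour_key(dst) == addr and dst != addr


def choose_snat(dst):
    """Return the SNAT source the first matching POSTROUTING rule would pick,
    or None when no --nexthop rule matches (e.g. an on-link host)."""
    for nexthop, snat_src in SNAT_RULES:
        if match_nexthop(dst, nexthop):
            return snat_src
    return None


if __name__ == "__main__":
    for dst in ("10.1.2.3", "8.8.8.8", "172.16.1.1", "172.16.1.7"):
        print(dst, "-> next hop", neighbour_key(dst), "SNAT", choose_snat(dst))
```

Note the asymmetry the e-mail calls out: a packet addressed to the gateway itself (172.16.1.1) still satisfies --nexthop, so it is SNATed to 172.16.1.5, but --gateway rejects it because 172.16.1.1 is then the target, not a route. A packet to another on-link host (172.16.1.7) has its own address as the neighbour key and matches neither rule.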
The .gateway-test doesn't work for me because I don't build into my
kernel source dir, but I tried to do it right for a public release.
Signed-off-by: Sam Liddicott <azez at ufomechanic.net>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gateway.patch
Type: text/x-patch
Size: 4524 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20070601/2f1612d8/gateway.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gateway-kernel.patch
Type: text/x-patch
Size: 4068 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20070601/2f1612d8/gateway-kernel.bin