Decision: multiple NAT?

Paul Rusty Russell Paul.Russell@rustcorp.com.au
Fri, 01 Oct 1999 17:57:12 +0930


Hi all,

	Looks like I'm going to revert a design decision in the NAT
code which I made about 3 months ago.  The current NAT code has one
table of rules: when a new connection is formed, this table is
consulted, and the connection mapped according to the rule (if any)
found.

	This means that you can only do EITHER a destination mapping,
OR a source mapping; I couldn't think of a good case where you'd want
to do both...

	Well, it turns out that there is at least one good case: the
port-forwarding case, where you map an external destination (X)
address into an internal one (Y).  When another machine on your
internal network, Z, tries to connect to X, the packet is
destination mangled to Y, but Y is on the same network and tries to
reply directly to Z, who's expecting a packet from X, not Y...

	The solution is to keep two separate tables: source and
destination mappings.  This has two other benefits:

1) Cleans up the ugly code where we decided to do source mangling
   on a connection, then had to undo that decision because it turns
   out that the packets are destined for this box itself.

2) We can reintroduce matching on outgoing interface for source
   mangling (`ipnatctl -o ppp0 -b source -m masquerade').

On the downside, there will be two table lookups for initial
connections.

Rusty.
--
Hacking time.
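The hairpin failure described in the mail, as an added model that is not netfilter code: a toy gateway with either one rule table (pick DNAT or SNAT) or two (DNAT, then SNAT), with constructed addresses for X, Y, Z and the gateway's LAN side.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the scenario in the mail (assumptions, not from netfilter).
LAN = ip_network("192.168.1.0/24")
X = "203.0.113.10"   # gateway's external address; port-forward rule maps X -> Y
Y = "192.168.1.10"   # internal server behind the gateway
Z = "192.168.1.20"   # another internal host, same subnet as Y
GW = "192.168.1.1"   # gateway's LAN-side address, used as the SNAT source

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str

def in_lan(addr: str) -> bool:
    return ip_address(addr) in LAN

class Gateway:
    """NAT box with either one rule table (DNAT or SNAT) or two (DNAT then SNAT)."""
    def __init__(self, two_tables: bool):
        self.two_tables = two_tables
        self.conns = {}  # reply tuple as seen on the wire -> reply tuple after un-mangling

    def new_connection(self, pkt: Pkt) -> Pkt:
        mangled = pkt
        if pkt.dst == X:                      # destination table: port-forward X -> Y
            mangled = Pkt(pkt.src, Y)
            if self.two_tables and in_lan(pkt.src):
                mangled = Pkt(GW, Y)          # source table: hairpin traffic now appears to come from GW
        self.conns[(mangled.dst, mangled.src)] = (pkt.dst, pkt.src)
        return mangled

    def reply(self, pkt: Pkt) -> Pkt:
        return Pkt(*self.conns[(pkt.src, pkt.dst)])   # reverse whatever mappings were applied

def reply_source_seen_by_z(two_tables: bool) -> str:
    """Z connects to X; return the source address on the reply Z receives."""
    gw = Gateway(two_tables)
    wire = gw.new_connection(Pkt(Z, X))
    reply = Pkt(Y, wire.src)                  # Y answers whatever source it saw
    if in_lan(reply.dst) and reply.dst != GW:
        return reply.src                      # same subnet: Y delivers directly, gateway never sees it
    return gw.reply(reply).src                # reply passes the gateway, which restores X

if __name__ == "__main__":
    print("one table :", reply_source_seen_by_z(False), "(Z expected", X + ")")
    print("two tables:", reply_source_seen_by_z(True))
```

With one table Z gets a reply from Y and drops it as unrelated; with the second lookup the reply is forced back through the gateway and arrives from X.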