Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
hidden at balabit.hu
Fri Mar 11 13:48:16 CET 2005
On 2005-03-11, Friday, at 06:18, Patrick McHardy wrote:
> >> It simply does not route packets with loopback addresses out via non
> >> loopback interfaces, and SNAT occurs at POSTROUTING...
> >> Not sure what a good solution could be, we certainly don't want the
> >> possibility to send out packets with 127.0.0.1 as source (like some
> >> Windows virus got the Windows stack to do by synflooding a domain that
> >> later got changed into 127.0.0.1)
> > Maybe we can use 0 as source if LOOPBACK(src). OTOH, I don't think we
> > want to route packets with a loopback source, so we may instead declare
> > this as a bad testcase :)
> A different possibility would be retaining the old behaviour for
> loopback addresses and doing implicit source NAT.
You can't do that easily anymore. 2.6.11 does not have a list of
manipulations, so you cannot do multiple source NATs at all. To make it
even more limited, nat_packet() does only one manipulation per hook, so
doing SNAT+DNAT on LOCAL_OUT is impossible.
BTW, I think SNAT-ting pure local traffic so that it goes out on the
wire is a bad practice anyway.