Balazs Scheidler wrote:

> But what happens when you initiate a connection on the host running
> netfilter, thus you have no PREROUTING chain?

You have the OUTPUT chain.

> If I'm doing SNAT in POSTROUTING, the routing decision is not redone, thus
> it leaves with the specified source address, but on the wrong interface.

See my previous reply.

> I think I now understand, have my packets marked in local OUTPUT, route
> based on that mark, and SNAT based on the marks. Is this the way you
> suggested? Hmm.. this sounds reasonable on the programmer's perspective,
> but is difficult to maintain from the user's: it needs two rules.

Yes, it requires three custom rules rather than two (there is also the routing
policy rule).

Having NAT reroute all packets due to source nat transformations would be a
significant performance impact only to support the corner cases where it is
handy.

Regards
Henrik

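The three rules Henrik refers to (mark in mangle OUTPUT, a policy-routing rule keyed on the mark, SNAT in nat POSTROUTING keyed on the same mark), written out as an added example that is not part of this thread. The destination prefix, interface name, gateway, SNAT address, mark value and table number are assumed placeholders; by default the script only prints the commands, and executes them only when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses/names below are constructed.
set -eu

MARK=1                  # fwmark set in mangle OUTPUT
TABLE=100               # policy routing table selected by that mark
OUT_IF=eth1             # interface the marked traffic must leave on
OUT_GW=198.51.100.1     # next hop reachable via OUT_IF
SNAT_SRC=198.51.100.10  # source address to present on OUT_IF
DEST=203.0.113.0/24     # locally originated traffic to steer (assumed prefix)

# run(): print the command; execute it only when APPLY=1 (real host).
run() { echo "$*"; if [ "${APPLY:-0}" = 1 ]; then "$@"; fi; }

# 1. Locally generated packets never traverse PREROUTING, so the mark is
#    set in the OUTPUT chain. iptable_mangle re-runs the routing decision
#    after OUTPUT when the mark changed, which is what lets step 2 work.
mark_rule() {
    run iptables -t mangle -A OUTPUT -d "$DEST" -j MARK --set-mark "$MARK"
}

# 2. Policy routing: packets carrying the mark consult a table whose
#    default route points out OUT_IF instead of the main table's route.
route_rules() {
    run ip route add default via "$OUT_GW" dev "$OUT_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
}

# 3. SNAT in POSTROUTING keyed on the same mark (and the interface the
#    packet now leaves on), so the rewritten source address matches OUT_IF.
snat_rule() {
    run iptables -t nat -A POSTROUTING -m mark --mark "$MARK" -o "$OUT_IF" \
        -j SNAT --to-source "$SNAT_SRC"
}

# Check on a live host: which route does a packet with this mark take?
check_route() {
    run ip route get "${DEST%/*}" mark "$MARK"
}

mark_rule
route_rules
snat_rule
check_route
```

Without APPLY=1 the script is a dry run that shows the rule set in the order it would be installed.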