On Fri, Jun 26, 2015 at 3:48 PM, Francois Romieu <rom...@fr.zoreil.com> wrote:
> Andy Lutomirski <l...@amacapital.net> :
>> [re-add netdev -- I assume you meant to reply all]
>
> Thanks. Late Friday.
>
>> On Fri, Jun 26, 2015 at 1:32 PM, Francois Romieu <rom...@fr.zoreil.com>
>> wrote:
>> > Andy Lutomirski <l...@amacapital.net> :
>> > [...]
>> >> Could we add some option to do SNAT and inverse DNAT before routing?
>> >
>> > I haven't used it for ages but what's wrong with iptables + fwmark ?
>> >
>> > It takes place in PREROUTING.
>>
>> This works, but it seems unnecessarily painful.  It means that all of
>> my policy rules have to be duplicated with fwmark rules based on '-m
>> conntrack' or similar.
>
> I'd rather say that the fwmark rules will duplicate the SNAT rules since
> your routing policy depends on the post SNAT source addresses. You'd
> be right to complain it does not really help :o)
>
>> Shouldn't the order of operations be:
>>
>> 1. Check rp_filter.
>>
>> 2. Handle NAT.
>>
>> 3. Routing decision.
>>
>> ?
>
> The admittedly painful fwmark part would still be needed for pre-NAT
> source address based policy routing (assuming SNAT loses valuable policy
> information). Life would be easier for your current requirements but
> some different policy requirements would be unable to avoid the
> fwmark/mangle style stuff.

What kind of policy routing would care about the pre-NAT source address?
AIUI, the usual use of policy routing is to *route*, not to filter.  But
maybe I'm missing something.

> Btw, the suggested scheme implies that filtering between SNAT and DNAT
> would be done before routing, thus without INPUT vs FORWARD tainting.

What do you mean by "filtering between SNAT and DNAT"?

--Andy
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
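The "iptables + fwmark in PREROUTING" approach Francois refers to, spelled out as an added example (this is not code from the thread or from the kernel tree). It shows the duplication Andy complains about: the policy lives in mangle rules that mark a connection by its pre-NAT source, stash the mark in conntrack so later packets of the same flow inherit it, and an `ip rule` that routes on the mark. Because mangle PREROUTING runs before nat PREROUTING and before the routing decision, the source address the rule sees is the pre-SNAT one. The network, mark, table and interface values are constructed placeholders; the script only prints the commands unless `APPLY=1` is set, so it can be reviewed without root or netfilter.

```shell
#!/bin/sh
# Added example: generate the fwmark/CONNMARK rule set that makes the
# routing decision depend on the pre-NAT source address.
# All values below are constructed placeholders, override via environment.

LAN_NET="${LAN_NET:-10.0.0.0/24}"   # constructed: pre-NAT source range to steer
MARK="${MARK:-0x1}"                 # constructed: fwmark carrying the policy
TABLE="${TABLE:-100}"               # constructed: policy routing table id
WAN_IF="${WAN_IF:-eth1}"            # constructed: uplink used by that table

# emit_rules prints the commands instead of executing them.
# Order matters inside mangle PREROUTING:
#   1. pull any mark already stored on the connection back onto the packet,
#   2. stop if the flow is already classified,
#   3. classify NEW flows by their (pre-NAT) source address,
#   4. store the packet mark on the connection for the rest of the flow.
emit_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -s $LAN_NET -m conntrack --ctstate NEW -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
ip rule add fwmark $MARK lookup $TABLE
ip route add default dev $WAN_IF table $TABLE
EOF
}

# apply_rules runs the generated commands; needs root and iptables/iproute2.
apply_rules() {
    emit_rules | sh -e
}

# connmark_rule_count returns the number of conntrack-mark rules emitted
# (restore + save), i.e. the part that carries policy across the flow.
connmark_rule_count() {
    emit_rules | grep -c CONNMARK
}

# routing_rule_count returns the number of ip(8) commands, i.e. the part
# that actually routes on the mark.
routing_rule_count() {
    emit_rules | grep -c '^ip '
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    emit_rules
fi
```

Note the cost the thread points at: every routing policy you want expressed in terms of the original source address becomes one MARK rule here plus one `ip rule`, on top of the SNAT rule you already have in nat POSTROUTING.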