On Tue, Mar 26, 2002 at 11:23:40PM +0100, Patrick Schaaf wrote:
> Hi all,
> 
> reading the conntrack code, and thinking about optimizations (there are
> plenty...), I come to this question: as implemented, the ip_nat_info field
> of each conntrack contains an array of 'manips', max. 6 of them. Each manip
> applies to a certain mask of hooks, and changes either the source or
> destination IP address of the current skb. The changes happen as the
> various hook functions in the NAT code are executed.

exactly.

> An alternative implementation would apply address mangling to each
> individual skb exactly once. For both directions, the conntracking
> structure would contain the set of changes to apply to IP and protocol
> addresses, and possibly there would be a _precomputed_ checksum adjust
> stored within the conntrack.

That breaks a lot of things, mainly that your ruleset is no longer able
to match on the best combination of source and destination address.

> Now, the "step-by-step" application in the current framework,
> if I understand things correctly, is visible in the iptables
> rule chains in the various tables. What I wonder about is,
> how many rulesets _rely_ on such "partial modifications" of
> the individual skb, and what is the purpose of that usage?

It's absolutely necessary.  Where would this 'single' point in the stack
be?  At post_routing it is too late, because the routing decision is already
made.  So you would need to do all NAT at pre_routing.

This means that you do SNAT at prerouting.  So your firewall ruleset will never
see the real (e.g. 192.168.x.x) address of SNATed / MASQUERADEd connections.

So how do you distinguish between individual clients in your internal
network?

This is just the most common example, of course.

Another issue: how big is the optimization?  How many connections do
really have SNAT and DNAT at the same time?  In most cases you only
have one manipulation.

Precomputed checksum mangling? mmh... could be interesting - but this
could be implemented with the current code as well.

> best regards
>  Patrick

-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
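As an added illustration of the hook-ordering argument in the reply above (this is example code, not code from the thread or from netfilter), the following Python model walks one forwarded packet through PRE_ROUTING, FORWARD and POST_ROUTING and records what a FORWARD filter rule would see under the current per-hook manips versus the proposed single-point design. The hook names, the manip representation and all addresses are constructed assumptions.

```python
# Added example: a small model of netfilter hook traversal for a forwarded
# packet, showing why applying every NAT manip at a single point before
# routing hides the real client address from the FORWARD filter chain.

PRE_ROUTING, FORWARD, POST_ROUTING = "PRE_ROUTING", "FORWARD", "POST_ROUTING"


def manip(hook, field, new_addr):
    """A manip as described in the thread: bound to a hook, rewrites src or dst."""
    return {"hook": hook, "field": field, "new": new_addr}


# Current placement: DNAT at PRE_ROUTING, SNAT at POST_ROUTING, i.e. after
# the routing decision and after the filter table has seen the packet.
CURRENT_DESIGN = [
    manip(PRE_ROUTING, "dst", "10.0.0.5"),
    manip(POST_ROUTING, "src", "203.0.113.1"),
]

# Proposed alternative: all address mangling applied once, before routing.
SINGLE_POINT_DESIGN = [
    manip(PRE_ROUTING, "dst", "10.0.0.5"),
    manip(PRE_ROUTING, "src", "203.0.113.1"),
]


def traverse(pkt, manips):
    """Apply the manips bound to each hook in traversal order.

    Returns (filter_view, final_pkt): the packet as a FORWARD filter rule
    matches on it, and the packet as it leaves POST_ROUTING.
    """
    pkt = dict(pkt)
    filter_view = None
    for hook in (PRE_ROUTING, FORWARD, POST_ROUTING):
        for m in manips:
            if m["hook"] == hook:
                pkt[m["field"]] = m["new"]
        if hook == FORWARD:
            filter_view = dict(pkt)  # what `-t filter -A FORWARD` rules see
    return filter_view, pkt


# Constructed sample: an internal client reaching a published service.
CLIENT_PKT = {"src": "192.168.1.20", "dst": "198.51.100.7"}


def filter_sees_real_source(manips, pkt=CLIENT_PKT):
    """True if a FORWARD filter rule can still match the client's real address."""
    view, _ = traverse(pkt, manips)
    return view["src"] == pkt["src"]
```

Both designs emit the same packet on the wire; the difference is only in what the filter table can match on in between.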
