Title: RE: strange effects of DNAT in connection with policy routing

Martin Sperl [mailto:[EMAIL PROTECTED]] wrote:
>
>We are currently experiencing strange problems with DNAT in conjunction
>with policy routing and think that we have found a bug somewhere!
>
...
>
>iptables -t nat -I PREROUTING 1 -d B.B.B.2/32 -j DNAT --to-destination A.A.A.2
>
>And now the routing is as follows:
>
>using A.A.A.2 the FW routes packets to GW.A
>using B.B.B.2 the FW routes packets to GW.A
>
>So it seems that the NAT-ed addresses are not passed to the routing core
>of Linux and thus the original addresses
>are used for the routing policy...
>
>Did we do something wrong, or is it a bug?
>
Hi Martin,

AFAIK, if I understand your setup, this is not a bug, but just an
example of how the system works.

netfilter/iptables works independently from the routing code, hence
the routing code does not know about any netfilter manipulations
like NAT.

If you look at a part of the netfilter diagram:


  packet in -----> PREROUTING ----> (policy) routing ----> FORWARD --...
                                            |
                                            V
                                          INPUT

You DNAT B.B.B.2 to A.A.A.2 in PREROUTING, hence to the routing code,
it will appear as if the packet comes from A.A.A.2. Your policy
routing rules/tables will make the reply go out via the A.A.A.2
address, as per your request.

So it's a feature or whatever you want to call it :-), but not
really a bug. If you want to achieve something special, maybe this
discussion should be taken to the netfilter list, or lartc.

Regards,
Filip

ps. The routing code has NAT too; it's a little trickier to get to
grips with than netfilter NAT, but maybe it can solve your problem.
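As an added illustration (not part of this thread, and a simplified model rather than the kernel's code), the following Python script models the hook order Filip describes: mangle PREROUTING, then nat PREROUTING, then the routing decision, so that policy routing only ever sees the post-DNAT destination. It also goes one step beyond the thread by showing the usual way to let policy routing act on the pre-NAT destination: a fwmark set in the mangle table (which runs before the nat table) and an `ip rule ... fwmark` selector. The addresses 192.0.2.0/24 and 198.51.100.0/24 are constructed stand-ins for A.A.A.0/24 and B.B.B.0/24, and GW.A / GW.B are the gateway names from the thread.

```python
"""Simplified model of netfilter PREROUTING hooks versus the routing decision.

Constructed example: 192.0.2.0/24 stands in for the thread's A.A.A.0/24 and
198.51.100.0/24 for B.B.B.0/24. This is not the kernel's code, only a model
of the ordering: mangle PREROUTING -> nat PREROUTING -> routing decision.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NET_A = ipaddress.ip_network("192.0.2.0/24")      # stands in for A.A.A.0/24
NET_B = ipaddress.ip_network("198.51.100.0/24")   # stands in for B.B.B.0/24
HOST_A2 = "192.0.2.2"        # stands in for A.A.A.2
HOST_B2 = "198.51.100.2"     # stands in for B.B.B.2
CLIENT = "203.0.113.9"       # constructed source address of the incoming packet


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0            # fwmark: travels with the packet across all hooks


@dataclass
class MarkRule:              # iptables -t mangle -A PREROUTING -d <net> -j MARK --set-mark <mark>
    match_dst: ipaddress.IPv4Network
    mark: int


@dataclass
class DnatRule:              # iptables -t nat -A PREROUTING -d <host>/32 -j DNAT --to-destination <to>
    match_dst: str
    to_dst: str


@dataclass
class PolicyRule:            # one 'ip rule' entry: selectors -> table (first match wins)
    table: str
    to: Optional[ipaddress.IPv4Network] = None
    fwmark: Optional[int] = None


# Each routing table is reduced to the gateway it would pick.
TABLES = {"A": "GW.A", "B": "GW.B", "main": "GW.MAIN"}


def mangle_prerouting(pkt: Packet, rules: List[MarkRule]) -> Packet:
    """mangle table runs first; it sees the original destination."""
    for r in rules:
        if ipaddress.ip_address(pkt.dst) in r.match_dst:
            pkt.mark = r.mark
    return pkt


def nat_prerouting(pkt: Packet, rules: List[DnatRule]) -> Packet:
    """nat table runs next; DNAT rewrites the destination before routing."""
    for r in rules:
        if pkt.dst == r.match_dst:
            pkt.dst = r.to_dst
            break
    return pkt


def routing_decision(pkt: Packet, policy: List[PolicyRule]) -> str:
    """Policy routing sees only what is left after PREROUTING: the NAT-ed dst."""
    for r in policy:
        if r.to is not None and ipaddress.ip_address(pkt.dst) not in r.to:
            continue
        if r.fwmark is not None and pkt.mark != r.fwmark:
            continue
        return TABLES[r.table]
    return TABLES["main"]


def traverse(pkt: Packet, marks: List[MarkRule], dnats: List[DnatRule],
             policy: List[PolicyRule]) -> str:
    pkt = mangle_prerouting(pkt, marks)    # hook priority -150
    pkt = nat_prerouting(pkt, dnats)       # hook priority -100
    return routing_decision(pkt, policy)   # after PREROUTING completes


DNAT = [DnatRule(HOST_B2, HOST_A2)]        # the thread's rule: B.B.B.2 -> A.A.A.2

# Setup from the thread: policy rules keyed on destination network only.
POLICY_BY_DST = [PolicyRule("B", to=NET_B), PolicyRule("A", to=NET_A)]


def gateway_with_dnat_only(dst: str) -> str:
    return traverse(Packet(CLIENT, dst), [], DNAT, POLICY_BY_DST)


# Variant beyond the thread: mark on the pre-NAT destination, route on the mark.
MARKS = [MarkRule(NET_B, 2)]
POLICY_BY_MARK = [PolicyRule("B", fwmark=2), PolicyRule("A", to=NET_A)]


def gateway_with_mark(dst: str) -> str:
    return traverse(Packet(CLIENT, dst), MARKS, DNAT, POLICY_BY_MARK)


if __name__ == "__main__":
    for dst in (HOST_A2, HOST_B2):
        print(f"{dst}: dnat-only -> {gateway_with_dnat_only(dst)}, "
              f"with fwmark -> {gateway_with_mark(dst)}")
```

With destination-based rules alone, both A.A.A.2 and B.B.B.2 end up at GW.A, exactly the behaviour Martin reported, because the DNAT has already happened by the time the rule lookup runs. The fwmark variant works because the mangle table runs before the nat table in the same hook, so the mark records the original destination and the packet still carries it when the routing decision is made.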
