Hi,

I was wondering what the reason is for NAT not rerouting modified packets?

If anything important is modified by a mangle rule that affects routing, the
routing decision is automatically redone as this code fragment shows:

        ret = ipt_do_table(pskb, hook, in, out, &packet_mangler, NULL);
        /* Reroute for ANY change. */
        if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE
            && ((*pskb)->nh.iph->saddr != saddr
                || (*pskb)->nh.iph->daddr != daddr
                || (*pskb)->nfmark != nfmark
                || (*pskb)->nh.iph->tos != tos))
                return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;

NAT doesn't do anything like this. So given an SNAT rule changes the source
address in POSTROUTING, the routing tables are not looked up again, so
source address dependent policy routing rules are not applied.

It might not be the best to change this by default, but it could be
implemented by a match, e.g.

iptables -t nat -A POSTROUTING -p tcp -d 0/0 --dport 25 -m reroute -j SNAT --to-source 1.2.3.4

-m reroute would flag the packet as one which needs rerouting (using for
example a flag in nfcache). Packets flagged as such would be rerouted after
do_bindings() is called.

Opinions?

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
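
The behaviour described in the post, modelled as an added example (this is a
toy user-space simulation written for this page, not code from the post, from
the kernel, or from the netfilter project): a constructed source/fwmark
policy-routing table, the same four-field "reroute for ANY change" test the
quoted mangle fragment uses, and a hook runner that repeats the lookup only
when rerouting is enabled. The rule table, the addresses (10.0.0.5, 1.2.3.4,
203.0.113.10), the mark value 7 and all function names are assumptions made up
for the illustration. It shows why an SNAT rule without rerouting leaves the
packet on the interface chosen for the pre-NAT source address, while the same
change with the proposed -m reroute flag (or a mark change in the mangle
table) picks up the source-based rule.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet model holding only the four header fields the
 * iptable_mangle hook compares before deciding to reroute. */
struct pkt {
    uint32_t saddr;
    uint32_t daddr;
    uint32_t nfmark;
    uint8_t  tos;
};

/* Constructed policy-routing rule: "from <prefix> fwmark <mark> -> <oif>".
 * mark == 0 means "any mark", mask == 0 means "any source address". */
struct policy_rule {
    uint32_t src;
    uint32_t mask;
    uint32_t mark;
    const char *oif;
};

/* Assumed rule set, evaluated first-match like 'ip rule' priorities. */
static const struct policy_rule rules[] = {
    { 0x00000000u, 0x00000000u, 7u, "ppp0" }, /* fwmark 7        -> ppp0 */
    { 0x01020304u, 0xFFFFFFFFu, 0u, "eth2" }, /* from 1.2.3.4/32 -> eth2 */
    { 0x0A000000u, 0xFF000000u, 0u, "eth1" }, /* from 10.0.0.0/8 -> eth1 */
    { 0x00000000u, 0x00000000u, 0u, "eth0" }, /* default         -> eth0 */
};

/* Simulated routing decision keyed on source address and mark. */
static const char *route_lookup(const struct pkt *p)
{
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct policy_rule *r = &rules[i];
        if ((p->saddr & r->mask) == (r->src & r->mask) &&
            (r->mark == 0 || r->mark == p->nfmark))
            return r->oif;
    }
    return "none";
}

/* Same condition as the mangle hook's "Reroute for ANY change" test. */
static int routing_fields_changed(const struct pkt *a, const struct pkt *b)
{
    return a->saddr != b->saddr || a->daddr != b->daddr ||
           a->nfmark != b->nfmark || a->tos != b->tos;
}

typedef void (*target_fn)(struct pkt *);

/* Run one POSTROUTING-style hook: the routing decision has already been
 * made, the target rewrites the packet, and the lookup is repeated only
 * when 'reroute' is set (mangle behaviour, or the proposed -m reroute flag)
 * and one of the relevant fields actually changed. Returns the output
 * interface the packet leaves on. */
static const char *run_hook(struct pkt *p, target_fn target, int reroute)
{
    const char *oif = route_lookup(p);   /* decision made before the hook */
    struct pkt before = *p;
    target(p);
    if (reroute && routing_fields_changed(&before, p))
        oif = route_lookup(p);           /* ip_route_me_harder() equivalent */
    return oif;
}

static void snat_to_1_2_3_4(struct pkt *p) { p->saddr = 0x01020304u; }
static void mangle_mark_7(struct pkt *p)   { p->nfmark = 7u; }

/* Constructed packet: 10.0.0.5 -> 203.0.113.10, no mark, TOS 0. */
static struct pkt sample_packet(void)
{
    struct pkt p = { 0x0A000005u, 0xCB00710Au, 0u, 0u };
    return p;
}

/* SNAT in the nat table as it stands: no reroute, pre-NAT source picks eth1. */
const char *snat_without_reroute(void)
{
    struct pkt p = sample_packet();
    return run_hook(&p, snat_to_1_2_3_4, 0);
}

/* SNAT with the proposed -m reroute: the rule for 1.2.3.4 now applies. */
const char *snat_with_reroute(void)
{
    struct pkt p = sample_packet();
    return run_hook(&p, snat_to_1_2_3_4, 1);
}

/* MARK in the mangle table: already rerouted today, so the fwmark rule applies. */
const char *mangle_mark_reroutes(void)
{
    struct pkt p = sample_packet();
    return run_hook(&p, mangle_mark_7, 1);
}

int main(void)
{
    printf("SNAT, no reroute : %s\n", snat_without_reroute());
    printf("SNAT, -m reroute : %s\n", snat_with_reroute());
    printf("mangle MARK      : %s\n", mangle_mark_reroutes());
    return 0;
}
```

The practical check this models is the one an operator would run after
adding source-based 'ip rule' entries behind SNAT: if traffic still leaves
on the interface chosen for the private source, the routing decision was
made before the address was rewritten and was not repeated.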
