On Fri, Dec 19, 2003 at 03:35:39PM -0500, Hanford, Seth wrote:
> Does this mean that a NAT rule that tags packets will have those packets
> stripped as they leave the network, but reapplied when the return connection
> is NAT'd back to the privately addressed host? Is this the case for all
> "keep state" connections (the returning packets are re-tagged)?
basically, yes. tho the implementation is much much much simpler. the hint is that we disallow tagging on non-stateful rules for a reason... whenever a state is created (which is implicit with NAT rules), the state table entry has a pointer back to the rule it was created from. so, what actually happens is that we only ever tag the first packet of a connection, afterwards state(s) exist and no tag matching needs to be done ever again.

--
Henning Brauer, BS Web Services, http://bsws.de
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
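An added pf.conf illustration of the mechanism described above (this is not from the thread; the interface names, the network and the tag string LAN_NAT are assumed):

```conf
# Constructed example: tag at NAT time, match the tag in the filter.
ext_if = "fxp0"
int_if = "fxp1"

# The nat rule creates state implicitly, so tagging is allowed here.
# The tag is applied to the first packet of each connection; the state
# entry then carries a pointer back to this rule.
nat on $ext_if from $int_if:network to any tag LAN_NAT -> ($ext_if)

# Filter rules see the tag on that first packet only; every later packet
# in both directions matches the existing state, not the 'tagged' clause.
block out on $ext_if all
pass out on $ext_if tagged LAN_NAT keep state

# Tagging on a stateless rule is rejected by pfctl for the reason given
# above: without a state entry there is nothing to carry the tag forward.
```

After loading the ruleset, `pfctl -s state` lists the NAT states that subsequent packets of a tagged connection are matched against.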
