On 12/16/2009 03:09 AM, Andrzej Odyniec wrote:
>
> But for asymmetric one (for this localization output route is via eth3 too but
> packet arrives via eth2) after PREROUTING chain in mangle table ping packet
> enters PREROUTING chain in nat table (there is no nat rule for these addresses)
> and gets stuck:
>
>> TRACE: raw:PREROUTING:policy:2 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
>> TRACE: mangle:PREROUTING:rule:1 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
>> TRACE: mangle:tcpre:return:1 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
>> TRACE: mangle:PREROUTING:policy:2 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
>> TRACE: nat:PREROUTING:rule:1 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
>> TRACE: nat:dnat:rule:1 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
>> TRACE: nat:net_dnat:return:30 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
>> TRACE: nat:dnat:return:26 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
>> TRACE: nat:PREROUTING:policy:2 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
>
> I suspect changed behavior of new kernel or new Shorewall.

There is no way that I know of that Shorewall could make this happen. Have you
compared the output of 'shorewall show nat' on the two different versions?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
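
Added example, not part of the original thread and not Shorewall code: a small parser that groups netfilter TRACE lines per packet and reports which built-in hooks each packet reached, which makes a trace that stops in PREROUTING, like the one quoted above, easy to spot. The function names and the second packet in the sample (192.0.2.10) are assumptions made for illustration.

```python
import re

BUILTIN = ("PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING")
LINE = re.compile(r"TRACE: (\w+):([\w-]+):(rule|return|policy):(\d+) (.*)")

# Constructed sample. The first packet reuses three lines from the trace quoted
# above; the second (192.0.2.10, ID=1001) is invented to show a forwarded packet.
SAMPLE = """\
TRACE: raw:PREROUTING:policy:2 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
TRACE: mangle:PREROUTING:policy:2 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
TRACE: nat:PREROUTING:policy:2 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260
TRACE: raw:PREROUTING:policy:2 IN=eth3 OUT= SRC=192.0.2.10 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=1001 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
TRACE: nat:PREROUTING:policy:2 IN=eth3 OUT= SRC=192.0.2.10 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=1001 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
TRACE: mangle:FORWARD:policy:1 IN=eth3 OUT=eth1 SRC=192.0.2.10 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=1001 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
TRACE: filter:FORWARD:rule:3 IN=eth3 OUT=eth1 SRC=192.0.2.10 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=1001 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
"""

def trace_paths(text):
    """Group TRACE lines per packet: {(src, dst, ip_id, proto): [(table, chain, kind, num)]}."""
    paths = {}
    for m in LINE.finditer(text):
        table, chain, kind, num, rest = m.groups()
        fields = {}
        for k, v in re.findall(r"(\w+)=(\S*)", rest):
            fields.setdefault(k, v)  # keep the first ID= (IP ID), not the ICMP ID
        key = (fields.get("SRC"), fields.get("DST"), fields.get("ID"), fields.get("PROTO"))
        paths.setdefault(key, []).append((table, chain, kind, int(num)))
    return paths

def hooks(path):
    """Built-in chains reached, in order, as 'table:CHAIN'; user chains are skipped."""
    out = []
    for table, chain, _kind, _num in path:
        name = f"{table}:{chain}"
        if chain in BUILTIN and (not out or out[-1] != name):
            out.append(name)
    return out

def lost_after_prerouting(path):
    """True when every hook seen is PREROUTING: no INPUT or FORWARD chain logged the packet."""
    reached = hooks(path)
    return bool(reached) and all(h.endswith(":PREROUTING") for h in reached)

if __name__ == "__main__":
    for key, path in trace_paths(SAMPLE).items():
        print(key, " -> ".join(hooks(path)), "LOST" if lost_after_prerouting(path) else "ok")
```

A packet flagged here was accepted by every traced PREROUTING chain and then never appeared in an INPUT or FORWARD chain, so the rules shown in the trace are not what discarded it.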
