Hi,

That is not possible in iptables, because there is no chain between *nat POSTROUTING and the XFRM encapsulation in Netfilter.

However, I think you can work around that by loading the nftables kernel module at the same time and creating and using a chain with the correct[1] priority, so it is called after the iptables *nat POSTROUTING chain, but before the XFRM encapsulation. In that chain, you would then call the NFLOG target similarly to how you currently do in *mangle POSTROUTING.

Kind regards
Noel

[1] The correct priority would be between the one of the *nat POSTROUTING chain and the XFRM encapsulation. I do not know those priorities off the top of my head, but you can probably find them somewhere on the WWW.

PS: The route is irrelevant.

On 13.09.2017 20:20, Thomas Will wrote:
>
> Hello,
>
> I have a general question about nflog.
>
> When I establish a VPN connection like 192.168.200.0/24 - to - 192.168.44.0/24
> and on my side there is an interface on the VPN gateway like 192.168.200.1, I am able
> to capture the output decap traffic in nflog:5 with
>
> iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
>
> and
>
> tcpdump -ni nflog:5
>
> But when I establish a VPN connection like 192.168.11.0/24 - to - 192.168.44.0/24
> and my local subnet is still 192.168.200.0/24 ... so I have to SNAT my subnet
> to 192.168.11.0/24
>
> iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.44.0/24 -o $WAN -j NETMAP --to 192.168.11.0/24
>
> there is no route in table 220 ... and I am not able to capture the
> decapsulated IPsec out traffic
>
> ....
>
> Is there any way to do this anyway?
>
> regards
>
> --
> Thomas Will
>
> Xinux e.K.
> Wichernstrasse 18
> 66482 Zweibruecken
>
> Registergericht
> Amtsgericht Zweibruecken
> HRA 1518
>
> P: +49 6332 44040
> F: +49 6332 899227
> M: +49 170 5218548
> M: +49 176 97497102
>
> E: [email protected]
> W: http://www.xinux.com
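Worked example, added here and not part of the thread: an nftables ruleset that implements the workaround Noel describes. The table and chain names are chosen for illustration; the prefixes and the NFLOG group 5 are taken from Thomas's question, and the NETMAP rule from the question is assumed to stay in place. The priorities are the kernel's hook priorities from linux/netfilter_ipv4.h (mangle = -150, filter = 0, the SNAT side of nat = 100), so a postrouting chain at priority 150 runs after iptables *nat POSTROUTING has rewritten the source address; every postrouting chain runs before the XFRM output transformation, so the packet logged here is still the plaintext inner packet.

```nft
# Added example, not from the mailing-list thread. Assumes the nft command is
# available; applying this file loads the nf_tables kernel module, and nftables
# chains coexist with the existing iptables chains on the same hook.
#
# Hook priorities (linux/netfilter_ipv4.h):
#   mangle POSTROUTING  -150
#   filter / security    0 / 50
#   nat POSTROUTING      100   (NF_IP_PRI_NAT_SRC)
# A postrouting chain at priority 150 therefore sees the packet after NETMAP
# has rewritten 192.168.200.0/24 to 192.168.11.0/24, and before the XFRM
# output transformation encapsulates it in ESP.
table ip ipsec_capture {
    chain post_after_nat {
        type filter hook postrouting priority 150; policy accept;

        # Match the post-NAT inner addresses, i.e. the tunnel's traffic
        # selectors, not the pre-NAT 192.168.200.0/24 source that the mangle
        # rule in the question would still see.  "log group 5" is the nftables
        # equivalent of the iptables NFLOG --nflog-group 5 target.
        ip saddr 192.168.11.0/24 ip daddr 192.168.44.0/24 log group 5
    }
}
```

Load it with `nft -f <file>` and keep the existing `tcpdump -ni nflog:5` running. The table name, chain name and priority 150 are assumptions for this example; any priority above 100 in the postrouting hook works. After encapsulation the outer ESP packet traverses postrouting again, but with the tunnel endpoints as addresses, so it does not match this rule and the plaintext is not logged twice.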
