forked from Minki/linux
c68cd6cc21
2.6.34 introduced 'conntrack zones' to deal with cases where packets from multiple identical networks are handled by conntrack/NAT. Packets are looped through veth devices, during which they are NATed to private addresses, after which they can continue normally through the stack and possibly have NAT rules applied a second time. This works well, but is needlessly complicated for cases where only a single SNAT/DNAT mapping needs to be applied to these packets. In that case, all that needs to be done is to assign each network to a seperate zone and perform NAT as usual. However this doesn't work for packets destined for the machine performing NAT itself since its corrently not possible to configure SNAT mappings for the LOCAL_IN chain. This patch adds a new INPUT chain to the NAT table and changes the targets performing SNAT to be usable in that chain. Example usage with two identical networks (192.168.0.0/24) on eth0/eth1: iptables -t raw -A PREROUTING -i eth0 -j CT --zone 1 iptables -t raw -A PREROUTING -i eth0 -j MARK --set-mark 1 iptables -t raw -A PREROUTING -i eth1 -j CT --zone 2 iptabels -t raw -A PREROUTING -i eth1 -j MARK --set-mark 2 iptables -t nat -A INPUT -m mark --mark 1 -j NETMAP --to 10.0.0.0/24 iptables -t nat -A POSTROUTING -m mark --mark 1 -j NETMAP --to 10.0.0.0/24 iptables -t nat -A INPUT -m mark --mark 2 -j NETMAP --to 10.0.1.0/24 iptables -t nat -A POSTROUTING -m mark --mark 2 -j NETMAP --to 10.0.1.0/24 iptables -t raw -A PREROUTING -d 10.0.0.0/24 -j CT --zone 1 iptables -t raw -A OUTPUT -d 10.0.0.0/24 -j CT --zone 1 iptables -t raw -A PREROUTING -d 10.0.1.0/24 -j CT --zone 2 iptables -t raw -A OUTPUT -d 10.0.1.0/24 -j CT --zone 2 iptables -t nat -A PREROUTING -d 10.0.0.0/24 -j NETMAP --to 192.168.0.0/24 iptables -t nat -A OUTPUT -d 10.0.0.0/24 -j NETMAP --to 192.168.0.0/24 iptables -t nat -A PREROUTING -d 10.0.1.0/24 -j NETMAP --to 192.168.0.0/24 iptables -t nat -A OUTPUT -d 10.0.1.0/24 -j NETMAP --to 192.168.0.0/24 Signed-off-by: Patrick McHardy <kaber@trash.net> |
||
|---|---|---|
| .. | ||
| arp_tables.c | ||
| arpt_mangle.c | ||
| arptable_filter.c | ||
| ip_queue.c | ||
| ip_tables.c | ||
| ipt_addrtype.c | ||
| ipt_ah.c | ||
| ipt_CLUSTERIP.c | ||
| ipt_ecn.c | ||
| ipt_ECN.c | ||
| ipt_LOG.c | ||
| ipt_MASQUERADE.c | ||
| ipt_NETMAP.c | ||
| ipt_REDIRECT.c | ||
| ipt_REJECT.c | ||
| ipt_ULOG.c | ||
| iptable_filter.c | ||
| iptable_mangle.c | ||
| iptable_raw.c | ||
| iptable_security.c | ||
| Kconfig | ||
| Makefile | ||
| nf_conntrack_l3proto_ipv4_compat.c | ||
| nf_conntrack_l3proto_ipv4.c | ||
| nf_conntrack_proto_icmp.c | ||
| nf_defrag_ipv4.c | ||
| nf_nat_amanda.c | ||
| nf_nat_core.c | ||
| nf_nat_ftp.c | ||
| nf_nat_h323.c | ||
| nf_nat_helper.c | ||
| nf_nat_irc.c | ||
| nf_nat_pptp.c | ||
| nf_nat_proto_common.c | ||
| nf_nat_proto_dccp.c | ||
| nf_nat_proto_gre.c | ||
| nf_nat_proto_icmp.c | ||
| nf_nat_proto_sctp.c | ||
| nf_nat_proto_tcp.c | ||
| nf_nat_proto_udp.c | ||
| nf_nat_proto_udplite.c | ||
| nf_nat_proto_unknown.c | ||
| nf_nat_rule.c | ||
| nf_nat_sip.c | ||
| nf_nat_snmp_basic.c | ||
| nf_nat_standalone.c | ||
| nf_nat_tftp.c | ||