Re: NAT
Ivan Shmakov a écrit :
> Pascal Hambourg <pascal.mail@plouf.fr.eu.org> writes:
>
>> [...] although IPv6 NAT could be a helpful quick and dirty hack
>> in a some situations (e. g. source NAT to work around some flaws in
>> the source address selection).
>
> Couldn't ip(8) be used for that?
Last time I checked, the 'src' option in IPv6 routes was ignored.
> $ /sbin/ip route show table myvpn
> default via <IPv4> dev <Tunnel-Iface>
>
> This rule makes all the packets for which this table was
> invoked to be routed through <Tunnel-Iface>...
>
> default dev <Tunnel-Iface> scope link src <IPv4>
>
> ... and this one apparently alters the source address
> selection.
Err... Aren't these two routes to the same destination, and thus
conflicting with each other ? In that situation the kernel will use only
one (if ask me which one, I'll say either, don't rely on it).
> For the more complicated cases, some ``mark'' (fwmark?) selector
> could be used in conjunction with iptables-based marking of
> packets.
Unfortunaltey the netfilter mark comes too late, after the source
address selection is performed. Source address selection is performed
when the packet is created, before it enters the OUTPUT chains where
marking takes place. So there is a rerouting after OUTPUT to take the
mark or destination address change into account and update the routing,
but the source address is not updated.
Reply to:
- Follow-Ups:
- Re: NAT
- From: Ivan Shmakov <oneingray@gmail.com>