Re: [Ebtables-devel] Re: Dynamic source MAC-NAT?
From: Bart De S. <bds...@pa...> - 2005-12-18 15:17:09
On Sat, 17-12-2005 at 21:03 +0100, fe...@se... wrote:
> Bart De Schuymer wrote:
> > The problem with dynamic macnat is that the kernel sk_buff structure
> > will have to be altered, which is something the network maintainers
> > don't like. Apart from that there should be no big problems implementing
> > it.
>
> Why is the modification necessary? As I understand it you only need to
> keep a hash of tracked "connections" and mangle the *skb->data when the
> packet hits. Am I missing something?

Iptables conntrack uses skb->nf_conntrack to refer to the connection
tracking info. If ebtables' conntracking is implemented similarly, we'd
need something like that too.

Suppose we don't keep this reference in the skb and we dnat mac address
$a to $b in prerouting. From that point on there won't be an easy way to
know if the mac destination address $b was modified or not.

If the skb is dropped later on, we'll probably need to decrease the use
count of the conntrack, so it can be destroyed if it's not used anymore.
For iptables this is done with nf_conntrack_put (see skbuff.h) called
from __kfree_skb (skbuff.c). We'll need something similar I think.

cheers,
Bart
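The lifecycle Bart describes, as an added userspace C model that is not code from the thread, from ebtables or from the kernel: a hash of MAC mappings, a reference count on each entry, a pointer carried in the packet structure, and a put() on free. All names (`ct_entry`, `skb.nf_ct`, `ct_expire`, `run_scenario`) are hypothetical stand-ins for the kernel objects the mail refers to, and the two MAC addresses are constructed sample data. It shows the two points of the argument: once PREROUTING has rewritten the destination MAC, hashing the header again finds nothing, so only a reference stored in the skb can tell a later hook that the packet was translated; and when the table drops its reference (timeout) while a packet still holds one, the entry must live until the packet is freed, which is what the nf_conntrack_put() call in __kfree_skb() achieves for iptables.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_ALEN 6
#define CT_BUCKETS 16

/* Hypothetical MAC-NAT conntrack entry (model, not the ebtables code). */
struct ct_entry {
    uint8_t orig_dst[ETH_ALEN]; /* lookup key: dst MAC as it arrived on the wire */
    uint8_t new_dst[ETH_ALEN];  /* dst MAC it is rewritten to */
    int use;                    /* reference count, like nf_conntrack's */
    struct ct_entry *next;
};

/* Minimal stand-in for sk_buff: an Ethernet frame plus the extra pointer. */
struct skb {
    uint8_t data[64];           /* data[0..5] is the destination MAC */
    struct ct_entry *nf_ct;     /* the field the mail argues the skb would need */
};

static struct ct_entry *ct_table[CT_BUCKETS];
static int ct_allocated;        /* live entries, so destruction is observable */

static unsigned ct_hash(const uint8_t *mac)
{
    unsigned h = 0;
    for (int i = 0; i < ETH_ALEN; i++)
        h = h * 31 + mac[i];
    return h % CT_BUCKETS;
}

/* Look a frame up by the dst MAC currently in its header. */
static struct ct_entry *ct_find(const uint8_t *dst)
{
    for (struct ct_entry *c = ct_table[ct_hash(dst)]; c; c = c->next)
        if (memcmp(c->orig_dst, dst, ETH_ALEN) == 0)
            return c;
    return NULL;
}

static void ct_get(struct ct_entry *ct) { ct->use++; }

/* Drop one reference; destroy the entry once nobody holds it. */
static void ct_put(struct ct_entry *ct)
{
    if (--ct->use == 0) {
        free(ct);
        ct_allocated--;
    }
}

/* Insert a mapping $a -> $b; the table itself holds one reference. */
static struct ct_entry *ct_create(const uint8_t *orig, const uint8_t *new_dst)
{
    struct ct_entry *ct = calloc(1, sizeof *ct);
    memcpy(ct->orig_dst, orig, ETH_ALEN);
    memcpy(ct->new_dst, new_dst, ETH_ALEN);
    ct->use = 1;
    unsigned b = ct_hash(orig);
    ct->next = ct_table[b];
    ct_table[b] = ct;
    ct_allocated++;
    return ct;
}

/* Timeout: unlink from the table and drop the table's reference only. */
static void ct_expire(struct ct_entry *ct)
{
    struct ct_entry **pp = &ct_table[ct_hash(ct->orig_dst)];
    while (*pp && *pp != ct)
        pp = &(*pp)->next;
    if (*pp)
        *pp = ct->next;
    ct_put(ct);
}

/* PREROUTING: rewrite the dst MAC and remember which entry did it. */
static void hook_prerouting_dnat(struct skb *skb)
{
    struct ct_entry *ct = ct_find(skb->data);
    if (!ct)
        return;
    memcpy(skb->data, ct->new_dst, ETH_ALEN);
    ct_get(ct);
    skb->nf_ct = ct;
}

/* Analogue of __kfree_skb() calling nf_conntrack_put(). */
static void kfree_skb(struct skb *skb)
{
    if (skb->nf_ct)
        ct_put(skb->nf_ct);
    skb->nf_ct = NULL;
}

enum { OBS_DNAT_APPLIED = 1, OBS_HEADER_LOOKUP_FAILS = 2, OBS_SKB_REF_KNOWS = 4,
       OBS_SURVIVES_EXPIRE = 8, OBS_FREED_BY_KFREE = 16 };

/* Walk one frame through the whole lifecycle; returns a bitmask of observations. */
int run_scenario(void)
{
    /* Constructed sample addresses: $a is dnat'ed to $b, as in the mail. */
    const uint8_t a[ETH_ALEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const uint8_t b[ETH_ALEN] = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    struct ct_entry *ct = ct_create(a, b);
    struct skb skb = { .nf_ct = NULL };
    memcpy(skb.data, a, ETH_ALEN);
    int obs = 0;

    hook_prerouting_dnat(&skb);
    if (memcmp(skb.data, b, ETH_ALEN) == 0)
        obs |= OBS_DNAT_APPLIED;
    /* A later hook hashing the rewritten header finds no mapping for $b... */
    if (ct_find(skb.data) == NULL)
        obs |= OBS_HEADER_LOOKUP_FAILS;
    /* ...but the pointer carried in the skb still says what happened. */
    if (skb.nf_ct == ct && memcmp(skb.nf_ct->orig_dst, a, ETH_ALEN) == 0)
        obs |= OBS_SKB_REF_KNOWS;
    ct_expire(ct);              /* table lets go; the skb's reference keeps it alive */
    if (ct_allocated == 1 && skb.nf_ct->use == 1)
        obs |= OBS_SURVIVES_EXPIRE;
    kfree_skb(&skb);            /* last put(): now it can actually be destroyed */
    if (ct_allocated == 0)
        obs |= OBS_FREED_BY_KFREE;
    return obs;
}

int main(void)
{
    printf("observations: 0x%02x (all five present = 0x1f)\n", run_scenario());
    return 0;
}
```

Without the `nf_ct` field, `hook_prerouting_dnat` would have nowhere to record the mapping, `ct_find` on the rewritten header would return NULL exactly as shown, and `kfree_skb` would have nothing to put(), so the entry would either leak or be freed while a packet still pointed at it; that is the sk_buff change the network maintainers would have to accept.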