- 论坛徽章:
- 1
|
本帖最后由 ken1980 于 2015-09-10 20:04 编辑
注意netfilter的链接跟踪的优先级高于设置的规则,如果是已连接的包,直接用连接跟踪tuple里的信息修改IP地址,而不会到NAT表去查询规则,一条连接的第一个包(即状态为IP_CT_NEW)会查询规则,后续的包就不查询规则了,所以你测试1有效,测试2出问题
Linux/Net/Ipv4/Netfilter/nf_nat_standalone.c
case IP_CT_NEW:
if (!nf_nat_initialized(ct, maniptype)) {
unsigned int ret;
if (unlikely(nf_ct_is_confirmed(ct)))
/* NAT module was loaded late */
ret = alloc_null_binding_confirmed(ct, hooknum);
else if (hooknum == NF_IP_LOCAL_IN)
/* LOCAL_IN hook doesn't have a chain! */
ret = alloc_null_binding(ct, hooknum);
else
ret = nf_nat_rule_find(skb, hooknum, in, out,
ct) |
|
免费注册
发表于 2015-07-25 17:56
