[TriLUG] why is it slow?

Aaron S. Joyner aaron at joyner.ws
Sat Sep 16 03:19:28 EDT 2006


Brian Henning wrote:

> <snip>
>
>> and vice versa.  If someone else out there knows of a way to make 
>> this work via iptables alone, I'd be mighty interested in it, because 
>> I can't come up with a way, and it sure feels like there should be one.
>
>
> What about having one of the rules in PREROUTING and one in 
> POSTROUTING?   Such as the DNAT rule in the PREROUTING chain and the 
> SNAT rule in the POSTROUTING chain (all in the nat table)?  According 
> to this ( 
> http://www.linuxhomenetworking.com/wiki/images/f/f0/Iptables.gif ) it 
> looks like packets do go through both PRE and POST chains in the nat 
> table before being passed back out an interface..  Though that seems 
> deceptively simple enough to figure that Joyner must have already 
> thought of it and figured out why it wouldn't work..

To quote from the snipped part of the message:

>> You can do either one with the DNAT or SNAT targets in iptables, 
>> respectively.  Unfortunately, both of these targets terminate rule 
>> processing and immediately deliver your packet on its merry way, out 
>> the interface.
>
And later in the same paragraph:

>> Some people seem to be suggesting that you can just use an additional 
>> SNAT to fix the problem (and believe me, it seemed logical before 
>> reading the iptables man page, and I did try - oh did I try), but my 
>> testing proves out that this simply does not work.  Once the packet 
>> matches the DNAT rule, you get no more opportunity to match any 
>> appropriate SNAT rules, and vice versa.
>
One of the generally common concepts across *NIX-based firewalling 
systems (iptables on Linux, pf on OpenBSD, ipfw2 on FreeBSD, etc) is a 
"terminating rule".  Basically, when you match such a given rule target, 
that's the end of the processing, and the packet stops traversing the 
firewall ruleset entirely, and is written to the interface.  Both SNAT 
and DNAT, according to the man page and all of my testing, are 
terminating rules.  Thus, they can't be combined w/o some crazy magic 
that I don't think exists in iptables.  At least with ipfw2 in FreeBSD, 
I know there's a nerd knob* for 'continue processing rules after any 
terminating match', but I don't know of any such option for iptables (I 
didn't look too hard, though).

>> Let it be said that I'm a died in the wool Linux fan...
>
> Aaron died in the wool?  That's tragic!  When's the funeral?
>
> ;-)

Hmm... even spell check couldn't save me from that one.  :)

Aaron S. Joyner

* - http://www.catb.org/jargon/html/N/nerd-knob.html
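As an added illustration, not code from the thread or from iptables itself, here is a small Python model of how a packet walks a sequence of chains in which each chain has its own terminating rules. It models the traversal Brian's linked diagram shows: a terminating target such as DNAT or SNAT ends processing of the chain it matched in, but the packet still enters the next chain on its path, so a DNAT in nat PREROUTING and an SNAT in nat POSTROUTING can both apply to one packet, whereas two such targets placed in the same chain cannot. The addresses, match conditions and function names are constructed for the example and are assumptions, not anything from the original posts.

```python
"""Toy model of per-chain 'terminating rule' semantics (not iptables itself)."""
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: Callable[[Packet], Packet]
    terminating: bool = True  # DNAT/SNAT-style targets end the current chain


Chain = List[Rule]
Path = List[Tuple[str, Chain]]


def run_chain(chain: Chain, pkt: Packet) -> Tuple[Packet, List[str]]:
    """Walk one chain top to bottom; stop at the first terminating match."""
    applied: List[str] = []
    for rule in chain:
        if rule.match(pkt):
            pkt = rule.action(pkt)
            applied.append(rule.name)
            if rule.terminating:
                break
    return pkt, applied


def traverse(path: Path, pkt: Packet) -> Tuple[Packet, List[str]]:
    """Send the packet through each chain on its path, in order.

    A terminating match ends only the chain it matched in; the packet
    still enters the next chain on the path (PREROUTING -> POSTROUTING).
    """
    hits: List[str] = []
    for chain_name, chain in path:
        pkt, applied = run_chain(chain, pkt)
        hits.extend(f"{chain_name}:{name}" for name in applied)
    return pkt, hits


# Constructed addresses for illustration (RFC 5737 / RFC 1918 ranges).
PUBLIC_VIP = "192.0.2.10"      # address clients connect to
SERVER = "10.0.0.5"            # real server behind the firewall
FIREWALL_INSIDE = "10.0.0.1"   # firewall's inside address, used as SNAT source


def dnat_to_server() -> Rule:
    """Rewrite traffic for the public VIP on port 80 to the inside server."""
    return Rule("DNAT",
                lambda p: p.dst == PUBLIC_VIP and p.dport == 80,
                lambda p: replace(p, dst=SERVER))


def snat_from_firewall() -> Rule:
    """Rewrite the source of anything headed to the server to the firewall."""
    return Rule("SNAT",
                lambda p: p.dst == SERVER,
                lambda p: replace(p, src=FIREWALL_INSIDE))


def split_across_chains(pkt: Packet) -> Tuple[Packet, List[str]]:
    """DNAT in PREROUTING, SNAT in POSTROUTING: both get a chance to match."""
    path: Path = [("PREROUTING", [dnat_to_server()]),
                  ("POSTROUTING", [snat_from_firewall()])]
    return traverse(path, pkt)


def both_in_one_chain(pkt: Packet) -> Tuple[Packet, List[str]]:
    """DNAT and SNAT in the same chain: DNAT terminates it, SNAT never runs."""
    path: Path = [("PREROUTING", [dnat_to_server(), snat_from_firewall()])]
    return traverse(path, pkt)


if __name__ == "__main__":
    client = Packet(src="198.51.100.7", dst=PUBLIC_VIP, dport=80)
    print(split_across_chains(client))
    print(both_in_one_chain(client))
```

Running the model with a constructed client packet shows the difference directly: with the two targets in separate chains the packet leaves with both its destination and source rewritten, while with both in one chain only the DNAT is recorded, because the SNAT rule is never consulted after the terminating match.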