Source nat in netfilter prerouting hooks
We are developing our own kernel module that does advanced source NAT in the netfilter prerouting hook. After upgrading from Linux kernel 2.6.32 (Ubuntu 10.04) to 2.6.35 (Ubuntu 10.04 lucid-backports) it seems that SNATted packets are simply dropped inside the Linux kernel.
I know that SNAT was never advised to be done in prerouting hooks for general usage (Netfilter mailing list), but there are still some reasons why we would prefer to do source natting before the actual routing decision is made.
Does anyone have experience of developing kernel modules that do SNAT in the netfilter prerouting hook for 2.6.35+ Linux kernels? What exactly should be changed in the linux-kernel/netfilter-kernel-module code so that SNATted packets would not be dropped? Maybe SNAT in prerouting is simply a bad idea for 2.6.35+ Linux kernels and we should better use nf_marks for the routing decision and do the SNAT in postrouting?
I am using Ubuntu 10.04 with a back-ported Linux kernel (2.6.35) on x86_64.
Start with finding exact line which drops the packet.
Have you re-calculated all checksums after updating the source IP? Keep in mind that you will also need to update TCP/UDP checksums as they are based on the src/dst IP address.
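To make the checksum point concrete, here is an added userspace C example (not code from the asker's module or from the kernel) that does exactly the bookkeeping a source-NAT rewrite needs: it changes the source address of a constructed IPv4/UDP packet, updates the IP header checksum incrementally (RFC 1624), and then updates the UDP checksum the same way because the TCP/UDP pseudo-header includes both IP addresses. The in-kernel helpers for this are `csum_replace4()` for the IP header and `inet_proto_csum_replace4()` for the transport checksum; the code below reimplements their arithmetic in userspace so the result can be compared against a full recomputation. The packet contents, addresses and ports are constructed sample values.

```c
/* Added example: checksum handling for a source-NAT rewrite, userspace C.
 * All packet buffers are network byte order (big-endian), IPv4 without options. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_HLEN 20

/* Ones'-complement running sum over a byte buffer (RFC 1071); odd trailing byte is zero-padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *buf, size_t len)
{
    for (; len > 1; buf += 2, len -= 2)
        sum += ((uint32_t)buf[0] << 8) | buf[1];
    if (len)
        sum += (uint32_t)buf[0] << 8;
    return sum;
}

/* Fold carries into 16 bits and complement: the value that goes on the wire. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Incremental update for a 32-bit field change (RFC 1624, eq. 3): HC' = ~(~HC + ~m + m').
 * This is the arithmetic the kernel's csum_replace4()/inet_proto_csum_replace4() perform. */
static uint16_t csum_replace32(uint16_t old_csum, uint32_t from, uint32_t to)
{
    uint32_t sum = (uint16_t)~old_csum;
    sum += (uint16_t)~(from >> 16);
    sum += (uint16_t)~(from & 0xffff);
    sum += to >> 16;
    sum += to & 0xffff;
    return csum_fold(sum);
}

/* Full recomputation of the IPv4 header checksum (checksum field zeroed while summing). */
static uint16_t ip_csum_compute(const uint8_t *ip)
{
    uint8_t hdr[IP_HLEN];
    memcpy(hdr, ip, IP_HLEN);
    put16(hdr + 10, 0);
    return csum_fold(csum_add(0, hdr, IP_HLEN));
}

static size_t l4_csum_off(uint8_t proto) { return proto == 6 ? 16 : 6; }   /* TCP / UDP */

/* Full recomputation of the TCP/UDP checksum over pseudo-header + segment.
 * The pseudo-header carries src/dst IP, which is why SNAT must touch this value. */
static uint16_t l4_csum_expected(const uint8_t *pkt, size_t len)
{
    uint8_t proto = pkt[9], pseudo[12], seg[1500];
    size_t l4_len = len - IP_HLEN;
    if (l4_len > sizeof seg) return 0;
    memcpy(pseudo, pkt + 12, 8);                 /* src, dst */
    pseudo[8] = 0; pseudo[9] = proto;
    put16(pseudo + 10, (uint16_t)l4_len);
    memcpy(seg, pkt + IP_HLEN, l4_len);
    put16(seg + l4_csum_off(proto), 0);
    uint16_t c = csum_fold(csum_add(csum_add(0, pseudo, 12), seg, l4_len));
    return (proto == 17 && c == 0) ? 0xffff : c;   /* UDP: 0 is reserved for "no checksum" */
}

static int ip_csum_ok(const uint8_t *pkt) { return get16(pkt + 10) == ip_csum_compute(pkt); }
static int l4_csum_ok(const uint8_t *pkt, size_t len)
{
    return get16(pkt + IP_HLEN + l4_csum_off(pkt[9])) == l4_csum_expected(pkt, len);
}

/* The rewrite a SNAT hook must do: address, IP header checksum, and TCP/UDP checksum. */
static int snat_rewrite_src(uint8_t *pkt, size_t len, uint32_t new_src)
{
    if (len < IP_HLEN + 8 || pkt[0] != 0x45) return -1;   /* plain IPv4, IHL 5 only */
    uint32_t old_src = get32(pkt + 12);
    uint8_t proto = pkt[9];
    put32(pkt + 12, new_src);
    put16(pkt + 10, csum_replace32(get16(pkt + 10), old_src, new_src));
    if (proto != 6 && proto != 17) return 0;              /* other protocols: header only */
    uint8_t *l4c = pkt + IP_HLEN + l4_csum_off(proto);
    uint16_t stored = get16(l4c);
    if (proto == 17 && stored == 0) return 0;              /* UDP without checksum: leave it */
    uint16_t updated = csum_replace32(stored, old_src, new_src);
    put16(l4c, (proto == 17 && updated == 0) ? 0xffff : updated);
    return 0;
}

/* Constructed sample: 10.0.0.2:40000 -> 192.0.2.10:53, UDP, 4-byte payload, valid checksums. */
static size_t build_sample(uint8_t *pkt)
{
    const uint8_t payload[4] = { 0xde, 0xad, 0xbe, 0xef };
    size_t len = IP_HLEN + 8 + sizeof payload;
    memset(pkt, 0, len);
    pkt[0] = 0x45; put16(pkt + 2, (uint16_t)len); pkt[8] = 64; pkt[9] = 17;
    put32(pkt + 12, 0x0a000002); put32(pkt + 16, 0xc000020a);
    put16(pkt + 20, 40000); put16(pkt + 22, 53); put16(pkt + 24, 8 + sizeof payload);
    memcpy(pkt + 28, payload, sizeof payload);
    put16(pkt + 10, ip_csum_compute(pkt));
    put16(pkt + 26, l4_csum_expected(pkt, len));
    return len;
}

/* 1 when the incremental SNAT rewrite leaves both checksums valid against full recomputation. */
int demo_snat_preserves_checksums(void)
{
    uint8_t pkt[64];
    size_t len = build_sample(pkt);
    if (snat_rewrite_src(pkt, len, 0xc6336401) != 0) return 0;   /* new src 198.51.100.1 */
    return get32(pkt + 12) == 0xc6336401 && ip_csum_ok(pkt) && l4_csum_ok(pkt, len);
}

/* The mistake the answer warns about: fix the IP checksum only. 1 if the UDP checksum is now stale. */
int demo_stale_l4_csum_detected(void)
{
    uint8_t pkt[64];
    size_t len = build_sample(pkt);
    uint32_t old_src = get32(pkt + 12);
    put32(pkt + 12, 0xc6336401);
    put16(pkt + 10, csum_replace32(get16(pkt + 10), old_src, 0xc6336401));
    return ip_csum_ok(pkt) && !l4_csum_ok(pkt, len);
}

int main(void)
{
    printf("full rewrite valid: %d\n", demo_snat_preserves_checksums());
    printf("IP-only rewrite leaves stale L4 checksum: %d\n", demo_stale_l4_csum_detected());
    return 0;
}
```

Inside a real hook the same two updates apply to the sk_buff headers, and a packet whose transport checksum was not updated is exactly what a later validation step will discard, which matches the symptom of packets silently vanishing after the rewrite.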