[Q] IP masquerading and filtering

Sam Napolitano (sam@Progressive-Systems.Com)
Tue, 06 Apr 1999 13:28:38 -0400

I am trying to understand the Linux 2.0.x kernel datapath for outgoing
IP packets. Specifically I am looking at the relationship between the
firewall hooks and masquerading.

Here's what I am seeing. When an outbound packet is received by the
outbound firewall hook, the IP header has been rewritten but the
packet payload has not. For example, in the case of FTP, the PORT
command shows the original IP address, not the masqueraded one.

But this isn't to say the FTP PORT command isn't rewritten; it is.
It's just that it is rewritten *after* the firewall outbound hook
procedure.

Question: is there a way to change this to have all the masquerading
done for a packet (IP header and payload) *before* it is sent to the
firewall hook?

A small diagram may help explain what I'm seeing:

IP general
|
v

IP masq
(IP header rewritten)
|
v

Firewall Hook
(pass it or not)
|
v

FTP masq - w/the PORT
command, the addr is
rewritten here
|
v

Link layer

What I am inquiring about is this scenario:

IP general
|
v

IP masq
(IP header rewritten)
|
v

FTP masq - w/the PORT
command, the addr is
rewritten here
|
v

Firewall Hook
(pass it or not)
|
v

Link layer

Thanks,
Sam
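As an added illustration of the ordering question raised above (this is example code written for this page, not anything from the poster or from the 2.0.x kernel), the model below pushes one outbound FTP control packet through three toy stages in the two orders the diagrams describe: the order observed (header masquerade, firewall hook, FTP PORT rewrite) and the order asked for (header masquerade, FTP PORT rewrite, firewall hook). The hook here is a simple consistency check a filter might want to make, that the address advertised inside the PORT command matches the packet's source address, and it records what it saw. All addresses, the port number and the stage functions are constructed for the example; only the PORT command encoding (four address octets, then the high and low byte of the port) follows the FTP standard.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample addresses (documentation ranges); none appear in the post.
INTERNAL_IP = "192.168.1.10"   # host behind the masquerading box
MASQ_IP = "203.0.113.5"        # external address the box masquerades as
FTP_SERVER = "198.51.100.20"   # destination of the FTP control connection

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    payload: str
    trace: list = field(default_factory=list)
    hook_seen_ip: Optional[str] = None   # address the hook found in the payload
    hook_consistent: bool = True         # hook's verdict


def encode_port(ip: str, port: int) -> str:
    """Build an FTP PORT command: four address octets, then port high byte, low byte."""
    a, b, c, d = ip.split(".")
    return f"PORT {a},{b},{c},{d},{port >> 8},{port & 0xFF}\r\n"


def decode_port(payload: str):
    """Parse a PORT command into (ip, port); None if the payload is not a PORT command."""
    m = PORT_RE.match(payload)
    if m is None:
        return None
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def ip_masq(pkt: Packet) -> Packet:
    """Header-level masquerade: rewrite the source address only; payload is untouched."""
    pkt.src_ip = MASQ_IP
    pkt.trace.append("ip_masq")
    return pkt


def ftp_masq(pkt: Packet) -> Packet:
    """Application-level masquerade: rewrite the address carried inside a PORT command."""
    parsed = decode_port(pkt.payload)
    if parsed is not None:
        _orig_ip, port = parsed
        pkt.payload = encode_port(MASQ_IP, port)
    pkt.trace.append("ftp_masq")
    return pkt


def firewall_hook(pkt: Packet) -> Packet:
    """Filtering hook: check that the address advertised in the payload matches
    the packet's current source address, and record what it saw."""
    parsed = decode_port(pkt.payload)
    pkt.hook_seen_ip = parsed[0] if parsed is not None else None
    pkt.hook_consistent = pkt.hook_seen_ip is None or pkt.hook_seen_ip == pkt.src_ip
    pkt.trace.append(f"hook saw {pkt.hook_seen_ip}")
    return pkt


# The order the post observes in 2.0.x, and the order it asks for.
OBSERVED_ORDER = (ip_masq, firewall_hook, ftp_masq)
PROPOSED_ORDER = (ip_masq, ftp_masq, firewall_hook)


def run(order) -> Packet:
    """Push one outbound PORT packet from the internal host through the stages in order."""
    pkt = Packet(INTERNAL_IP, FTP_SERVER, encode_port(INTERNAL_IP, 1234))
    for stage in order:
        stage(pkt)
    return pkt


if __name__ == "__main__":
    for name, order in (("observed", OBSERVED_ORDER), ("proposed", PROPOSED_ORDER)):
        p = run(order)
        print(f"{name:9s} hook saw {p.hook_seen_ip}, consistent={p.hook_consistent}, "
              f"on the wire: src={p.src_ip} {p.payload.strip()}")
```

In both orders the packet that reaches the wire is fully masqueraded; the difference is only what the hook gets to inspect. Under the observed order the hook sees the internal address in the PORT command while the header already carries the external one, so any payload-aware rule (address consistency, or matching the advertised data-connection endpoint against the header) is evaluated against pre-rewrite data and reports a mismatch that does not exist on the wire. Under the proposed order the hook sees exactly what leaves the box.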
