Hello,

I have some rules inserted in the NAT table, dual SNAT and DNAT for a connection. They use at some moment the same port of the outside network.

The problem I have is that the connection tracking in the kernel checks first the oldest rule and then the newest one. I use a system based on an ARM XScale processor. Is that the default behaviour, and how can I change this behaviour?

Marius

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
The iptables list of rules is read top to bottom; what is the problem with this? I have my script flush the table, then add everything in the order I want it in. The only case this might be a problem is where you want to insert a rule at a specific spot in the order, without flushing the table and causing it to momentarily not exist. Right now I don't think that is possible.

- Jody

On 12/18/05, Marius Corici <coricim@gmail.com> wrote:
> [...]
Maybe I misread or summit, I do not know about ARM.

Using FORWARD as an example:

    iptables -L FORWARD -vn --line-numbers

then doing

    iptables -D FORWARD <LINENUMBER>

(to remove; yes, there is a milliseconds delay before the match starts happening) and

    iptables -I FORWARD <LINENUMBER> -m <SUMMIT> -j <SUMMIT>

No need to flush. You can even do the -I then the -D so you miss less pkts. I must have got it wrong, too obvious from man iptables.

Happy Christmas, people of the Packets.

On Thu, 2005-12-22 at 14:55 -0500, Jody Shumaker wrote:
> [...]
I wish I had known about this in the past; I just don't recall seeing -I when I first learned iptables ages ago. Using that is definitely a good way one could insert a rule with priority over pre-existing rules. I also don't think this feature has anything to do with the processor used.

Another option Marius might want to consider is -R to replace rules, though it has limitations against any rules that match multiple addresses.

- Jody

On 12/22/05, Oscar Mechanic <oscar@ufomechanic.net> wrote:
> [...]
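Putting Oscar's list / -I / -D procedure and Jody's -R alternative together, here is an added shell example; it is an editor's addition, not code from either poster. The chain listing is constructed sample output of `iptables -L FORWARD -vn --line-numbers`, the rule specification and interface names are made up, and the iptables commands are printed rather than executed, so it runs without root or netfilter.

```shell
#!/bin/sh
# Added example, not from the thread: find a rule's position in a chain
# listing and build the commands that replace it in place without flushing.
# The listing is constructed sample output of
#   iptables -L FORWARD -vn --line-numbers
# and the iptables commands are printed, not executed, so this runs
# without root or a netfilter-capable kernel.

SAMPLE_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp  --  eth1   eth0    192.168.1.0/24       0.0.0.0/0            tcp dpt:80
3        0     0 DROP       all  --  eth1   eth0    192.168.1.0/24       0.0.0.0/0'

# rule_number LISTING PATTERN
# Prints the "num" column of the first rule line matching PATTERN (an awk
# extended regex); prints nothing when no rule matches. Header lines are
# skipped by requiring a numeric first field.
rule_number() {
    printf '%s\n' "$1" | awk -v pat="$2" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1; exit }'
}

# replace_in_place CHAIN NUM RULESPEC
# The "-I then -D" order: insert the replacement at NUM first, then delete
# the old rule, which the insert has pushed down to NUM+1. Doing -D first
# would leave a window with neither rule present.
replace_in_place() {
    printf 'iptables -I %s %s %s\n' "$1" "$2" "$3"
    printf 'iptables -D %s %s\n' "$1" "$(($2 + 1))"
}

# replace_atomic CHAIN NUM RULESPEC
# The -R alternative: one command that swaps the rule at NUM, so there is
# no window at all. iptables refuses -R when a hostname in the spec
# resolves to several addresses, which is the limitation mentioned above.
replace_atomic() {
    printf 'iptables -R %s %s %s\n' "$1" "$2" "$3"
}

# Tighten the HTTP rule (constructed): restrict it to NEW connections.
NEW_SPEC='-i eth1 -o eth0 -p tcp -s 192.168.1.0/24 --dport 80 -m state --state NEW -j ACCEPT'
n=$(rule_number "$SAMPLE_LISTING" 'dpt:80')
if [ -z "$n" ]; then
    echo 'no rule matching dpt:80 in FORWARD' >&2
    exit 1
fi
echo "# rule to replace is at position $n; two-step form:"
replace_in_place FORWARD "$n" "$NEW_SPEC"
echo "# single-command form:"
replace_atomic FORWARD "$n" "$NEW_SPEC"
```

Two practical points the functions encode: the -D in the two-step form targets position n+1 because the -I has already shifted the old rule down, and every -I or -D renumbers everything below it, so re-run the listing before the next edit rather than reusing stale line numbers.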