Interactions Between FastNAT and NetFilter

   

Interactions Between FastNAT and NetFilter

This consideration brings you to the question of the interactions between the FastNAT and the NetFilter NAT. From your studies on the packet pathing in Chapter 3, "Linux Policy Routing Structures," you assume that you could have FastNAT and NetFilter too. After all, FastNAT is implemented within the RPDB while NetFilter NAT is implemented at the PRE and POST ROUTING hook points.

Such a view does not consider the reality of the kernel packet processing functions. While ideally this would be a perfect complementary function set, the reality is that there are only a few places where the packet header may be manipulated by either system. In testing the various functions you note that so long as you do not load up the actual NetFilter NAT module, iptable_nat , you can do FastNAT. As soon as you load the iptable_nat module, FastNAT stops working even without any NetFilter NAT rules defined.

At least you understand now how each of these NAT mechanisms works and some of the uses and drawbacks of each. For granularity of NAT specification and flexibility of NAT structures you can use NetFilter. For speed, Policy Routing structures, and asymmetric routing you can use FastNAT. And you do note that by a simple addition of a Policy Routing system with FastNAT on the internal network you can perform whatever pure One-to-One NAT mechanisms you wish and pass those packets unmodified through the NetFilter box.

One other thought does strike you. When you consider the FastNAT structure you realize that in the case of only needing routing-based NAT you can use the NetFilter filter and mangle tools on the same box as a FastNAT, thus providing a way to select and filter NAT-destined packets. As a quick example you consider that by defining a packet filter on the PREROUTING hook that only allows packets destined to a certain port, you effectively allow for a FastNAT based on a single port. A whole realm of possibilities opens up for those scenarios.


   
Top


Policy Routing Using Linux
Policy Routing Using Linux
ISBN: B000C4SRVI
EAN: N/A
Year: 2000
Pages: 105

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net