SNAT Confusion

Janusz Krzysztofik jkrzyszt at tis.icnet.pl
Fri Mar 16 11:19:45 GMT 2007


Rodre Ghorashi-Zadeh wrote:
> I am totally confused about the whole SNAT, snat_reroute, NFCT, etc. I 
> have downloaded Julian's NFCT patch for my kernel (centos 4.4 
> 2.6.9-42.0.10.ELsmp), patched/built/installed the kernel, echoed 1 > 
> /proc/sys/net/ipv4/vs/conntrack & and snat_reroute, wrote an iptables 
> rule that looks like this: iptables -t nat -A POSTROUTING -p tcp -s 
> $MYIP -d $RIP --dport $SOMEPORT -j SNAT --to-source $DEFAULTGATE, sent 
> the appropriate traffic that should get caught and manipulated by the 
> previous rule, experienced no results ...

Exactly as I was before. Then I reread all of Julian's writings on this 
matter and understood that by saying SNAT he meant changing the RIP source 
address back to the VIP on packets traversing the LVS-NAT director back to 
clients (OUT direction).

> ... does the patch provided by Janusz Krzysztofik at 
> http://www.icnet.pl/download/ip_vs_dr-conntrack.patch allow you to at 
> least do an iptables style SNAT to LVS-DR type packets?

Yes, exactly, and not only SNAT, but full conntrack as well. But please 
remember, this is my own solution, not supported by the LVS people in any 
way, and not yet commented on by them, so it may stop working for future 
versions of IPVS.

Julian, Joe, Horms, maybe others, could you please share your opinions 
on this matter?

Thanks,
Janusz


More information about the lvs-users mailing list