Make nat and nft rules consistent; improve rule ordering.#549
Merged
brianmay merged 1 commit into sshuttle:master on Oct 21, 2020
Conversation
First, check if TTL indicates we should ignore packet (instead of checking in multiple rules later). Also, nft method didn't do this at all. Now, nft matches the behavior of nat.

Second, forward DNS traffic (we may need to intercept traffic to localhost if a DNS server is running on localhost).

Third, ignore any local traffic packets. (Previously, we ignored local traffic except DNS and then had the DNS rules). The nft method didn't do this previously at all. It now matches the behavior of nat.

Lastly, list the subnets to redirect and/or exclude. This step is left unchanged. Excluding the local port that we are listening on is redundant with the third step, but should cause no harm.

In summary, this ordering simplifies the rules in nat and eliminates differences that previously existed between nat and nft.
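The four-step ordering described above, as an added example that is not sshuttle's own code: it builds the redirect chain for both the iptables nat method and the nft method and checks that the two methods emit the same sequence of steps. The chain name, the marker TTL (63), the redirect port (12300), the DNS port (12301), the resolver address and the subnet list are all assumed or constructed values.

```python
# Added example, not sshuttle's code. Assumed values: chain "sshuttle-12300",
# marker TTL 63, redirect port 12300, DNS port 12301.  Each rule is tagged with
# the PR step it implements so the two methods can be compared step by step.

def nat_rules(chain, port, dnsport, ttl, dns_servers, subnets):
    """iptables -t nat rules for `chain`, in the PR's four-step order.
    subnets is an ordered list of (cidr, exclude). iptables stops at the first
    match, so an excluded sub-network must precede the wider redirected one."""
    # 1. Packets carrying the marker TTL are ours already: leave the chain.
    rules = [("ttl", f"-A {chain} -m ttl --ttl {ttl} -j RETURN")]
    # 2. DNS is redirected before the local bypass, so a resolver on
    #    localhost is still intercepted.
    for ip in dns_servers:
        rules.append(("dns", f"-A {chain} -d {ip}/32 -p udp --dport 53 "
                             f"-j REDIRECT --to-ports {dnsport}"))
    # 3. Everything else addressed to this host is left alone.
    rules.append(("local", f"-A {chain} -m addrtype --dst-type LOCAL -j RETURN"))
    # 4. Subnets to exclude (RETURN) or redirect to the local listener.
    for net, exclude in subnets:
        if exclude:
            rules.append(("subnet", f"-A {chain} -d {net} -j RETURN"))
        else:
            rules.append(("subnet", f"-A {chain} -d {net} -p tcp -j REDIRECT --to-ports {port}"))
    return rules

def nft_rules(chain, port, dnsport, ttl, dns_servers, subnets):
    """The same four steps as nft rule bodies (to follow `nft add rule ... {chain}`)."""
    rules = [("ttl", f"ip ttl {ttl} return")]
    for ip in dns_servers:
        rules.append(("dns", f"ip daddr {ip} udp dport 53 redirect to :{dnsport}"))
    rules.append(("local", "fib daddr type local return"))
    for net, exclude in subnets:
        if exclude:
            rules.append(("subnet", f"ip daddr {net} return"))
        else:
            rules.append(("subnet", f"meta l4proto tcp ip daddr {net} redirect to :{port}"))
    return rules

def steps(rules):
    """The sequence of step tags; this is what the PR makes identical for nat and nft."""
    return [tag for tag, _ in rules]

def consistent(*cfg):
    """True when both methods order their steps the same way for the same input."""
    return steps(nat_rules(*cfg)) == steps(nft_rules(*cfg))

if __name__ == "__main__":
    # Constructed input: resolver on localhost, 10.1/16 carved out of 10/8.
    cfg = ("sshuttle-12300", 12300, 12301, 63, ["127.0.0.53"],
           [("10.1.0.0/16", True), ("10.0.0.0/8", False)])
    for tag, rule in nat_rules(*cfg):
        print(f"{tag:7} iptables -t nat {rule}")
    print("nat/nft step order consistent:", consistent(*cfg))
```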
Contributor (Author):
If this gets merged, I'll submit another patch that depends on this one that adds IPv6 support to the nft method.

Member:
Thanks!