Hello list,

I'm working on a router with the xfrm policy 10.0.1.0/24 === 0.0.0.0/0, and I'm trying to make locally generated packets be tunnelled too. In iptables -m policy matching, is there any way to use a specific IP as the source IP of the packet, other than the original src of the packet?

e.g.

iptables -t nat -A POSTROUTING -m policy --pol none --dir out --src=10.0.1.1 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 10.0.1.1

The input packet has src=22.33.44.55, and I want to MASQUERADE only if there is no policy that matches src=10.0.1.1; otherwise I want to SNAT the packet to 10.0.1.1. It would be good if we could swap these two rules, then we could check the policy with the NAT-ed packet (which has src=10.0.1.1). However, that's impossible since SNAT is a terminating target and the chain stops there.

Currently I write an updown script which is invoked every time a tunnel goes up/down, to do some iptables stuff. If we know the tunnel is up/down, it's of course easy to write iptables rules. But I'm wondering if there's any cleaner solution. Any comment is appreciated.

--
Zesen Qian (钱泽森)

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
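The updown approach the post describes, as an added example that is not the poster's own script: it assumes strongSwan's updown interface, which passes PLUTO_VERB (up-client / down-client) and PLUTO_PEER_CLIENT (the remote traffic selector) in the environment, and reuses the addresses from the post (10.0.1.1 as the tunnel-side source, 22.33.44.55 as the router's real source).

```shell
#!/bin/sh
# Added example updown script (not the poster's own). charon calls it with
# PLUTO_VERB (up-client / down-client) and PLUTO_PEER_CLIENT (the remote
# traffic selector) in the environment. Addresses are the ones from the post:
# the router's tunnel-side address 10.0.1.1 and its real source 22.33.44.55.
TUNNEL_SRC=${TUNNEL_SRC:-10.0.1.1}
WAN_SRC=${WAN_SRC:-22.33.44.55}
IPTABLES=${IPTABLES:-iptables}

# snat_rule VERB PEER_NET
# Prints the iptables command that inserts (on up-client) or deletes (on
# down-client) a SNAT rule for locally generated packets headed to the peer
# subnet. Rewriting their source to 10.0.1.1 lets them match the
# 10.0.1.0/24 === 0.0.0.0/0 policy; -I keeps the rule ahead of the generic
# MASQUERADE rule in POSTROUTING. Other verbs (up-host, ...) return 1 and
# are ignored, so only the client-to-client tunnel toggles the rule.
snat_rule() {
    verb=$1
    peer_net=$2
    case "$verb" in
        up-client)   action=-I ;;
        down-client) action=-D ;;
        *)           return 1 ;;
    esac
    printf '%s -t nat %s POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' \
        "$IPTABLES" "$action" "$WAN_SRC" "$peer_net" "$TUNNEL_SRC"
}

# Only touch the firewall when invoked by charon; sourcing the file elsewhere
# (e.g. for testing) leaves iptables alone.
if [ -n "$PLUTO_VERB" ]; then
    if cmd=$(snat_rule "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-0.0.0.0/0}"); then
        $cmd
    fi
fi
```

Because the rule is keyed on the peer subnet, each tunnel adds and removes only its own SNAT entry, and a down-client for one peer leaves the others' rules in place.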
