NAT_LOCAL_REDIRECT should be applied before LOG's

[abelbeck]

@arnova A confusing issue can up with an AstLinux user, using AIF as a router:

It was desired to NAT port TCP 8443 to port 443 on the "Local" router, so the destination address was set to 192.168.0.1, a LAN gateway interface ...

NAT_LOCAL_REDIRECT=1
NAT_FORWARD_TCP="1.2.3.4~8443>192.168.0.1~443"

This worked as expected, but this LOG was always generated:

Jul 25 10:06:35 pbx3 user.info kernel: AIF:PRIV TCP packet: IN=eth0 OUT= MAC=00:30:18:... SRC=1.2.3.4 DST=192.168.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=16302 DF PROTO=TCP SPT=58305 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Normally NAT_FORWARD rewrites the packets to pass through the FORWARD chain, but in this case the IPv4 address "192.168.0.1" is associated with "Local" so it is passed via the INPUT chain. A rule added to the EXT_FORWARD_IN_CHAIN chain to normally allow this rewritten packet is not used.

After some headscratching, the NAT_LOCAL_REDIRECT=1 adds this to the EXT_INPUT_CHAIN chain:

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT

which allows DNAT'ed packets to be allowed in the INPUT chain, but this rule is added after the 'AIF:PRIV TCP packet' log (and others) so even if the DNAT'ed packet is allowed the log is generated.

I'm proposing to move the NAT_LOCAL_REDIRECT=1 conditional up, After "# Handle multicast traffic" and before "# Log packets to privileged TCP ports?"

Seem reasonable ?

[arnova]

Yeah seems reasonable. It just plain stupid the way it is now, I wonder why didn't stumble onto this before actually.

[abelbeck]

This NAT-trick only applies to router situations, where many (I do) disable dropped WAN packet logging since there is so much of it... so the log does not appear.

I'll fix this later today.