Open qbarnes opened 8 years ago
Recently, I had a problem with the "mangle" table on a system with Docker, because Docker uses DNAT and MASQUERADE for Docker instances. Although I wrote DADDR set rules, the destination address (VIP) was overridden with the host address by the DNAT rules.
So, I rebuilt the xt_DADDR module with the "raw" table. It works perfectly. But I am concerned about other side effects that have not yet occurred.
The current master branch (after @wbadger's recent merge of the beta/dsrtools branches) has the raw table as the default:
https://github.com/yahoo/l3dsr/blob/master/linux/dsrtools/src/dsrctl.8.sed#L68-L70
The default table is the raw table, but the mangle table may be selected with the appropriate iptables configuration.
Should we close this now ["mission accomplished"]?
Someone suggested I consider using the "raw" table instead of the "mangle" table for this module so that it would run in front of the conntrack module. That way, the daddr rewriting wouldn't confuse conntrack's tracking. I tried the idea out with some limited testing, and it seems to work, but I'm cautious about the move, not being able to find much documentation on the "raw" table.
I wrote a note on netdev a couple of weeks ago (https://www.mail-archive.com/netdev@vger.kernel.org/msg125234.html), but so far no help.
Has anyone else hit the problem with conntrack, tried any workarounds, or have comments on using the "raw" table?
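The reason the raw table avoids the conntrack confusion described above is the netfilter hook order on PREROUTING: raw runs at priority -300, conntrack at -200, mangle at -150 and nat (DNAT) at -100, so a daddr rewrite in raw is what conntrack records, while a rewrite in mangle happens after conntrack has already stored the original tuple. The following toy model, added here as an illustration and not code from the l3dsr project or from anyone in this thread, runs a packet through those hooks in priority order with the DADDR rule placed in either table. The NF_IP_PRI_* values are the kernel's constants from include/uapi/linux/netfilter_ipv4.h; the conntrack behaviour is reduced to "record the 5-tuple the first time a packet is seen", the DADDR target is modelled as "rewrite daddr from the DSCP value" (an assumption taken from the discussion, not from the module source), and all addresses and ports are constructed sample data.

```python
"""Toy model of netfilter PREROUTING hook ordering (added example, not
l3dsr code; touches no real iptables).  Hook priorities are the kernel's
NF_IP_PRI_* constants; everything else is a deliberately simplified model."""

NF_IP_PRI_RAW = -300        # raw table PREROUTING
NF_IP_PRI_CONNTRACK = -200  # conntrack creates/looks up the flow here
NF_IP_PRI_MANGLE = -150     # mangle table PREROUTING
NF_IP_PRI_NAT_DST = -100    # nat table PREROUTING (DNAT)

# Constructed sample data: a DSR host whose real address is 10.0.0.5 and
# which serves VIP 192.0.2.10, signalled by DSCP value 1.
HOST_ADDR = "10.0.0.5"
VIP = "192.0.2.10"
CLIENT = "198.51.100.7"
DSCP_TO_VIP = {1: VIP}  # assumed DADDR mapping, for the model only


class Conntrack:
    """Records the original-direction tuple of a flow the first time the
    conntrack hook sees it; later packets match it or its reverse."""

    def __init__(self):
        self.flows = {}  # original tuple -> state

    @staticmethod
    def tuple_of(pkt):
        return (pkt["proto"], pkt["saddr"], pkt["sport"], pkt["daddr"], pkt["dport"])

    @staticmethod
    def reverse(t):
        proto, s, sp, d, dp = t
        return (proto, d, dp, s, sp)

    def hook(self, pkt):
        t = self.tuple_of(pkt)
        if t in self.flows or self.reverse(t) in self.flows:
            pkt["ct_state"] = "ESTABLISHED"
        else:
            self.flows[t] = "NEW"
            pkt["ct_state"] = "NEW"
        return pkt

    def is_tracked_reply(self, pkt):
        """True if this packet is the reply direction of a recorded flow."""
        return self.reverse(self.tuple_of(pkt)) in self.flows


def daddr_hook(pkt):
    """Model of the DADDR target: rewrite daddr according to DSCP."""
    vip = DSCP_TO_VIP.get(pkt["dscp"])
    if vip is not None:
        pkt["daddr"] = vip
    return pkt


def run_prerouting(pkt, ct, daddr_table):
    """Run PREROUTING hooks in ascending priority order, with the DADDR
    rule installed in either the raw or the mangle table."""
    daddr_prio = {"raw": NF_IP_PRI_RAW, "mangle": NF_IP_PRI_MANGLE}[daddr_table]
    hooks = [
        (daddr_prio, daddr_hook),
        (NF_IP_PRI_CONNTRACK, ct.hook),
        # nat PREROUTING (DNAT, -100) would follow in both cases; with no
        # matching DNAT rule it is a no-op and is left out of the model.
    ]
    for _, fn in sorted(hooks, key=lambda h: h[0]):
        pkt = fn(pkt)
    return pkt


def simulate(daddr_table):
    """Push one client packet through PREROUTING, then check whether the
    DSR reply (sourced from the VIP) matches what conntrack recorded."""
    ct = Conntrack()
    inbound = {"proto": "tcp", "saddr": CLIENT, "sport": 40000,
               "daddr": HOST_ADDR, "dport": 80, "dscp": 1}
    inbound = run_prerouting(inbound, ct, daddr_table)
    reply = {"proto": "tcp", "saddr": VIP, "sport": 80,
             "daddr": CLIENT, "dport": 40000, "dscp": 0}
    return {
        "final_daddr": inbound["daddr"],
        "ct_original_daddr": next(iter(ct.flows))[3],
        "reply_matches_flow": ct.is_tracked_reply(reply),
    }


if __name__ == "__main__":
    for table in ("mangle", "raw"):
        print(table, simulate(table))
```

In the mangle case the packet reaches the application with daddr rewritten to the VIP, but conntrack has stored the flow with the host address as destination, so the VIP-sourced reply does not match its reverse tuple; in the raw case conntrack records the VIP and the reply matches. Two caveats worth keeping in mind: conntrack's defragmentation hook (NF_IP_PRI_CONNTRACK_DEFRAG, -400) still runs before raw, so raw rules see reassembled packets; and nat PREROUTING runs after both raw and mangle, so moving DADDR to raw does not by itself change how a later DNAT rule (such as one installed by Docker) sees the packet.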