Re: NAT using iproute2

Hello,

Martin a écrit :
>
> I just get started using the iproute2 package instead of the good old
> ifconfig/route/arp commands, because I
> need the policy based routing funcionality. Standard IP and route
> configuration works out pretty good so far, but I'm getting problems
> enabling stateless NAT. The command
>
> # ip route add nat 192.168.50.2 via 192.168.60.2
>
> and
>
> # ip rule add nat 192.168.50.2 from 192.168.60.2
>
> should do the job both SNAT and DNAT but already the first command
> throws the error
>
> RTNETLINK answers: Invalid argument

"Routing NAT" (CONFIG_IP_ROUTE_NAT) controlled by ip rule/ip route has
been deprecated for quite a long time now in 2.6 kernels. It was
replaced in kernel 2.6.24 and above by a new stateful NAT controlled by
tc in recent versions of the iproute2 package (at least 2-2.6.24).

Hi Pascal,

Pascal Hambourg <boite-a-(E-Mail Removed)> schrieb:
> "Routing NAT" (CONFIG_IP_ROUTE_NAT) controlled by ip rule/ip route has
> been deprecated for quite a long time now in 2.6 kernels. It was
> replaced in kernel 2.6.24 and above by a new stateful NAT controlled by
> tc in recent versions of the iproute2 package (at least 2-2.6.24).

thanks a lot for this info - I guessed that somehow.

Regards,
Martin

Pascal Hambourg a écrit :
>
> "Routing NAT" (CONFIG_IP_ROUTE_NAT) controlled by ip rule/ip route has
> been deprecated for quite a long time now in 2.6 kernels. It was
> replaced in kernel 2.6.24 and above by a new stateful NAT controlled by
> tc in recent versions of the iproute2 package (at least 2-2.6.24).

Oops. I meant stateless, not stateful. Stateful NAT is the one performed
by netfilter.

Dave {Reply Address In.Sig} a écrit :
> Pascal Hambourg wrote:
>>
>> "Routing NAT" (CONFIG_IP_ROUTE_NAT) controlled by ip rule/ip route has
>> been deprecated for quite a long time now in 2.6 kernels. It was
>> replaced in kernel 2.6.24 and above by a new stateless NAT controlled
>> by tc in recent versions of the iproute2 package (at least 2-2.6.24).
>
> Is there a good HOWTO or other reading on the new stuff then?

I don't know. Maybe in the iproute2 package documentation or tc manpage.

> I wasn't aware
> the older stuff was deprecated because it's been working fine here.

What kind of kernel are you using ? It was removed from the 2.6 kernel
in version 2.6.9, which is quite old (2004). It is still supported (and
broken) in the current 2.4 kernel though.

Dave {Reply Address In.Sig} a écrit :
>>
>>> I wasn't aware
>>> the older stuff was deprecated because it's been working fine here.
>>
>> What kind of kernel are you using ? It was removed from the 2.6 kernel
>> in version 2.6.9, which is quite old (2004). It is still supported (and
>> broken) in the current 2.4 kernel though.
>
> Maybe I'm misunderstanding and mixing up what I thought was iproute2, but my
> Fedora 10 machine has iproute-2.6.27-2.fc10.i386 in its installed RPM
> database. My router machine, which is where the stuff is being used for
> real, load-sharing between a couple of internet feeds, is running 2.6.20
> kernel.

If your router machine does NAT, it is probably the *stateful* NAT from
netfilter controlled by iptables.