[qca-nss-ecm]: SNAT rule is getting applied after packet passed through bridge post routing hook
/*
* In DMZ scenarios the SNAT rule is getting applied on the packet after the packet
* has passed through the bridge post-routing hook.
*
* Example
* Consider the following scenario where both the WLAN PC and eth1 are part of the same bridge:
* 192.168.1.3(WLAN PC)<-->192.168.1.1(DUT br-lan)---> 192.168.1.4(Eth1 PC)
* When a DNAT is applied, it is observed that the following NAT rules are appended in iptables:
*
* -A nat_reflection_out -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 3389 -m comment --comment "wan" -j SNAT --to-source 192.168.1.1
* -A nat_reflection_out -s 192.168.1.0/24 -d 192.168.1.4/32 -p udp -m udp --dport 3389 -m comment --comment "wan" -j SNAT --to-source 192.168.1.1
*
* This shows that SNAT is getting applied on bridged packets also. However, it is observed that
* the SNAT is updated in ct after the packet has crossed this function through the bridge hook.
*
* Hence, flushing the connection that was already created earlier if the ip_src_addr_nat value changes for the same tuple in
* subsequent packets.
*/
Change-Id: Ibc4136f7fcd8d8fbbbc639f5f94bca01432964d7
Signed-off-by: Radha krishna Simha Jiguru <rjiguru@codeaurora.org>
1 file changed
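As an added illustration (not code from qca-nss-ecm or from this change), a small C model of the stale-entry check the message describes: a per-tuple cache entry created on the bridge hook, before the nat table has run, is flushed and rebuilt when a later packet for the same tuple carries a different ip_src_addr_nat. The tuple layout, the 40000 source port and the fixed-size table are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a per-flow acceleration cache; not the module's own code. */
struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct conn  { int in_use; struct tuple t; uint32_t src_nat; };

#define MAX_CONN 8
static struct conn table[MAX_CONN];
static int flushes;               /* stale entries torn down so far */

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static int tuple_eq(const struct tuple *a, const struct tuple *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* Returns 0: new entry, 1: existing entry still valid, 2: stale entry flushed and rebuilt. */
int conn_update(const struct tuple *t, uint32_t src_nat) {
    int free_slot = -1;
    for (int i = 0; i < MAX_CONN; i++) {
        if (!table[i].in_use) { if (free_slot < 0) free_slot = i; continue; }
        if (!tuple_eq(&table[i].t, t)) continue;
        if (table[i].src_nat == src_nat) return 1;
        /* Same tuple, but ct now reports a different NAT source: the entry was
           created on the bridge hook before SNAT ran, so it is stale. Flush it. */
        table[i].in_use = 0; flushes++;
        table[i] = (struct conn){ 1, *t, src_nat };
        return 2;
    }
    if (free_slot < 0) return -1;  /* table full */
    table[free_slot] = (struct conn){ 1, *t, src_nat };
    return 0;
}

int conn_flushes(void) { return flushes; }

/* Replays the DMZ scenario from the message: WLAN PC -> bridged Eth1 PC, TCP/3389. */
int replay_dmz_scenario(void) {
    memset(table, 0, sizeof table); flushes = 0;
    struct tuple t = { ip4(192,168,1,3), ip4(192,168,1,4), 40000, 3389, 6 };
    int first  = conn_update(&t, t.src);             /* bridge hook: no SNAT seen yet */
    int second = conn_update(&t, ip4(192,168,1,1));  /* post-routing: ct carries SNAT */
    return first == 0 ? second : -1;
}

int main(void) {
    printf("result=%d flushes=%d\n", replay_dmz_scenario(), conn_flushes());
    return 0;
}
```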