This is a discussion on Re: netmask lengths and rdr rules within the IPFilter forums, part of the System Security and Security Related category.
On Tue, Sep 28, 2004 at 11:41:43AM +0100, David Pick wrote:
> I'm trying to use a fairly complicated setup with rdr rules and I
> don't understand a feature of the NAT/RDR processing fully. There
> is a loop in the code (and the MAP code) that looks for more
> specific rules before less specific rules. What is *not* clear
> (although it would be if I spent *enough* time staring at the code)
> is just which part of the rule is being processed in this way.
>
> Let's take:
> rdr fxp0 from a.a.a.a/ma to b.b.b.b/mb -> r.r.r.r/mr
>
> Is the mask being tested at various precisions "ma" or "mb"? or "mr"?
>
> To put it another way, take:
> rdr fxp0 from 10.1.1.0/24 to 172.16.1.0/24 -> 192.168.1.1/32
> rdr fxp0 from 10.1.1.0/26 to 172.16.1.0/24 -> 192.168.1.1/32
> rdr fxp0 from 10.1.1.0/24 to 172.16.1.0/26 -> 192.168.1.1/32
> and a packet from 10.1.1.1 to 172.16.1.1. Since the second and third
> rules are more specific than the first, they should be found before
> the first. But *which* one will be found first?
>
> The same question applies to "map" rules: I suspect the answer is
> different from the "rdr" case...
>
> Can anyone help?...

The way I read the (4.1.3) code is that with rdr, mb is the mask that
determines how specific a rule is. If b.b.b.b/mb are equal for 2 rules,
rules are matched in the order they appear in the config file.

With nat, it is a.a.a.a/ma that determines how specific a rule is.

Darren should correct me if I'm wrong.

-Guido
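A small model of the lookup order Guido describes, added here as an example and not code from IPFilter or from either poster: it parses the three rdr rules from the question and picks the rule that wins for the 10.1.1.1 -> 172.16.1.1 packet, ranking candidates by the "to" mask for rdr and by the "from" mask for map, with config-file order as the tiebreaker. The rule-line regex and the tiebreak rule are assumptions for illustration, not a reading of the 4.1.3 source.

```python
import ipaddress
import re

# Constructed input: the three rdr rules from the question above.
RULES = """
rdr fxp0 from 10.1.1.0/24 to 172.16.1.0/24 -> 192.168.1.1/32
rdr fxp0 from 10.1.1.0/26 to 172.16.1.0/24 -> 192.168.1.1/32
rdr fxp0 from 10.1.1.0/24 to 172.16.1.0/26 -> 192.168.1.1/32
"""

# Assumed simplified rule syntax: "<rdr|map> <if> from A/ma to B/mb -> R/mr".
RULE_RE = re.compile(
    r"^(rdr|map)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)$")


def parse_rules(text):
    """Parse rule lines into dicts; 'idx' records config-file order."""
    rules = []
    for idx, line in enumerate(text.strip().splitlines()):
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        kind, ifname, src, dst, target = m.groups()
        rules.append({"idx": idx, "kind": kind, "if": ifname,
                      "src": ipaddress.ip_network(src, strict=False),
                      "dst": ipaddress.ip_network(dst, strict=False),
                      "to": target})
    return rules


def lookup(rules, kind, src_ip, dst_ip):
    """Return the winning rule for a packet under the reply's reading:
    rdr ranks by the 'to' mask (mb), map by the 'from' mask (ma);
    equal masks fall back to config-file order (assumed tiebreak)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    cands = [r for r in rules
             if r["kind"] == kind and s in r["src"] and d in r["dst"]]
    key = "dst" if kind == "rdr" else "src"
    # Longest prefix first; ties broken by the lower config index.
    cands.sort(key=lambda r: (-r[key].prefixlen, r["idx"]))
    return cands[0] if cands else None


if __name__ == "__main__":
    winner = lookup(parse_rules(RULES), "rdr", "10.1.1.1", "172.16.1.1")
    print("rdr winner: rule", winner["idx"] + 1, "to", winner["dst"])
```

With the same three rules written as map rules, the second rule (source /26) wins instead, which is the difference between the rdr and map cases that the reply points out.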