Правила маршрутизации применяются к нетранслированным адресам. Вообще, работает все достаточно хитро:
NetDefend OS User Manual писал(а):
The Routing Table Selection Process
When a packet corresponding to a new connection first arrives, the processing steps are as follows
to determine which routing table is chosen:
1. The routing rules are first be looked up but to do this the packet's destination interface must be
determined and this is always done by a lookup in the main routing table. It is therefore
important that a match for the destination network is found or at least a default all-nets route
exists which can catch anything not explicitly matched.
2. A search is now made for a routing rule that matches the packet's source/destination
interface/network as well as service. If a matching rule is found then this determines the routing
table to use. If no routing rule is found then the main table will be used.
3. Once the correct routing table has been located, a check is made to make sure that the source IP
address in fact belongs on the receiving interface. The Access Rules are firstly examined to see
if they can provide this check (see Section 6.1, “Access Rules” for more details of this feature).
If there are no Access Rules or a match with the rules cannot be found, a reverse lookup in the
previously selected routing table is done using the source IP address. If the check fails then a
Default access rule log error message is generated.
4. At this point, using the routing table selected, the actual route lookup is done to find the
packet's destination interface. At this point the ordering parameter is used to determine how the
actual lookup is done and the options for this are described in the next section. To implement
virtual systems, the Only ordering option should be used.
5. The connection is then subject to the normal IP rule set. If a SAT rule is encountered, address
translation will be performed. The decision of which routing table to use is made before
carrying out address translation but the actual route lookup is performed on the altered address.
Note that the original route lookup to find the destination interface used for all rule look-ups
was done with the original, untranslated address.
6. If allowed by the IP rule set, the new connection is opened in the NetDefendOS state table and
the packet forwarded through this connection.
Вход
Регистрация
FAQ
Поиск
