authorroot <root@eng-140.vyatta.com>2008-08-22 14:04:02 -0700
committerroot <root@eng-140.vyatta.com>2008-08-22 14:04:02 -0700
commit4bec8f1de85b4ded7d3d7815eb4c734f993af8aa (patch)
tree30fa77b14117ce8f7a0ca419dc1037bf89c12409
parent065c25acb5c3d10f4015b5bfa181445c3bce901a (diff)
snat rules created by wanloadbanana are now applied before snat rules created by nat. this shouldn't be a problem for nat, as the wanloadbanana rules are filters on packets marked in the mangle table.
now using the new jump to target inserted by vyatta-cfg-firewall project on boot.
-rw-r--r--debian/control1
-rw-r--r--src/lbdecision.cc6
2 files changed, 4 insertions, 3 deletions
diff --git a/debian/control b/debian/control
index a4145c8..a4f1b37 100644
--- a/debian/control
+++ b/debian/control
@@ -12,6 +12,7 @@ Depends: sed (>= 4.1.5),
procps (>= 1:3.2.7-3),
vyatta-quagga | quagga,
vyatta-cfg,
+ vyatta-cfg-firewall,
vyatta-op,
vyatta-bash | bash (>= 3.1),
vyatta-config-migrate,
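Review bot: The added `vyatta-cfg-firewall` entry has no version constraint, yet src/lbdecision.cc in this same commit needs the VYATTA_PRE_SNAT_HOOK chain, which the commit message describes as newly inserted by that package on boot. An older vyatta-cfg-firewall without the hook would satisfy this Depends line, and the WANLOADBALANCE jump would then never be installed. Pin the first release that creates the chain, e.g. ` vyatta-cfg-firewall (>= <first-version-with-hook>),`, with the placeholder replaced by the real version.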
diff --git a/src/lbdecision.cc b/src/lbdecision.cc
index 507d3b5..315516c 100644
--- a/src/lbdecision.cc
+++ b/src/lbdecision.cc
@@ -111,8 +111,8 @@ if so then this stuff goes here!
if (lbdata._disable_source_nat == false) {
execute(string("iptables -t nat -N WANLOADBALANCE"), stdout);
execute(string("iptables -t nat -F WANLOADBALANCE"), stdout);
- execute(string("iptables -t nat -D POSTROUTING -j WANLOADBALANCE"), stdout);
- execute(string("iptables -t nat -A POSTROUTING -j WANLOADBALANCE"), stdout);
+ execute(string("iptables -t nat -D VYATTA_PRE_SNAT_HOOK -j WANLOADBALANCE"), stdout);
+ execute(string("iptables -t nat -I VYATTA_PRE_SNAT_HOOK 1 -j WANLOADBALANCE"), stdout);
}
//set up the conntrack table
execute(string("iptables -t raw -N NAT_CONNTRACK"), stdout);
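Review bot: The new `-I VYATTA_PRE_SNAT_HOOK 1 -j WANLOADBALANCE` call ignores its result, so if the hook chain is missing (firewall package not yet initialised, or the chain was flushed) the insert fails and nothing reports it. The old POSTROUTING target was a built-in chain that always exists, whereas this one is created by another package, so the failure mode is new. Without the jump, load-balanced traffic would presumably leave untranslated, exposing internal source addresses on the WAN side. Consider probing first with `iptables -t nat -L VYATTA_PRE_SNAT_HOOK -n` and logging an error, or falling back, when the probe or the insert fails; this assumes execute() exposes the command status, since its definition is outside the hunk. The same unchecked use of the hook chain appears in the `-D VYATTA_PRE_SNAT_HOOK` call in LBDecision::shutdown(), and the enclosing function here starts and ends outside the hunk.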
@@ -266,7 +266,7 @@ LBDecision::shutdown()
//clear out nat as well
execute("iptables -t nat -F WANLOADBALANCE", stdout);
- execute("iptables -t nat -D POSTROUTING -j WANLOADBALANCE", stdout);
+ execute("iptables -t nat -D VYATTA_PRE_SNAT_HOOK -j WANLOADBALANCE", stdout);
//remove the policy entries