虛機中訪問外網；NAT中的POSTROUTING是怎么搞的？

看下docker中是怎么配置的網絡

在虛機中訪問外網：設定了qemu，在主機上添加路由：sudo iptables -t nat -I POSTROUTING -s 192.168.1.110 -j SNAT --to-source 192.168.0.108

設置了這句話就可以訪問外網了。

設置了兩個虛擬機：

tap0 (192.168.129.1) --->

tap1 (192,168.130.1) --->

增加nat的NAT的表項設置： sudo iptables -t nat -I POSTROUTING -s 192.168.128.0/20 -j SNAT --to-source 192.168.0.108

同時去訪問我的云主機：121.X.X.X，從兩個主機中都能ping得通，這說明在NAT記錄了這個地址，記錄著

兩個典型包：

192.168.129.110 --->云主機?? ( 192.168.0.108 ---> 云主機)

192.168.130.110 --->云主機?? ( 192.168.0.108 ---> 云主機)

NAT內部是怎么記錄的這個轉換？是記錄咋的？從云主機IP中回來了一個包，目的地址是192.168.0.108，怎么分別分流到 192.168.129.110 和 192.168.130.110 兩個 IP地址中。

難道是端口的信息在里面？接受數據包的流程

#0  icmp_rcv (skb=0xffff88007c9efc00) at net/ipv4/icmp.c:973
#1  0xffffffff816d97af in ip_local_deliver_finish (net=0xffffffff81ed8680 <init_net>, sk=<optimized out>, skb=0xffff88007c9efc00) at net/ipv4/ip_input.c:216
#2  0xffffffff816d9e45 in NF_HOOK_THRESH (thresh=<optimized out>, okfn=<optimized out>, out=<optimized out>, in=<optimized out>, skb=<optimized out>, sk=<optimized out>, net=<optimized out>, hook=<optimized out>, pf=<optimized out>)at ./include/linux/netfilter.h:232
#3  NF_HOOK (okfn=<optimized out>, out=<optimized out>, in=<optimized out>, skb=<optimized out>, sk=<optimized out>, net=<optimized out>, hook=<optimized out>, pf=<optimized out>)at ./include/linux/netfilter.h:255
#4  ip_local_deliver (skb=0xffff88007c9efc00)at net/ipv4/ip_input.c:257
#5  0xffffffff816d9a7b in dst_input (skb=<optimized out>)at ./include/net/dst.h:507
#6  ip_rcv_finish (net=0xffffffff81ed8680 <init_net>, sk=<optimized out>, skb=0xffff88007c9efc00)at net/ipv4/ip_input.c:396
#7  0xffffffff816da11e in NF_HOOK_THRESH (thresh=<optimized out>, okfn=<optimized out>, out=<optimized out>, in=<optimized out>, skb=<optimized out>, sk=<optimized out>, net=<optimized out>, hook=<optimized out>, pf=<optimized out>)at ./include/linux/netfilter.h:232
#8  NF_HOOK (okfn=<optimized out>, out=<optimized out>, in=<optimized out>, skb=<optimized out>, sk=<optimized out>, net=<optimized out>, hook=<optimized out>, pf=<optimized out>)at ./include/linux/netfilter.h:255
#9  ip_rcv (skb=0xffff88007c9efc00, dev=0xffff88007c530000, pt=<optimized out>, orig_dev=<optimized out>)at net/ipv4/ip_input.c:487
#10 0xffffffff81684eea in __netif_receive_skb_core (skb=0xffff88007c9efc00, pfmemalloc=<optimized out>)at net/core/dev.c:4211
#11 0xffffffff816878cd in __netif_receive_skb (skb=<optimized out>)at net/core/dev.c:4249
#12 0xffffffff8168793d in netif_receive_skb_internal (skb=0xffff88007c9efc00) at net/core/dev.c:4277
#13 0xffffffff81688582 in napi_skb_finish (skb=<optimized out>, ret=<optimized out>) at net/core/dev.c:4626
---Type <return> to continue, or q <return> to quit---
#14 napi_gro_receive (napi=0xffff88007c530b70, skb=0xffff88007c9efc00)at net/core/dev.c:4658
#15 0xffffffff81532db1 in e1000_receive_skb (skb=<optimized out>, vlan=<optimized out>, status=<optimized out>, adapter=<optimized out>)at drivers/net/ethernet/intel/e1000/e1000_main.c:4035
#16 e1000_clean_rx_irq (adapter=0xffff88007c5308c0, rx_ring=<optimized out>, work_done=<optimized out>, work_to_do=<optimized out>)at drivers/net/ethernet/intel/e1000/e1000_main.c:4491
#17 0xffffffff81531bb0 in e1000_clean (napi=0xffff88007c530b70, budget=64) at drivers/net/ethernet/intel/e1000/e1000_main.c:3836
#18 0xffffffff8168968a in napi_poll (repoll=<optimized out>, n=<optimized out>) at net/core/dev.c:5158
#19 net_rx_action (h=<optimized out>) at net/core/dev.c:5223
#20 0xffffffff8187c0d9 in __do_softirq () at kernel/softirq.c:284
#21 0xffffffff81058f70 in invoke_softirq () at kernel/softirq.c:364
#22 irq_exit () at kernel/softirq.c:405
#23 0xffffffff8187be94 in exiting_irq ()at ./arch/x86/include/asm/apic.h:659
#24 do_IRQ (regs=0xffffc9000006be08) at arch/x86/kernel/irq.c:251
#25 0xffffffff8187a4bf in common_interrupt ()at arch/x86/entry/entry_64.S:520
#26 0xffffc9000006be08 in ?? ()
#27 0x0000000000000000 in ?? ()

?設置完SNAT后接收icmp包: NAT是

當服務器14.17.88.99回復了一個數據包后(src=14.17.88.99 dst=115.22.112.12)，進入到wan側接口的PRE_ROUTING鏈時，
則在調用其nat相關的hook函數后，會調用函數ip_nat_packet獲取到 origin tuple 值，然后再根據 origin tuple，計算出反方向的tuple，
即為new_tuple.src = 14.17.88.99 new_tuple.dst = 192.168.1.123,然后就會根據這個新的tuple修改其目的ip地址，
修改后的數據包的目的地址即為192.168.1.123 。然后再查找路由，將數據發送到正常的lan口。這就是nat的De-SNAT

?路由地址：

ipt_do_table -->

nf_nat_ipv4_fn

?在nf_nat_ipv4_fn函數中，首先上來是：nf_ct_get，ct: conntrack,　其中涉及到的數據結構有：

ip_conntrace_info / nf_conn_nat

下面的鏈接中有一個，詳細解釋了當設置ＳＮＡＴ之后，出包和進包的一個流程

http://blog.csdn.net/lickylin/article/details/36740207

?

當數據到達路由器的wan0口，進入到PRE_ROUTING時，會先建立一個nf_conn結構，和兩個nf_conntrack_tuple（origin 與reply）

問題

１）prerouting 在哪里？

２）postrouting的代碼在哪里？

nf_conntrack_l3proto_ipv4_init 初始化的啥東西？

鏈接跟蹤正是在相應的函數中注冊了相應的函數：nf_conntrack_l3proto_ipv4_init函數，

ipv4_conntrack_in -->