On Jan 14 2008 10:53, Patrick McHardy wrote:
> But adding a new chain to the raw table is a high price, every new
> netfilter hook costs quite a bit of performance. Why not simply do
> this in the mangle table? That will also make rerouting in OUTPUT
> work as a side effect.

I think the issue that I tried to outrun was that if I mangle the
address in NF_IP_PRI_MANGLE, then IP_NF_PRI_CONNTRACK_HELPER and
IP_NF_PRI_CONNTRACK_CONFIRM get confused because I change the address
after NF_IP_PRI_CONNTRACK.

IOW: conntrack sees the packet, I mangle it in mangle, and then the
other conntrack hooks get confused. That is why I thought I need some
hook after NF_IP_PRI_CONNTRACK_CONFIRM.