Jan Engelhardt wrote:
> On Jan 14 2008 10:53, Patrick McHardy wrote:
>> But adding a new chain to the raw table is a high price, every new
>> netfilter hook costs quite a bit of performance. Why not simply do
>> this in the mangle table? That will also make rerouting in OUTPUT
>> work as a side effect.
> I think the issue that I tried to outrun was that if I mangle the
> address in NF_IP_PRI_MANGLE, then IP_NF_PRI_CONNTRACK_HELPER and
> IP_NF_PRI_CONNTRACK_CONFIRM get confused because I change the
> address after NF_IP_PRI_CONNTRACK.
> IOW: conntrack sees the packet, I mangle it in mangle,
> and then the other conntrack hooks get confused.
> That is why I thought I need some hook after
> NF_IP_PRI_CONNTRACK_CONFIRM.
They probably put the wrong address in the hash tables. The main
use for this seems to be avoiding the use of conntrack anyways,
but to make them play nicely together I guess you'd have to
mangle the conntrack tuple in case conntrack is used.