Re: xt_owner-xt_socket plans

Hi,

On Mon, Jan 21, 2008 at 02:16:58 +0100, Jan Engelhardt wrote:
> >And as already mentioned, this match depends heavily on the other
> >parts of the tproxy patchset. In fact we'd need to create a new table to
> >make it work for NAT-ted connections (the current tproxy patchset has a
> >problem with SNAT),
> 
> What problem? Maybe it's a bit shortsighted, but I guess if you just
> use the conntrack origsrc/dst instead of iph->saddr, it should be a
> no-brainer, no?

For SNAT, this would be possible. It still wouldn't work for DNAT,
however... (Imagine you have a DNAT rule on nat/PREROUTING and try to do a
socket match _before_ traversing that chain.)

> >so it wouldn't be possible to use it on
> >mangle/PREROUTING... (Do you happen to have any ideas for this new table
> >name? I wouldn't call it tproxy but something else which tells you its
> >place in the flowchart, like 'postnat' or something like that.)

-- 
KOVACS Krisztian