Hi,

On Mon, Jan 21, 2008 at 02:16:58 +0100, Jan Engelhardt wrote:
> >And as already mentioned, this match depends heavily on the other
> >parts of the tproxy patchset. In fact we'd need to create a new table to
> >make it work for NAT-ted connections (the current tproxy patchset has a
> >problem with SNAT),
>
> What problem? Maybe it's a bit shortsighted, but I guess if you just
> use the conntrack origsrc/dst instead of iph->saddr, it should be a
> no-brainer, no?

For SNAT, this would be possible. It still wouldn't work for DNAT,
however... (Imagine you have a DNAT rule on nat/PREROUTING and try to do
a socket match _before_ traversing that chain.)

> >so it wouldn't be possible to use it on
> >mangle/PREROUTING... (Do you happen to have any ideas for this new table
> >name? I wouldn't call it tproxy but something else which tells you its
> >place in the flowchart, like 'postnat' or something like that.)

--
KOVACS Krisztian