On Jan 21 2008 15:46, KOVACS Krisztian wrote:
>>
>> What problem? Maybe it's a bit shortsighted, but I guess if you just
>> use the conntrack origsrc/dst instead of iph->saddr, it should be a
>> no-brainer, no?
>
> For SNAT, this would be possible. It still wouldn't work for DNAT,
> however... (Imagine you have a DNAT rule on nat/PREROUTING and try to do a
> socket match _before_ traversing that chain.)

While you are right, I do not see a use case for combining -m socket
with DNAT. There are a few cases I can think of:

1. The user wants to do transparent proxying, i.e. rerouting the packet
   to a localhost process. That is done with -m socket and -j MARK, and
   a reroute based on fwmark, without DNAT.

2. The user wants to forward the packet. In this case, using -m socket
   does not make much sense because the packet is not going to be
   delivered locally.

3. The packet is directly addressed to the host (e.g. 1.3.3.7) itself.
   The host has a secondary IPv4 address (1.3.3.8), and the user does,
   for whatever reason:

        -t nat -A PREROUTING -d 1.3.3.7 -p tcp --dport 80 \
        -j DNAT --to 1.3.3.8:81

In this third case, I cannot see a reason why one would want to use
-m socket in a table that comes before "nat".

You are free to enlighten me with a (believable) scenario not listed
here that does depend on socket being in mangle, and uses DNAT :-)
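The following is an added example, not part of the thread above and not code from either poster. It spells out case 1 as a complete rule set: -m socket plus -j MARK in mangle/PREROUTING, an fwmark-based policy route into a local routing table, and no rule in the nat table at all. The TPROXY target line for the first SYN of a new connection (which -m socket cannot match yet, since no socket exists) follows the recipe in the kernel's Documentation/networking/tproxy.txt. The proxy port 3128, mark value 1 and table number 100 are constructed values; applying the rules needs root and a kernel with xt_socket/xt_TPROXY, so the script only prints them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): transparent proxying with
# -m socket / -j MARK and an fwmark reroute, without any DNAT.
# All three values below are constructed for the example.
PROXY_PORT="${PROXY_PORT:-3128}"   # local proxy bound with IP_TRANSPARENT
MARK="${MARK:-1}"                  # fwmark that diverts into the local table
TABLE="${TABLE:-100}"              # routing table delivering everything to lo

# Print the rule set. Nothing is applied unless APPLY=1 (root required).
tproxy_rules() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $MARK/$MARK --on-port $PROXY_PORT
ip rule add fwmark $MARK lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
EOF
}

# The thread's point: this recipe touches the nat table nowhere.
# Returns the number of emitted rules that reference "-t nat" (expected 0).
nat_rule_count() {
    tproxy_rules | grep -c -- '-t nat' || true
}

# Number of iptables rules emitted (expected 5); handy as a sanity check
# before and after editing the recipe.
iptables_rule_count() {
    tproxy_rules | grep -c '^iptables' || true
}

if [ "${APPLY:-0}" = "1" ]; then
    tproxy_rules | sh -e        # apply in order; stop at the first failure
else
    tproxy_rules                # dry run: show what would be applied
fi
```

Order matters for the two mangle/PREROUTING rules: the -m socket rule comes first so that packets belonging to an already established, transparently proxied flow are marked and rerouted to lo, while only the new connections to port 80 hit the TPROXY target. Because the reroute is driven by the fwmark and the local route, the packet's destination address is never rewritten, which is why DNAT plays no part here.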