Horton, Dave wrote:
> Well, maybe I could use that, or more likely base my kernel module off
> that code. The reason that I probably can't use the DNAT target as is,
> is because I also have to inspect the packets, and for some (very small)
> number of them, send the packet up to userspace for further processing.
> Also, my userspace process needs to frequently (hundreds of times per
> second) change the forwarding rules, so for performance reasons I want
> to specify those changes via commands over a netlink socket rather than
> adding and removing iptables rules.
>
> Does that make sense? Should I be looking at creating a target similar
> to DNAT, and using that code as reference?

Try to use the existing DNAT target if possible. You can make the DNAT
conditional by putting all your logic in a custom match.

But also consider using the ipset patch rather than a custom match. You may
be able to structure the rules so you only need to update the ipset when
your forwarding rules change. ipset is currently sockopt only, but a netlink
version is in progress.

Also, do your forwarding rules change per packet or per connection? Note
that iptables nat is based on connection tracking. If you want per-packet
nat decisions (stateless nat) then use iproute2.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
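The rule structure the reply suggests (keep the stock DNAT target, let an ipset decide which flows it applies to, and touch only the set when the forwarding table changes), written out as an added example that is not part of this thread and not netfilter project code. Set names (`fwd_a`, `fwd_b`), backend addresses and the sample forwarded address are assumptions chosen for illustration; with `DRY_RUN=1` (the default) the script prints the commands it would issue so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: conditional DNAT via ipset membership instead of a custom
# match. One hash:ip,port set per backend; the iptables rules are created
# once and never rewritten, only set membership changes at runtime.
# DRY_RUN=1 (default) prints commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Assumed backends (not from the thread): set_name=backend_ip:port
BACKENDS="fwd_a=10.0.0.5:8080 fwd_b=10.0.0.6:8080"

# Create one set per backend and one static DNAT rule per set. The match
# compares the packet's destination ip,port against the set (flags dst,dst).
# -exist makes create idempotent if the set is already present.
setup_rules() {
    for entry in $BACKENDS; do
        set_name=${entry%%=*}
        backend=${entry#*=}
        run ipset -exist create "$set_name" hash:ip,port
        run iptables -t nat -A PREROUTING -m set --match-set "$set_name" dst,dst \
            -j DNAT --to-destination "$backend"
    done
}

# Point a forwarded ip,port pair (e.g. 192.0.2.10,80) at another backend.
# Only ipset is touched, so this is cheap enough to do hundreds of times a
# second. Because nat is decided on the first packet of a connection
# (conntrack), flows already established keep their old mapping; only new
# connections follow the updated set.
forward_to() {
    dst="$1"; new_set="$2"
    for entry in $BACKENDS; do
        set_name=${entry%%=*}
        [ "$set_name" = "$new_set" ] || run ipset -exist del "$set_name" "$dst"
    done
    run ipset -exist add "$new_set" "$dst"
}

# Usage: setup_rules; forward_to 192.0.2.10,80 fwd_b
```

Anything that must reach userspace per packet is outside what this rule set does; the point here is only that the match decision lives in the set, so the DNAT rules themselves stay fixed and the kernel side needs no custom target.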